
Using sudo and sudoers

sudo lets you run a command as another user; by default that user is root, also known as the superuser. The basic usage is sudo commandname. If you are permitted to run the command, sudo prompts for your own password (not root's) before running it; if you are not permitted, it refuses and logs the attempt.

The basics of using sudo

There are two main use cases for basic sudo use. The first is that it is your computer or your server: the vast majority of the time you operate as a normal user, but occasionally you want to execute a command as root without doing a full su. The risk of a full su is that you could do accidental damage; sudo elevates your privileges for that one command only. The second use case is that you are a server admin and don't want to hand out root privileges, but you do want to give one or more users access to specific root commands.

In either case, once your system administrator has given you sudo privileges you only need to prefix the command with sudo. For example, if your server admin wants to give someone in the HR dept the ability to add users, that user would execute sudo adduser billg. The system admin therefore doesn't need to be involved in adding users, but also doesn't need to hand full root access to the HR dept. The other benefit is that the HR dept person doesn't gain access to userdel or other system commands.

In the case of a user who owns the system, it is generally recommended not to work as root for day-to-day tasks and only to elevate privileges to root when required. In this case sudo will be enabled for all commands but will require the user's own password. So user barrym would log in as barrym and work as barrym all the time. If he then wanted to modify the Apache config files and restart Apache he would run sudo vim /etc/apache2/httpd/httpd.conf and sudo service apache2 restart.

The other use for sudo is when you have multiple admins on a server: you don't want them all running as root and logging to the same place. You therefore give them sudo access, and each command is logged against the user who actually ran it.

The difference between sudo and su

The su command makes you the root user for the rest of the session, whereas sudo only elevates your privileges for that one command. With su you may forget to exit and are then in a position to cause accidental damage. With sudo, if the command requires a password you will be prompted for it, which is a helpful reminder that you are about to do something potentially dangerous to the system. Be aware that sudo caches a successful authentication for a few minutes (the timestamp_timeout setting in sudoers), so consecutive sudo commands will not all prompt; sudo -k discards the cached credential immediately.

Configuring sudo

There is one file that is used to manage sudo, /etc/sudoers (most distributions also read drop-in files from /etc/sudoers.d). It contains a lot of configuration information which we won't cover here, followed by the all-important permissions section. Always edit it with visudo rather than a plain editor: visudo locks the file and checks the syntax before saving, and a syntax error in /etc/sudoers can lock everyone out of sudo.

The first line we are looking for will be like this:

root ALL=(ALL) ALL

In plain language, this line breaks down into

who where = (as_whom) what

The who part is the username we are giving privileges to. It can also be a group of users; to specify a group, put the % symbol at the beginning of the group name. Please see the examples below.

The where part is the name of the host that this access right is granted on. The sudoers file can be shared across multiple systems for ease of management, so you can give user barrym access to specific commands on certain systems and not on others. For the purposes of this tutorial we will be treating this as a single-system setup and this field will always be ALL.

The (as_whom) field is the user, and optionally the group, the command is to be run as, written as user or user:group. If it is omitted the command runs as root.

Finally the what field is the command or commands you are allowing this user to run. This can be a single command, multiple commands separated by commas, or a Cmnd_Alias naming a list of commands. Commands are written as full paths. If a command is listed without arguments the user may run it with any arguments; if arguments are given, the user must supply exactly those arguments.

The first example above simply means root can run any command, as any user, on any system that this sudoers file has control over.

Here are a few examples. In these examples we will always use barrym as the username and as we are only using this sudoers file on one system we will set the where part to ALL.

If we want to give barrym the ability to mount and unmount the CD-ROM we would use this line in the sudoers file

barrym  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

This means that barrym can run /sbin/mount /mnt/cdrom and /sbin/umount /mnt/cdrom, and nothing else: sudo /sbin/mount /dev/sdb1 /mnt would be refused because the arguments do not match.

If you want every member of the users group (on many systems, every regular account) to be able to mount and unmount the CD-ROM then you would use

%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

You may have noticed that in the two previous examples there is no (as_whom) section. When it is omitted the command runs as root, and you can leave out the brackets entirely.

If you own a system and you want to give another user (barryX) temporary root access to it rather than your root password you could add this

barryX ALL=(ALL) ALL

This user could then run any command as root via sudo, authenticating with his own password. Remove the line again to revoke the access. Any user can see what sudo will let them run with sudo -l.

Using Aliases

You can use Aliases for groups of commands or users. This is useful if your sudoers file is starting to get complicated.

User and command aliases are of this format:

User_Alias ADMINS = jsmith, mikem, barrym
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

In both cases the first part is the type of alias, User_Alias or Cmnd_Alias. The second is the NAME of the alias, which must consist of upper-case letters, digits and underscores and start with a letter. The final part is the comma-separated list of users or commands the alias stands for.

You would then assign them as follows:

ADMINS  ALL=SOFTWARE

This would allow jsmith, mikem and barrym to run the system's update software (as root, since no (as_whom) is given). Note that the alias is referenced by its bare name; writing %admins would instead refer to a system group called admins, not to the User_Alias.

Granting access without requiring a password

If you want to give the user access to a command and not require them to re-enter their password then you can use the NOPASSWD: option.

Using the previous example of the cdrom the line would look like this

%users  ALL= NOPASSWD: /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

This would allow any member of the users group to mount and unmount the CD-ROM without entering a password. Use NOPASSWD sparingly, and never for commands that can spawn a shell or edit arbitrary files (editors, pagers, tar and the like), since that amounts to unauthenticated root access.
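The following script is an added example, not part of the original article and not sudo's own parser. It evaluates the grammar described above (who, where, (as_whom), what), %group and User_Alias users, Cmnd_Alias command lists and the NOPASSWD: tag, following sudo's rules that a bare command path allows any arguments, listed arguments must match exactly, and the last matching rule wins. The sample sudoers text is constructed from the lines in this article; the host name web1, the group memberships passed in and the commands tried are assumptions. Host_Alias, Runas_Alias, Defaults, wildcards, negation and includes are not modelled.

```python
"""Evaluator for the subset of the sudoers grammar used in this article.

Added example, not the article's text and not sudo's own parser. It models
'who host=(as_whom) [NOPASSWD:] cmd, cmd' lines, %group users, ALL,
User_Alias and Cmnd_Alias only (no Host_Alias, Runas_Alias, Defaults,
wildcards, '!' negation or includes); `visudo -c` and `sudo -l` are the
authoritative checks.
"""
import shlex


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); each rule is a dict."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (p.strip() for p in rest.split("=", 1))
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        who, rest = line.split(None, 1)
        host, spec = (p.strip() for p in rest.split("=", 1))
        runas = "root"                                  # sudo's runas_default
        if spec.startswith("("):                        # (user) or (user:group)
            inner, spec = spec[1:].split(")", 1)
            runas, spec = inner.split(":")[0].strip() or "root", spec.strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec.split(":", 1)[1].strip()
        rules.append({"who": who, "host": host, "runas": runas, "nopasswd": nopasswd,
                      "cmds": [c.strip() for c in spec.split(",")]})
    return user_aliases, cmnd_aliases, rules


def _user_matches(user_aliases, who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):                  # %name is a system group
        return who[1:] in groups
    if who in user_aliases:                  # bare NAME is a User_Alias
        return user in user_aliases[who]
    return who == user


def _cmd_matches(cmnd_aliases, spec, argv):
    if spec == "ALL":
        return True
    if spec in cmnd_aliases:
        return any(_cmd_matches(cmnd_aliases, s, argv) for s in cmnd_aliases[spec])
    parts = shlex.split(spec)
    if len(parts) == 1:
        return argv[0] == parts[0]           # bare path: any arguments allowed
    if parts[1:] == [""]:
        return argv == parts[:1]             # '""' means no arguments at all
    return argv == parts                     # otherwise arguments must match exactly


def check(cfg, user, groups, host, argv, runas="root"):
    """Return (allowed, nopasswd). As in sudo, the last matching rule wins."""
    user_aliases, cmnd_aliases, rules = cfg
    result = (False, False)
    for r in rules:
        if r["host"] not in ("ALL", host) or r["runas"] not in ("ALL", runas):
            continue
        if not _user_matches(user_aliases, r["who"], user, groups):
            continue
        if any(_cmd_matches(cmnd_aliases, c, argv) for c in r["cmds"]):
            result = (True, r["nopasswd"])
    return result


# Constructed sample that reuses the lines from this article.
SAMPLE_SUDOERS = """
User_Alias ADMINS = jsmith, mikem, barrym
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

root    ALL=(ALL) ALL
barryX  ALL=(ALL) ALL
barrym  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
%users  ALL= NOPASSWD: /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
ADMINS  ALL=SOFTWARE
"""

if __name__ == "__main__":
    cfg = parse_sudoers(SAMPLE_SUDOERS)
    print(check(cfg, "barrym", set(), "web1", ["/sbin/mount", "/mnt/cdrom"]))
    print(check(cfg, "barrym", set(), "web1", ["/sbin/mount", "/dev/sdb1", "/mnt"]))
    print(check(cfg, "barrym", {"users"}, "web1", ["/sbin/umount", "/mnt/cdrom"]))
    print(check(cfg, "mikem", set(), "web1", ["/usr/bin/yum", "update"]))
    print(check(cfg, "barrym", set(), "web1", ["/usr/sbin/userdel", "billg"]))
```

Two results are worth noticing. barrym is refused /sbin/mount /dev/sdb1 /mnt because his rule lists exact arguments, while mikem may run /usr/bin/yum with any arguments because SOFTWARE lists a bare path. And when barrym is also in the users group, the %users line comes later in the file and so wins, making his CD-ROM mount password-free even though his own line says otherwise; on a real system confirm the effective policy with visudo -c and sudo -l -U barrym rather than reasoning from the file by hand.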

Logging

If you have a problem and suspect a sudo user caused it, check the sudo log entries. sudo logs through syslog, so where they end up depends on the distribution: grep sudo /var/log/messages or /var/log/secure on Red Hat-style systems, /var/log/auth.log on Debian and Ubuntu, or journalctl _COMM=sudo on systems using systemd. Each entry records the invoking user, TTY, working directory, target user and the full command, and refused attempts (command not allowed, user NOT in sudoers, incorrect password attempts) are logged as well, so the log also shows who has been probing for access they do not have.
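As an added example (not part of the original article), the script below parses sudo's syslog lines into structured events and separates successful commands from refused attempts. The log lines are constructed to match sudo's default syslog format; the host name, usernames, TTYs and paths in them are invented.

```python
"""Pull sudo events out of syslog-style log lines.

Added example, not from the original article. SAMPLE_LOG is constructed to
match sudo's default syslog format; host, users, TTYs and paths are invented.
"""
import re

SAMPLE_LOG = """\
Aug  9 10:12:01 web1 sudo:   barrym : TTY=pts/0 ; PWD=/home/barrym ; USER=root ; COMMAND=/sbin/mount /mnt/cdrom
Aug  9 10:12:05 web1 sshd[2231]: Accepted publickey for barrym from 192.0.2.10 port 50112 ssh2
Aug  9 10:13:44 web1 sudo:   barrym : command not allowed ; TTY=pts/0 ; PWD=/home/barrym ; USER=root ; COMMAND=/usr/sbin/userdel billg
Aug  9 10:15:30 web1 sudo:    billg : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/billg ; USER=root ; COMMAND=/bin/bash
Aug  9 10:16:02 web1 sudo:    billg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/billg ; USER=root ; COMMAND=/bin/bash
Aug  9 10:20:11 web1 sudo:   jsmith : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/yum update
"""

# timestamp, host, the literal 'sudo:', invoking user, then ' ; ' separated fields
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<fields>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for one sudo syslog line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "user": m["user"], "reason": None}
    parts = m["fields"].split(" ; ")
    for i, part in enumerate(parts):
        if part.startswith("COMMAND="):      # always last, and may itself contain ' ; '
            event["command"] = " ; ".join(parts[i:])[len("COMMAND="):]
            break
        key, sep, val = part.partition("=")
        if sep and key.isupper():            # TTY=, PWD=, USER= (the target user)
            event["runas" if key == "USER" else key.lower()] = val
        else:
            event["reason"] = part           # e.g. 'command not allowed'
    return event


def sudo_events(text):
    return [e for e in (parse_sudo_line(l) for l in text.splitlines()) if e]


def denied_events(text):
    """Refused attempts: sudo prefixes those with a reason before the TTY field."""
    return [e for e in sudo_events(text) if e["reason"]]


if __name__ == "__main__":
    for e in sudo_events(SAMPLE_LOG):
        status = e["reason"] or "ok"
        print(f'{e["ts"]} {e["user"]} -> {e["runas"]}: {e["command"]} [{status}]')
```

Pipe a real file in place of SAMPLE_LOG and the denied list is the first thing to look at: a user repeatedly hitting "command not allowed" on userdel or a shell is exactly the pattern the per-user logging in this article exists to surface.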

More information

To find out more about sudo and the sudoers file please see the man pages: man sudo, man sudoers and man visudo.

Updated on August 9, 2018
