What is sudo?
Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.
It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.
However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as “substitute user do”.
Although the latter case reflects its current functionality more accurately, sudo is still often called “superuser do” since it is so often used for administrative tasks.
Why use sudo?
Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell.
sudo authenticates with the user's own password, so there is no need to reveal the root password to users just so they can run the few extra commands they need.
How do I use sudo?
Well, this is what man sudo is for, but basically it’s simple:
There are a couple of ways of doing this: you can either edit /etc/sudoers with your favourite editor or use visudo. visudo will use whichever editor you have set using export. I’ve seen some distributions that do not allow direct access to /etc/sudoers and force you to use visudo, and I’ve also read and seen that visudo does some checking before saving.
So, open your sudoers list using your chosen method, you should see something similar to this:
root ALL=(ALL) ALL
So, what does this mean? Well, it’s actually surprisingly simple. The first part, “root”, is the name of the user; the second, “ALL”, is the host(s) this definition applies to (chances are you don’t need to change this); the third “ALL” is the user(s) that this user is allowed to run commands as; and the final “ALL” is the list of commands the user can run.
This might be a bit daunting from that explanation, so let’s take a look at a user I’ll create for myself:
vrk ALL=(root) /usr/bin/apt-get, /usr/bin/vi
So let’s break that down; the user vrk can run the commands /usr/bin/apt-get and /usr/bin/vi as the user root on all hosts.
What is the correct grammar of the sudoers line, and what is the difference between the given examples?
- sysadmin ALL=NOPASSWD:/path/to/command
- sysadmin ALL=(ALL) NOPASSWD:/path/to/command
- sysadmin ALL=(ALL:ALL) NOPASSWD:/path/to/command
Also, what are all the ALL’s for? One user, one command, yet I need to use the ALL keyword up to three times? Am I doing this wrong?
sysadmin host=(user:group) tag:commands
- host specifies the host names this line is valid for. Unless you are sharing a sudoers file among different hosts that need different rules, using the special value ALL, meaning “all hosts”, is a good choice.
- user specifies which users you can use with the -u option to run the command. If you omit this you can’t use the -u option.
- group specifies which groups you can use with the -g option. If you omit it you can’t use the -g option.
Both user and group understand the special value ALL as “all users/groups”.
If you omit the whole (user:group) part you can’t use -u or -g at all; you can only run the command as root.
- tag lets you specify some options, like NOPASSWD.
Sample user alias, command alias and permissions
User_Alias SYSMAN = vrk, pavan
Cmnd_Alias APACHECTL = /usr/sbin/apache2ctl
Cmnd_Alias APACHEINIT = /etc/init.d/apache2
Cmnd_Alias TOMCAT55 = /etc/init.d/tomcat5.5
Cmnd_Alias SAMBA = /etc/init.d/smb
Cmnd_Alias WINBIND = /etc/init.d/winbind
Cmnd_Alias PUPPETD = /etc/init.d/puppet
Cmnd_Alias OPENFILES = /admin/tomcat/openfiles.sh
Cmnd_Alias PUPPET_RESTART = /admin/puppet/puppet_restart.sh
Cmnd_Alias DF = /bin/df
SYSMAN ALL = ALL
user1 ALL = PUPPETD
user1 ALL = WINBIND
%admins ALL=(ALL) ALL   # permissions for the entire group