Sudo access allows a user to execute permitted commands as root or as any other user. This is configured through the file ‘/etc/sudoers’. Once sudo access is granted to a specific user in the sudoers file, that user can execute the permitted commands as root by prefixing them with ‘sudo’.
That is, if ‘sudo’ access is provided to the user ‘sam’, sam can list the files under the protected folder ‘/root’ as follows.
sudo ls /root
It will ask for a password (user sam’s password, not the root password). Once you are authenticated, a timestamp is set and you can run sudo commands without a password for a short period of time (5 minutes by default), after which the timestamp expires and you are prompted again.
Configuring sudo access in /etc/sudoers file
The sudoers file can be edited using the following command.
This locks the sudoers file to prevent simultaneous modification and refuses to save the changes if the file contains any syntax errors.
The syntax for providing sudo access is as follows.
username host_list = (users) command
username : The user to whom sudo access is to be provided
host_list : The hosts on which the user is allowed sudo access
users : The users as whom ‘username’ may execute the commands
command : The commands that the user is allowed to execute as root or as another user.
We can go through some example configurations of the sudoers file to get a clear idea of this.
sam ALL=(ALL) ALL
Here, sam is allowed to run any command as any user on any host.
%admins ALL=(ALL) ALL
Here, all users in the group admins are allowed to run any command as any user on any host.
sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
Here, the user sam is allowed to run the commands /bin/kill, /bin/ls and /usr/bin/lprm on localhost without entering a password.
sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Here, sam is allowed to run /bin/ls as jack, and /bin/kill and /usr/bin/lprm only as root, on any host.
sam ALL = /usr/bin/*
Here, sam is allowed to run any command under the folder /usr/bin as root on any host. Note that a forward slash ('/') is not matched by wildcards used in the pathname, so sam is not allowed to run binaries under /usr/bin/subfolder/*.
sam ALL = /usr/bin/*, !/usr/bin/passwd
Here, sam is allowed to run any command under the folder /usr/bin as root on any host, except ‘/usr/bin/passwd’. The entries in the command list are separated by commas, and the ‘!’ prefix excludes the command that follows it.
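To make the semantics of these rules concrete, the following is an added example in Python (it is not code from the original article or from the sudo project): a small evaluator for just the subset of sudoers syntax shown above. The group table GROUPS and the host names are constructed for the example; the matching behaviour it implements, namely that the last matching entry wins, that wildcards do not cross ‘/’, and that a (runas) list or a NOPASSWD: tag carries over to the commands that follow it in the same list, follows sudo's documented behaviour.

```python
"""Toy evaluator for the sudoers rule syntax shown above.

Added example; not code from the original article or from the sudo project.
It covers only the subset of sudoers syntax discussed here: a user or %group,
a host list, optional (runas) lists, the NOPASSWD:/PASSWD: tags, '!' exclusions
and wildcards in command pathnames. Aliases, Defaults, command arguments and
digests are out of scope, so use it to reason about rules, not to replace
'sudo -l'.
"""
import re

# Constructed group membership table; stands in for /etc/group (assumption).
GROUPS = {"admins": {"alice", "bob"}}

# Constructed sudoers fragment made from the rules discussed above.
SUDOERS = [
    "%admins ALL=(ALL) ALL",
    "sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm",
    "sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "sam ALL = /usr/bin/*, !/usr/bin/passwd",
]


def glob_to_regex(pattern):
    """Turn a sudoers command pattern into an anchored regex.

    As in sudoers, '*' and '?' never match '/', so /usr/bin/* does not
    cover /usr/bin/subfolder/tool.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def parse_rule(line):
    """Parse 'who host_list = [(runas)] [NOPASSWD:] [!]command, ...'.

    Returns (who, hosts, specs) where each spec is
    (runas_set, command_pattern, negated, nopasswd).
    """
    who, rest = line.split(None, 1)
    hosts_part, cmds_part = rest.split("=", 1)
    hosts = {h.strip() for h in hosts_part.split(",")}
    runas, nopasswd, specs = {"root"}, False, []   # sudo's defaults
    for item in cmds_part.split(","):
        item = item.strip()
        m = re.match(r"\((.*?)\)\s*(.*)", item)
        if m:  # a (runas) list carries over to the commands that follow it
            runas = {u.strip() for u in m.group(1).split(",")}
            item = m.group(2).strip()
        for tag in ("NOPASSWD:", "PASSWD:"):
            if item.startswith(tag):  # tags also carry over until changed
                nopasswd = tag == "NOPASSWD:"
                item = item[len(tag):].strip()
        negated = item.startswith("!")
        specs.append((runas, item.lstrip("!").strip(), negated, nopasswd))
    return who, hosts, specs


def user_matches(who, user):
    """'ALL' matches everyone, '%name' matches group members, else exact user."""
    if who == "ALL":
        return True
    if who.startswith("%"):
        return user in GROUPS.get(who[1:], set())
    return who == user


def check(rules, user, host, runas, command):
    """Return (allowed, nopasswd) for a request, or None if no rule matches.

    As in sudo, the last matching command spec wins; that is what lets a
    trailing '!' exclusion override an earlier wildcard, and it also means
    a later matching entry without NOPASSWD re-enables the password prompt.
    """
    decision = None
    for line in rules:
        who, hosts, specs = parse_rule(line)
        if not user_matches(who, user) or not ("ALL" in hosts or host in hosts):
            continue
        for spec_runas, cmd, negated, nopasswd in specs:
            if "ALL" not in spec_runas and runas not in spec_runas:
                continue
            if cmd != "ALL" and not re.match(glob_to_regex(cmd), command):
                continue
            decision = (not negated, nopasswd)
    return decision


if __name__ == "__main__":
    for req in [("sam", "localhost", "root", "/bin/ls"),
                ("sam", "localhost", "root", "/bin/kill"),
                ("sam", "web1", "jack", "/bin/ls"),
                ("sam", "web1", "root", "/usr/bin/passwd"),
                ("sam", "web1", "root", "/usr/bin/subfolder/tool"),
                ("alice", "web1", "root", "/bin/bash"),
                ("carol", "web1", "root", "/bin/ls")]:
        print(req, "->", check(SUDOERS, *req))
```

Two of the constructed requests are worth reading closely. The /usr/bin/passwd request shows what the ‘!’ exclusion buys: that one path is refused, but every other executable directly under /usr/bin is still permitted as root, which is why the sudoers manual advises against building policy by subtracting commands from a wildcard or from ALL. The sam/localhost//bin/kill request shows that rule order matters: the later entry without NOPASSWD is the last match, so sudo would prompt for a password even though an earlier entry said NOPASSWD. For a real system, ‘sudo -l’ run as the user remains the authoritative check of what sudo itself will permit.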
sudo command usage
Once sudo access has been granted in the sudoers file, you can execute the permitted commands as root or as another user with the sudo command. We can go through some example usages of the sudo command.
1. Restarting the web server
sudo /etc/init.d/httpd restart
2. To edit a file of user ‘jack’
sudo -u jack vi /home/jack/mail.php
Here, the -u option runs the command as the user jack.
3. Execute the previously entered command in sudo
This re-runs the previous command with sudo: the shell expands ‘!!’ to the command line that was entered just before.
# ls -ld /
ls: /: Permission denied
# sudo !!
sudo ls -ld /
drwxr-xr-x 22 root root 4096 Aug 20 2012 /