How To Manage Sudo Access For Linux Users

September 14, 2012


Sudo access allows a user to execute permitted commands as root or as any other user. It is controlled by the file ‘/etc/sudoers’. Once a user has been given sudo access in the sudoers file, that user can run the permitted commands as root by prefixing them with ‘sudo’.

That is, if sudo access is given to the user ‘sam’, sam can list the files in the protected folder ‘/root’ as follows.

sudo ls /root

It will ask for a password (user sam’s own password, not the root password). Once you are authenticated, a timestamp is recorded and you can run further sudo commands without a password for a short period of time (5 minutes by default), after which the timestamp expires and you are prompted again.

Configuring sudo access in /etc/sudoers file

The sudoers file can be edited using the following command.

visudo

This locks the sudoers file to prevent simultaneous modification and refuses to save the changes if the file contains syntax errors.

The syntax for providing sudo access is as follows.

username host_list = (users) command

username : the user (or, with a ‘%’ prefix, the group) to whom sudo access is being given
host_list : the hosts on which the user is allowed sudo access
users : the users as which ‘username’ may execute the commands (root if omitted)
command : the commands the user is allowed to execute as root or as the given users

Some example sudoers configurations make this clearer.

Example 1

sam ALL=(ALL) ALL

Here, sam is allowed to run any command as any user on any host.

Example 2

%admins ALL=(ALL) ALL

Here, all users in the group admins are allowed to run any command as any user on any host.

Example 3

sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

Here, the user sam is allowed to run the commands /bin/kill, /bin/ls and /usr/bin/lprm on localhost without being asked for his password.

Example 4

sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Here, sam is allowed to run /bin/ls as jack, and /bin/kill and /usr/bin/lprm only as root, on any host. A (user) specification stays in effect for the commands that follow it in the list until another one appears.

Example 5

sam ALL = /usr/bin/*

Here, sam is allowed to run any command under the folder /usr/bin as root on any host. Note that a forward slash ('/') is not matched by wildcards used in a pathname, so sam is not allowed to run binaries under /usr/bin/subfolder/.

Example 6

sam ALL = /usr/bin/*, !/usr/bin/passwd

Here, sam is allowed to run any command under the folder /usr/bin as root on any host, except ‘/usr/bin/passwd’. The comma is required: without it, sudoers reads ‘!/usr/bin/passwd’ as an argument to ‘/usr/bin/*’ rather than as an excluded command. Also note that sudoers documents such ‘!’ exclusions as easy to circumvent (the user can copy the excluded binary to another name under an allowed path), so list the permitted commands explicitly where that matters.
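As an added illustration that is not part of the original article, the following Python script parses user specifications in the syntax described above, carrying a (runas) group and a NOPASSWD: tag forward through a command list the way sudoers does, and flags the rules a reviewer would look at first. The sample entries are constructed from Examples 1 to 6, with Example 6 written with the comma that sudoers requires between list items.

```python
import re

# Constructed sample mirroring the article's six examples (Example 6 with
# the comma that sudoers requires between list items).
SAMPLE_SUDOERS = """\
sam ALL=(ALL) ALL
%admins ALL=(ALL) ALL
sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm
sam ALL = /usr/bin/*
sam ALL = /usr/bin/*, !/usr/bin/passwd
"""
RULE_RE = re.compile(r"^(?P<user>[^=\s]+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$")

def parse_rule(line):
    """Return (user, hosts, [(runas, tags, cmd), ...]) or None if not a user spec.
    Like sudoers, a (runas) group and a tag such as NOPASSWD: carry over to the
    commands after them in the same list; runas defaults to root."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas, tags, cmds = "root", set(), []
    for item in (c.strip() for c in m["rest"].split(",")):
        if r := RUNAS_RE.match(item):
            runas, item = r["runas"].strip() or "root", r["cmd"].strip()
        while ":" in item and item.split(":", 1)[0].isupper():   # NOPASSWD:, SETENV: ...
            tag, item = (s.strip() for s in item.split(":", 1))
            tags.add(tag)
        cmds.append((runas, frozenset(tags), item))
    return m["user"], m["hosts"], cmds

def audit(text):
    """Flag what a sudoers review looks for: ALL, NOPASSWD, wildcards, '!' exclusions."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_rule(line)
        user, _hosts, cmds = parsed or ("", "", [])
        for runas, tags, cmd in cmds:
            if cmd == "ALL":
                findings.append((n, f"{user} may run any command as {runas}"))
            if "NOPASSWD" in tags:
                findings.append((n, f"{user} runs {cmd} without a password"))
            if cmd.startswith("!"):   # sudoers(5): negation is bypassed by copying the binary
                findings.append((n, f"exclusion {cmd} is not a security boundary"))
            elif any(ch in cmd for ch in "*?["):
                findings.append((n, f"{user} runs wildcard command {cmd} as {runas}"))
    return findings
```

Feeding it the comma-less form of Example 6 shows why the comma matters: the whole of /usr/bin/* !/usr/bin/passwd parses as one command with an argument, so no exclusion is recorded.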

sudo command usage

Once sudo access has been granted in the sudoers file, you can execute the permitted commands as root or as another user with the sudo command. Some example usages follow.

1. Restarting the web server

sudo /etc/init.d/httpd restart

2. To edit a file of user ‘jack’

sudo -u jack vi /home/jack/mail.php

Here the -u option makes the command run as jack.

3. Execute the previously entered command in sudo

sudo !!

The shell expands !! to the previously entered command line, so this re-runs that command under sudo.

# ls -ld /
ls: /: Permission denied
# sudo !!
sudo ls -ld /
drwxr-xr-x 22 root root 4096 Aug 20 2012 /
