Sudo access allows a user to execute all permitted commands as root or as any other user. Once sudo access is given to a specific user in the sudoers file, that user can execute commands as root by prefixing them with sudo. Such a user has full system access, so sudo should be used only for administrative tasks. There are basically no restrictions on what you can do to your system.
What is the sudoers file and how does the sudo command work?
The /etc/sudoers file controls who can run what commands as what users on what machines, and can also control special things such as whether you need a password for particular commands. When you have a new user on your system, you need to decide if this user should be able to perform administrative tasks with sudo. If the new user will be a primary user on the system, you usually want to enable sudo privileges so that you can do routine configuration and maintenance.
That is, if sudo access is provided to the user sam, he can list the files under the protected folder /root as follows.
$ sudo ls /root
It will ask for a password (user sam's password, not the root password). Once you are authenticated, a timestamp is set and you can execute sudo commands without a password for a short period of time (5 minutes by default), after which the timestamp is reset.
Configuring sudo access in /etc/sudoers file
To give users access to the sudo command, we need to use the visudo command to edit the /etc/sudoers file. You should never edit this file with a normal text editor but always use the visudo command instead. If you have not assigned additional privileges to any user yet, you will need to be logged in as root to access this command.
visudo locks the sudoers file to prevent simultaneous modification and will not save the changes if the file contains syntax errors. You will be taken into a text editor session with the file that defines sudo privileges pre-loaded. You will have to add your user to this file to grant the desired access rights.
On CentOS, find the line "Allow root to run any commands anywhere".
On a Debian system, find the line with "User privilege specification".
The syntax for providing sudo access is as follows.
username host_list = (users) command
- username: the user to whom sudo access is to be granted
- host_list: the hosts on which the user is allowed sudo access
- users: the users as which 'username' can execute the commands
- command: the commands that the user is allowed to execute as root or as another user
We can go through some example configurations of the sudoers file to get a clear idea of this. Depending on what you want to allow on your system (Debian or CentOS), just follow the syntax shown above. In the following cases, we will consider only a CentOS system.
a. Allow a user to use sudo
If you want to allow a specific user to run any command as any user on any host, insert the line below. Our example user is sam.
sam ALL=(ALL) ALL
b. Allow users in a specific group to run any command
Here, all users in the group admins are allowed to run any command as any user on any host.
%admins ALL=(ALL) ALL
c. Allow running commands without authenticating
Here, the user sam is allowed to run the commands /bin/kill, /bin/ls and /usr/bin/lprm on localhost without authenticating himself.
sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
d. Allow running specific commands as a specific user
Here, sam is allowed to run /bin/ls as jack, and /bin/kill and /usr/bin/lprm only as root, on any host.
sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Here, sam is allowed to run any command in the folder /usr/bin as root on any host. Note that a forward slash (/) will not be matched by wildcards used in the pathname. That is, sam is not allowed to run binaries under
sam ALL = /usr/bin/*
Here, sam is allowed to run any command in the folder /usr/bin as root, other than /usr/bin/passwd, on any host. The entries in the command list are separated by commas.
sam ALL = /usr/bin/*, !/usr/bin/passwd
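The rules above grant very different amounts of privilege. As an added example (not part of the original article), the shell function below audits sudoers-style lines and flags the broad patterns shown in this section: unrestricted ALL, NOPASSWD, wildcard paths and "!" exclusions. The name audit_sudoers and the SAMPLE_RULES text are assumptions, constructed from the example lines above.

```shell
#!/bin/sh
# Added example: lint sudoers-style rules for the risky patterns discussed above.
# audit_sudoers is a hypothetical helper; SAMPLE_RULES is constructed from the
# article's example lines. Backslash line continuations are not handled.

SAMPLE_RULES='# constructed sample
sam ALL=(ALL) ALL
%admins ALL=(ALL) ALL
sam localhost = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
sam ALL = (jack) /bin/ls, (root) /bin/kill, /usr/bin/lprm
sam ALL = /usr/bin/*
sam ALL = /usr/bin/*, !/usr/bin/passwd'

# Reads rules on stdin; prints "LINE:WHO:FINDING" for each risky pattern.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
    /^(Defaults|[A-Za-z]+_Alias)/ { next }           # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next                            # not a user specification
        who = $1
        spec = substr($0, eq + 1)                    # "(users) TAG: cmd, cmd, ..."
        if (spec ~ /NOPASSWD:/) print NR ":" who ":nopasswd"
        gsub(/\([^)]*\)/, "", spec)                  # drop the run-as user lists
        gsub(/[A-Z_]+:/, "", spec)                   # drop tags such as NOPASSWD:
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            if (c == "ALL")      print NR ":" who ":all-commands"
            else if (c ~ /^!/)   print NR ":" who ":negation"
            else if (c ~ /[*?]/) print NR ":" who ":wildcard"
        }
    }'
}

# Audit the constructed sample; on a real system, feed it /etc/sudoers as root.
printf '%s\n' "$SAMPLE_RULES" | audit_sudoers
```

The negation finding deserves a review because sudoers(5) itself cautions that subtracting commands with "!" is generally not an effective restriction.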
Sudo command usage
Once sudo access is provided through the sudoers file, you can execute the permitted commands as root or as another user with the sudo command. We can go through some example usages of the sudo command.
a. Operate on some services
When you want to operate a service such as a web server, network service or database server, you need privileges. For example, to restart your web server, use the command below.
$ sudo systemctl restart httpd.service
If you want to restart your firewall, the procedure is the same.
$ sudo systemctl restart firewalld
b. Execute a command as another user
With the sudo command, it is possible to execute a command as if we are another user of the system.
$ sudo -u jack vi /home/jack/mail.php
The -u option allows the user to execute the command as jack.
c. Execute the previously entered command in sudo
A command may fail because you forgot to preface it with sudo. You can re-execute the last command using bash history expansion which, coupled with sudo, runs that command directly as root.
The double exclamation point (!!) repeats the last command. Preceding it with sudo quickly turns the unprivileged command into a privileged one.
# ls -ld /
ls: /: Permission denied
# sudo !!
sudo ls -ld /
dr-xr-xr-x. 20 root root 4096 May 23 04:19 /
d. Substitute user on the current shell
Once a user has been created, you can switch to that user directly in the shell by entering the name of the user you would like to change to.
[root@centos-01 ~]# su - paul
[paul@centos-01 root]$
You can see that on the second line it is the user paul who is connected.
Using sudo, a regular user can execute commands as root, provided a sysadmin has allowed them to execute those commands. Apart from executing a command as root, a user can also execute a command as any other user, if they have permission to do so. It is essential that you understand what each command you execute with root privileges does.