blogger templates blogger widgets
This is part of a list of blog posts.
To browse the contents go to

sudo Tutorial

If you are using Ubuntu, you will already have sudo installed. But if you are on other linux distros like ArchLinux, you need to install it by yourself.

After installing, you need to create a account for yourself. Read about creating, modifying and switching accounts here

Configure sudo

Sudo's configuration file is /etc/sudoers. You can edit it using vi but it's advised to edit it using the visudo command.

visudo command opens your sudoers file using nano editor. You can change that to your preferred editor (I prefer vim) in 3 ways
  1. Just for once.
    If you want to use another editor only this time, Run
    #EDITOR=vim visudo

  2. At all times
    If you want sudoers file to be opened in editor of your choice at all times, then
    #EDITOR=vim visudo

    Append this line to the top of the file.
    Defaults editor=/usr/bin/vim

  3. System-wide setting
    To set your preferred editor as the default editor for your whole system, add the below line to ~/.bashrc file.
    export EDITOR=vim

Note: Whatever be the case, we still should open the file using visudo command.

Why do you need to use visudo and not vi sudo?
visudo locks the sudoers file, saves edits to a temporary file, and checks that file's grammar before copying it to /etc/sudoers. It is imperative that sudoers be free of syntax errors since it will not run otherwise.

To give a user or group root privileges add this line.

So I added the below line to the sudoers file.

NOPASSWD: ALL removes the password requirement everytime you sudo.

What does "ALL" mean here?
It's a built in aliases. It could be used in place of any other alias.

What happens when a user who is not listed in sudoers file tries to run sudo?
A mail get sent. To whom? Well, mostly to system administrators. But it's configurable via "default entries".

How does a user try out sudo without sending a mail?
use -l or -v option.
[onie@myhost root]$ sudo -v
[onie@myhost root]$ sudo -l
User onie may run the following commands on this host:

This allows users to check for themselves whether or not they are allowed to use sudo.

How long does the sudo effect last?>
Once a user uses sudo, the sudo privilege lasts for 5 minutes (default). That means you can run other admin commands without entering password each time. This can be modified using "Default entries".

What does "Defaults env_reset" mean?
It resets the terminal environment after switching to root. So, all user set variables gets removed. There are a lot other "Default entries".

Default entries

Certain configuration options may be changed from their default values at runtime via one or more Default Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user.
Few of the common overrides are:
  • env_reset
    If set, sudo will reset the environment to only contain the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_ variables.
  • mail_always
    Send mail to the mailto user every time a users runs sudo. This flag is off by default.
  • mail_badpass
    Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
  • mail_no_user
    If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.
  • rootpw
    If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default.
  • passwd_timeout
    Number of minutes before the sudo password prompt times out. Use 0 for no timeout. The default is 5.
  • timestamp_timeout
    Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire.
For a detailed look at these, check out the Sudoers Manual
Also there is a sample sudoers file available: sample.sudoers

A Detailed look at Sudoers file

The sudoers file is composed of two types of entries:
  • aliases (basically variables)
  • user specifications (which specify who may run what)


There are 4 kinds of aliases.
User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
Each alias definition is of the form:
Alias_Type NAME = item1, item2, ...

Alias_Type is one of User_Alias, Runas_Alias, Host_Alias or Cmnd_Alias.
a name is the alias name (it could be a string of uppercase letters, numbers and underscores).
item1, item2,.. are values. And these depend on the type of alias you are dealing with.
You can put several aliases of the same type on one line by separating them with colons (:) as so:
Alias_Type NAME1 = item1, item2 : NAME2 = item3

The text that follow are taken from the Ubuntu documentation pages.

User Aliases

User aliases are used to specify groups of users. You can specify usernames, system groups (prefixed by a %) and netgroups (prefixed by a +) as follows:
# Everybody in the system group "admin" is covered by the alias ADMINS
User_Alias ADMINS = %admin
# The users "tom", "dick", and "harry" are covered by the USERS alias
User_Alias USERS = tom, dick, harry
# The users "tom" and "mary" are in the WEBMASTERS alias
User_Alias WEBMASTERS = tom, mary
# You can also use ! to exclude users from an alias
# This matches anybody in the USERS alias who isn't in WEBMASTERS or ADMINS aliases

Runas Aliases

Runas Aliases are almost the same as user aliases but you are allowed to specify users by uid's. This is helpful as usernames and groups are matched as strings so two users with the same uid but different usernames will not be matched by entering a single username but can be matched with a uid. For example:
# UID 0 is normally used for root
# Note the hash (#) on the following line indicates a uid, not a comment.
Runas_Alias ROOT = #0
# This is for all the admin users similar to the User_Alias of ADMINS set earlier
# with the addition of "root"
Runas_Alias ADMINS = %admin, root

Host Aliases

A host alias is a list of hostname, ip addresses, networks and netgroups (prefixed with a +). If you do not specify a netmask with a network the netmask of the hosts ethernet interface(s) will be used when matching.
# This is all the servers
Host_Alias SERVERS =,, server1
# This is the whole network
Host_Alias NETWORK =
# And this is every machine in the network that is not a server
# This could have been done in one step with
# but I think this method is clearer.

Command Aliases

Command aliases are lists of commands and directories. You can use this to specify a group of commands. If you specify a directory it will include any file within that directory but not in any subdirectories.

The special command '"sudoedit"' allows users to run sudo with the -e flag or as the command sudoedit. If you include command line arguments in a command in an alias these must exactly match what the user enters on the command line. If you include any of the following they will need to be escaped with a backslash (\): ",", "\", ":", "=".
# All the shutdown commands
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt
# Printing commands
Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm
# Admin commands
Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo
# Web commands
Cmnd_Alias WEB_CMDS = /etc/init.d/apache2

User Specifications

User Specifications are where the sudoers file sets who can run what as who. It is the key part of the file and all the aliases have just been set up for this very point.

A user specification is in the format

<user list> <host list> = <operator list> <tag list> <command list>

user list - could be a user name or user alias for whom a security restriction/privilege is going to be set.
host list - is a list of hosts/machines or a host alias on which the security restriction/privilege are going to be set.
operator list - is a list of users they must be running as or a runas alias.
command list - is a list of commands or a cmnd alias, they are permitted to operate.
tag list - allows you set special flags for each command. There are 2 common flags used.
PASSWD and NOPASSWD - to specify whether the user has to enter a password or not.
NOEXEC - to prevent any programs launching shells themselves.

For example (using the aliases and users from earlier)
# This lets the webmasters run all the web commands on the machine
# "webserver" provided they give a password
# This lets the admins run all the admin commands on the servers
# This lets all the USERS run admin commands on the workstations provided
# they give the root password or and admin password (using "sudo -u ")
# This lets "harry" shutdown his own machine without a password
harry harrys-machine= NOPASSWD: SHUTDOWN_CMDS
# And this lets everybody print without requiring a password

There is a sample sudoers file available: sample.sudoers

No comments:

Post a Comment