This tutorial explains the Linux “sudo” command, its options, and its usage with examples.
DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file (the group vector is also initialized when the target user is not root). By default, sudo requires that users authenticate themselves with a password (NOTE: by default this is the user’s password, not the root password).
Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).
The Sudoers File
This file is the seedy underbelly of sudo. It controls who can use the sudo command to gain elevated privileges. It is usually located at /etc/sudoers. The best and safest way to edit this file is by using the visudo command. This command will start the vi editor with elevated privileges so that you can edit the file and save it. It will also put a file lock on the sudoers file so that no one else can edit it at the same time. Once you’re done editing, it will parse the file for simple errors. It is a much safer way of editing the sudoers file than just using any old text editor.
This file contains many parameters. You can specify which users of which groups can perform what commands. We are simply going to grant ourselves access to sudo by adding:
username ALL=(ALL) ALL   # gives user “username” sudo access
%wheel ALL=(ALL) ALL     # gives all users that belong to the wheel group sudo access
at the bottom. Now the specified username will be able to use all root privileges. You can also allow a user or group to have sudo access to only specific services or servers in place of the ALL parameter, but that’s a topic for another day.
SYNOPSIS
sudo -l | -v | -k | -K | -s | [ -H ] [ -b ] | [ -p prompt ] [ -u username|#uid ] command
OPTIONS
-l
The -l (list) option will list out the allowed (and forbidden) commands for the user on the current host.
-v
If given the -v (validate) option, sudo will update the user’s timestamp, prompting for the user’s password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.
-k
The -k (kill) option to sudo invalidates the user’s timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.
-K
The -K (sure kill) option to sudo removes the user’s timestamp entirely. Likewise, this option does not require a password.
-b
The -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process.
-p
The -p (prompt) option allows you to override the default password prompt and use a custom one. If the password prompt contains the %u escape, %u will be replaced with the user’s login name. Similarly, %h will be replaced with the local hostname.
-u
The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.
-s
The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in passwd.
-H
The -H (HOME) option sets the HOME environment variable to the homedir of the target user (root by default) as specified in passwd. By default, sudo does not modify HOME.
EXAMPLES
1. Set up sudo Environment in /etc/sudoers
To provide sudo access to an individual user, add the following line to the /etc/sudoers file.
abc ALL=(ALL) ALL
In the above example:
abc : name of user to be allowed to use sudo
ALL : Allow sudo access from any terminal ( any machine ).
(ALL) : Allow sudo command to be executed as any user.
ALL : Allow all commands to be executed.
To provide sudo access to a group, add the following line to the /etc/sudoers file.
%programmers ALL=(ALL) ALL
In the above example:
programmers : name of group to be allowed to use sudo. Group name should be preceded with percentage symbol.
ALL : Allow sudo access from any terminal ( any machine ).
(ALL) : Allow sudo command to be executed as any user.
ALL : Allow all commands to be executed.
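The field layout described above (who, host, run-as user, commands) can be checked mechanically. The following is an added example, not part of the original tutorial: a POSIX shell function that parses user specifications and marks every rule that grants ALL commands. The sample policy is constructed, and the deploy/web01 rule and the NOPASSWD entry are illustrative assumptions.

```shell
#!/bin/sh
# Added example: classify sudoers user specifications as BROAD or scoped.
# SAMPLE_SUDOERS is constructed; "deploy", "web01" and the nginx rule are
# hypothetical. Real input would be /etc/sudoers and /etc/sudoers.d/*.
SAMPLE_SUDOERS='# constructed sample policy
Defaults env_reset
root ALL=(ALL) ALL
abc ALL=(ALL) ALL
%programmers ALL=(ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
deploy web01=(root) /usr/bin/systemctl restart nginx
'

# audit_sudoers: reads sudoers text on stdin and prints one line per rule:
#   <BROAD|scoped> <user|group> <name> host=<h> runas=<r> cmds=<c>[ NOPASSWD]
# Simplification: aliases, #include directives, #uid entries and line
# continuations are skipped rather than expanded.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }       # not user specifications
    {
        who = $1
        kind = (substr(who, 1, 1) == "%") ? "group" : "user"
        sub(/^%/, "", who)
        spec = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)          # drop the user/group field
        eq = index(spec, "=")
        if (eq == 0) next
        host = substr(spec, 1, eq - 1)
        gsub(/[ \t]/, "", host)
        rest = substr(spec, eq + 1)
        runas = "root"                # sudo default when no (runas) list is given
        if (match(rest, /^[ \t]*\([^)]*\)/)) {
            runas = substr(rest, RSTART, RLENGTH)
            gsub(/[ \t()]/, "", runas)
            rest = substr(rest, RSTART + RLENGTH)
        }
        nopass = (rest ~ /NOPASSWD:/) ? " NOPASSWD" : ""
        gsub(/[A-Z_]+:[ \t]*/, "", rest)               # strip tags like NOPASSWD:
        sub(/^[ \t]+/, "", rest); sub(/[ \t]+$/, "", rest)
        level = (rest == "ALL") ? "BROAD" : "scoped"
        printf "%s %s %s host=%s runas=%s cmds=%s%s\n",
            level, kind, who, host, runas, rest, nopass
    }'
}

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host, feed it the policy as root, for example `sudo cat /etc/sudoers | audit_sudoers`, and review every BROAD line.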
2. Executing a command as super user
Once the sudo access is provided to your account in /etc/sudoers, you can pass any root command as an argument to the sudo command.
$ sudo mount /dev/sda3 /mnt
3. Forgot to give sudo for root command? Do it again using !!
If you’ve forgotten to give sudo for a command that requires root privilege, instead of typing the command with sudo again, you can simply do sudo !! as shown below.
$ head -n 4 /etc/sudoers
head: cannot open `/etc/sudoers' for reading: Permission denied
$ sudo !!
sudo head -n 4 /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
4. Get Root Shell Access using Sudo
To get a root shell from your user account, do the following.
$ sudo bash
Once you get the root shell, you can execute any root command without having to enter sudo in front of it every time.
5. Checking which commands are allowed to a user
ALL indicates that all commands are allowed to be run with superuser privilege.
$ sudo -l
[sudo] password for abc:
Matching Defaults entries for abc on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User abc may run the following commands on this host:
    (ALL : ALL) ALL
6. Make an account a super user
$ sudo su
It will make you the root user and load your custom user environment variables.
Sanfoundry Global Education & Learning Series – 1000 Linux Tutorials.