The sudo command in Linux enables authorized users to execute tasks that typically demand elevated privileges. By prompting for the user’s password, it allows them to run commands with higher privileges, similar to those reserved for the system administrator, while maintaining system security through granular access control.
Description
sudo permits an authorized user to execute a command as the superuser or another user, as defined in the sudoers file. It adjusts the real and effective user and group IDs to match those of the target user, specified in the passwd file. By default, sudo prompts users to authenticate themselves with their own password, not the root password.
After successful authentication, a timestamp is updated, allowing the user to execute sudo commands without re-entering the password for a brief period (usually 5 minutes, unless modified in sudoers).
What is the sudoers File?
The sudoers file manages access to the sudo command for elevated privileges. Typically found at /etc/sudoers, it controls authorized users’ capabilities. The safest way to edit this file is by using the visudo command. This command opens the vi editor with elevated privileges, allowing safe editing and imposing a file lock to prevent concurrent edits. Once editing is complete, the file is checked for simple errors, ensuring a safer process compared to using a regular text editor.
Within this file, various parameters define which users or groups can execute specific commands. For instance, granting sudo access can be achieved by adding:
username ALL=(ALL) ALL    # grants user "username" sudo access
%wheel ALL=(ALL) ALL      # grants wheel group members sudo access
These settings allow the specified users or groups to execute commands with root privileges. Additionally, sudo access can be limited to specific services or servers by altering the ‘ALL’ parameter, but that’s a topic for another discussion.
Syntax:
The syntax for the sudo command is:
sudo [options] command [Arguments]
Here:
- Options are various flags that modify the behavior of sudo.
- Command is the command you want to execute with elevated privileges.
- Arguments are the parameters or options passed to the command being executed with sudo.
Options:
- -l (list): Lists the permitted and forbidden commands for the current user on the current host.
- -v (validate): Validates and updates the user’s timestamp, extending sudo’s timeout without executing a command.
- -k (kill): Invalidates the user’s timestamp by resetting it to the epoch. This requires the user to enter their password the next time they run sudo. This option was designed to allow users to revoke sudo permissions from a .logout file.
- -K (sure kill): Permanently removes the user’s timestamp. Similar to -k, it doesn’t require a password.
- -b (background): Executes the specified command in the background. Note that using -b disables shell job control for the process.
- -p (prompt): Allows overriding the default password prompt with a custom one. If the custom prompt contains the %u escape sequence, it will be replaced with the user’s login name. Similarly, %h will be replaced with the local hostname.
- -u (user): Executes the specified command as a user other than root. To specify a uid instead of a username, use #uid.
- -s (shell): Runs the shell specified by the SHELL environment variable, if set, or the shell specified in passwd.
- -H: Sets the HOME environment variable to the target user’s home directory (root’s home, since root is the default target user). By default, sudo does not modify HOME.
sudo Command Examples:
Example 1: Set up sudo Environment in /etc/sudoers
Access for Single User:
To provide sudo access to an individual user, add the following line to the /etc/sudoers file.
abc ALL=(ALL) ALL
In the above example:
- abc: name of user to be allowed to use sudo
- ALL: The host field. Allow sudo access on any host (any machine).
- (ALL): Allow sudo command to be executed as any user.
- ALL: Allow all commands to be executed.
Access for Group:
To provide sudo access to a group, add the following line to the /etc/sudoers file.
%programmers ALL=(ALL) ALL
In the above example:
- programmers: name of the group to be allowed to use sudo. The group name must be preceded by a percent sign (%).
- ALL: The host field. Allow sudo access on any host (any machine).
- (ALL): Allow sudo command to be executed as any user.
- ALL: Allow all commands to be executed.
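The rule fields described in Example 1 can be checked mechanically. The following is an added example, not part of the original tutorial: a small Python parser for the simple "who host=(runas) commands" form that reports every rule allowing all commands. The "deploy" / "web01" line in the sample is constructed, and aliases, tags, line continuations and #uid users are not handled.

```python
import re

# Single-spec rule form shown on the page: who host=(runas) commands
# Aliases, tags, line continuations and "#uid" users are out of scope.
RULE = re.compile(
    r"^(?P<who>%?[A-Za-z_][\w.-]*)\s+"   # user, or %group
    r"(?P<host>[^\s=]+)\s*=\s*"          # host field
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      # optional (runas) field
    r"(?P<cmds>.+)$"                     # comma-separated command list
)

def parse_rule(line):
    """Parse one sudoers line; return None for comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
        return None
    m = RULE.match(line)
    if not m:
        return None
    # sudo runs the command as root when the rule has no (runas) field
    runas = (m["runas"] or "root").split(":")[0].strip()
    return {
        "who": m["who"],
        "is_group": m["who"].startswith("%"),
        "host": m["host"],
        "runas": runas,
        "commands": [c.strip() for c in m["cmds"].split(",")],
    }

def audit(text):
    """Return (who, finding) for every rule whose command list contains ALL."""
    findings = []
    for raw in text.splitlines():
        rule = parse_rule(raw)
        if rule and "ALL" in rule["commands"]:
            target = "any user" if rule["runas"] == "ALL" else rule["runas"]
            scope = "any host" if rule["host"] == "ALL" else rule["host"]
            findings.append((rule["who"], f"any command as {target} on {scope}"))
    return findings

# Constructed sample policy; "deploy", "web01" and its command are made up.
SAMPLE = """\
Defaults env_reset
abc ALL=(ALL) ALL
%programmers ALL=(ALL) ALL
deploy web01=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```

Only the two ALL=(ALL) ALL rules are reported; the constructed "deploy" rule, which names one host, one target user and one command, is not.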
Example 2: Executing a command as super user
Once the sudo access is provided to your account in /etc/sudoers, you can pass any root command as an argument to the sudo command.
$ sudo mount /dev/sda3 /mnt
Example 3: Forgot to give sudo for root command? Do it again using !!
If you forget to use sudo for a command that requires root privileges, you can use sudo !!. The !! refers to the last command executed, and using sudo !! allows running the previous command again with elevated privileges.
$ head -n 4 /etc/sudoers
head: cannot open `/etc/sudoers' for reading: Permission denied
$ sudo !!
sudo head -n 4 /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
Example 4: Get Root Shell Access using Sudo
To get a root shell from your user account, do the following.
$ sudo bash
Once you get the root shell, you can execute any root command without having to enter sudo in front of it every time.
Example 5: Checking which commands a user is allowed to run
$ sudo -l
[sudo] password for abc:
Matching Defaults entries for abc on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User abc may run the following commands on this host:
    (ALL : ALL) ALL
The sudo -l command displays a list of commands that the user ‘abc’ is allowed to execute with superuser privileges. In this example, ‘abc’ can run any command as any user (ALL : ALL) on the host.
Example 6: Make an account a super user
$ sudo su
Using sudo su, you switch to the root user and inherit root’s environment variables. This grants complete access as the root user.
Sanfoundry Global Education & Learning Series – 1000 Linux Tutorials.