What is SUDO?
SUDO is a tool that allows an administrator to delegate authority: to give selected users (or groups) the ability to run some or all commands as root or as another user.
SUDO is not a shell. It operates on a per-command basis.
Who gets to use SUDO, and which commands those users can run, is controlled by the /etc/sudoers file.
visudo is the command used to make changes to that file. You should edit /etc/sudoers only using the visudo command; do not edit the file directly. visudo locks the file while you edit it and checks its syntax before saving, so a typo cannot silently break every administrator's access.
/etc/sudoers file syntax
The /etc/sudoers file is composed of two kinds of entries:
- Aliases - these are variables; and
- User specifications - these decide who is allowed to run what.
There are 4 kinds of Aliases (variables): User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
Here is an example of a User_Alias definition.
User_Alias ADMINS = ravi, anand
User_Alias is very rarely used, as you can use regular system groups in this file: just prefix the group name with %, as in the %wheel example further down.
Host_Alias assigns computers to variables. The variables accept host names or IP addresses of the machines. Here is an example of Host_Alias usage.
Host_Alias FILESERVERS = fs1, fs2, 192.168.0.1
Cmnd_Alias groups related commands. For example, you can bunch together useful networking tools into a command alias as follows.
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
There is no limit to the number of variables you can define using Cmnd_Alias, and they need not be called NETWORKING or LOCATE; you can give them any useful name.
Once you have defined all the variables using the Aliases feature, you have to provide the user specifications.
Defining the user specifications is the most important part of the /etc/sudoers file. It defines which users can run what software on which machines.
The syntax for a user specification is as follows:
user host=(runas_user) command
The (runas_user) part is optional; when it is omitted the command runs as root. There is no space on either side of the '=' symbol in the above syntax.
The following are a few examples of user specification rules in the /etc/sudoers file.
## Allow root to run any commands anywhere.
root ALL=(ALL) ALL
## Allow people in the wheel group to run all the commands
## without a password.
%wheel ALL=(ALL) NOPASSWD: ALL
By default SUDO requires that a user authenticate before running a command. This behaviour can be modified via the NOPASSWD tag, as shown in the example above. Alternately, you can use the PASSWD tag to reverse the situation.
## Allow members of the users group to shutdown this system.
%users localhost=/sbin/shutdown -h now
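To see how alias definitions and user specifications fit together, here is an added Python example (not from the original article) that parses a constructed sudoers fragment built from the rules above, expands the aliases into concrete users, hosts and commands, and reports which principals may run ALL commands without a password. It handles only the single-line subset of the syntax shown on this page; the alias names and hosts are the article's own illustrative values.

```python
import re

# Constructed sample sudoers content for this example (not taken from any real system).
SAMPLE_SUDOERS = """
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
User_Alias ADMINS = ravi, anand
Host_Alias FILESERVERS = fs1, fs2, 192.168.0.1
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
ADMINS FILESERVERS=(ALL) NOPASSWD: NETWORKING
%users localhost=/sbin/shutdown -h now
"""

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# who host=(runas) [NOPASSWD:|PASSWD:] commands  -- the (runas) part and the tag are optional
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\((\S+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def _split(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]

def parse_sudoers(text):
    """Return (aliases, specs); each spec is a dict with every alias expanded."""
    aliases = {"User": {}, "Runas": {}, "Host": {}, "Cmnd": {}}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = _split(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: %r" % raw)
        who, host, runas, tag, cmds = m.groups()
        specs.append({
            "users": aliases["User"].get(who, [who]),
            "hosts": aliases["Host"].get(host, [host]),
            "runas": aliases["Runas"].get(runas, [runas or "root"]),  # no (runas) means root
            "nopasswd": tag == "NOPASSWD",
            "commands": [c for n in _split(cmds) for c in aliases["Cmnd"].get(n, [n])],
        })
    return aliases, specs

def passwordless_full_access(specs):
    """Users or groups allowed to run ALL commands without a password: review these first."""
    return sorted(u for s in specs if s["nopasswd"] and "ALL" in s["commands"] for u in s["users"])
```

On the sample above the only passwordless ALL grant is the %wheel group, while the ADMINS rule expands to ravi and anand running just the three NETWORKING commands on the three file servers.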
Predefined Tags used in the /etc/sudoers file
PASSWD - The user needs to enter their password to run the command.
NOPASSWD - The user need not enter their password to run the command.
NOEXEC - Prevents a dynamically linked executable from running further commands itself (the EXEC tag allows it).
SETENV / NOSETENV - These tags control whether the user is allowed to enable or disable the env_reset option from the command line.
LOG_INPUT / NOLOG_INPUT - These tags override the value of the log_input option on a per-command basis.
LOG_OUTPUT / NOLOG_OUTPUT - These tags override the value of the log_output option on a per-command basis.
You can use wildcards when defining host names, path names and command line arguments in the /etc/sudoers file.
Features of SUDO
The following are the main features of SUDO.
- To run any command using SUDO, prepend sudo to your command.
- You don't need to know root's password to run SUDO. It prompts for your own password.
- Maintains an extensive logging/audit trail. Each command a user executes through SUDO is logged.
- Caches your password. The default time of caching is 5 minutes.
- Can use the NOPASSWD tag for accounts used for batch processes.
- A handy way to give users controlled access to the things they need without giving them the root password.
For more details on using SUDO, refer to its man page.