Sudo (short for "superuser do") is the standard privilege-delegation utility on Unix and Linux systems. The Linux system forbids normal users from executing administrative commands; sudo lets an administrator allow regular users to run any application or command as root, or grant specific commands to specific users. Only users with a matching entry in the /etc/sudoers file (the main configuration file for sudo) are allowed to run a command with the sudo prefix.
WARNING:
Using the root account for day-to-day work is quite dangerous, since it has full privileges to perform any action. A simple mistake when running a command can destroy the whole system with no recovery option except re-installation. It is therefore better to avoid the root account except in the specific cases where it is explicitly required, and to use a normal account with sudo privileges instead: sudo adds extra security checks, such as asking for the user's password before executing any administrative command.
In most Linux distributions, sudo privilege can be granted simply by adding a user to the sudo group. On Red Hat, CentOS, and Fedora the group is named "wheel", and it is usually enabled by default; if not, edit the /etc/sudoers file with the 'visudo' command in the terminal (visudo locks the file and checks its syntax before saving, which protects you from a typo that would disable sudo for everyone), or directly with vi or vim. The following are the three kinds of entries in the sudoers file that grant the privilege to use the sudo prefix.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## It means the root user can execute all commands on any host as any user
## Allows people in the group wheel to run all commands
%wheel ALL=(ALL) ALL
## It means all users that belong to the wheel group can execute all commands as root
## Allows the given user to run all commands
username ALL=(ALL) ALL
## It means only the named user can execute all commands as root
Note: to add an existing user to the wheel group, run:
# usermod -aG wheel username
In this article, we will go through the steps to configure sudoers on a Linux system. This will help desktop users, developers, and system admins alike. The steps in this guide were tested on RHEL and CentOS 7.8. You can use this guide for all versions of RHEL, CentOS, and Fedora, and it will be almost identical for other distros as well.
Prerequisites:
Operating System: CentOS 7
Package: sudo
User account: root user or another account with sudo privileges
Access: Terminal / command-line interface
By default, all Linux distros come with the sudo package pre-installed. You can check whether the package is present on the system with either of the following options:
Option A: Open your terminal, simply type 'sudo' (without the quotes) and press Enter.
# sudo
Output: If the sudo package is not installed on the system, it will display output like the following:
-bash: /usr/bin/sudo: No such file or directory
If the package is installed, it will display the usage summary shown below:
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
Option B: Check the package using the yum or rpm utilities.
# yum list installed | grep sudo
OR
# rpm -qi sudo
Output:
libsss_sudo.x86_64 1.16.4-37.el7 @anaconda
sudo.x86_64 1.8.23-9.el7 @base
Note: if sudo is not installed, install it with:
# yum install sudo
1. Use one of the following options to create a new user with sudo privilege
Option A:
(i) Use the following command to create a new user in Linux
# useradd linuxteck
# passwd linuxteck (create a password)
(ii) Now we can add a new user (linuxteck) to the wheel group
# usermod -aG wheel linuxteck
OR
Option B:
Instead of the two steps above (i and ii), we can create the new sudo user with a single command. There are many other methods to create a user in Linux.
# useradd -G wheel linuxteck
(iii) Now use the 'id' command to display the user and group information of the newly created user (linuxteck):
# id linuxteck
Output:
uid=1005(linuxteck) gid=1005(linuxteck) groups=1005(linuxteck),10(wheel)
(iv) We can now test the sudo prefix with the new user account. To do so, use the 'su' command to switch from root to the standard user (linuxteck), or open a different terminal and log in as the new user. I will use the first option here.
[root@centos ~]# su - linuxteck ## To switch
[linuxteck@centos ~]$ ## After switching
Note: as the new user, run an administrative command with the sudo prefix, for example listing root's home directory, which a normal user cannot read:
$ sudo ls -la /root/
[sudo] password for linuxteck:
Output:
total 48
dr-xr-x---. 5 root root 245 May 31 14:40 .
dr-xr-xr-x. 17 root root 224 May 22 09:01 ..
-rw-------. 1 root root 1865 May 22 09:03 anaconda-ks.cfg
-rw-------. 1 root root 2955 Jun 5 23:13 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
drwx------. 4 root root 31 May 22 09:06 .cache
drwx------. 4 root root 30 May 22 09:06 .config
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwx------. 3 root root 25 May 22 09:04 .dbus
-rw-r--r--. 1 root root 15264 Sep 18 2019 epel-release-latest-7.noarch.rpm
-rw-r--r--. 1 root root 1913 May 22 09:05 initial-setup-ks.cfg
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
2. How do you permit a particular user to run only specific commands with sudo?
In this example, we grant the user "john" permission to execute only a single command, "systemctl restart network", with sudo. For a better understanding, let's execute that command both without and with the sudo privilege.
(i) Without privilege:
$ sudo systemctl restart network
[sudo] password for john:
Output:
john is not in the sudoers file. This incident will be reported.
(ii) With privilege:
# visudo
john ALL = /usr/bin/systemctl restart network
Note: save the file, then run the same command again as john; it now runs without the sudoers error (a successful restart prints nothing):
$ sudo systemctl restart network
[sudo] password for john:
Note: to allow more than one command, list them separated by commas; always use the full path of each command so that the rule cannot be satisfied by a different binary of the same name:
john ALL = /usr/bin/systemctl restart network,/usr/bin/systemctl status network
3. How to permit users to run a command with sudo without a password check?
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart network,/usr/bin/systemctl status network
Note: NOPASSWD removes the password check that the warning above describes as one of sudo's safeguards, so restrict it to the specific commands (for example non-interactive scripts) that really need it rather than granting it for ALL.
4. How to change the default sudo password prompt timeout?
Note: by default sudo remembers a successful password check for 5 minutes; the timestamp_timeout option (a value in minutes) changes this for all users:
Defaults timestamp_timeout=15
Note: to change it for a single user only, qualify the Defaults line with that user's name:
Defaults:linuxteck timestamp_timeout=15
5. How to run a command as another user with the sudo prefix?
Note: the following entry allows the user "britto" to run the systemctl status command as the user "john"; the name in parentheses is the target user:
britto ALL = (john) /usr/bin/systemctl status network
Save and close the file using ':wq'.
$ sudo -u john systemctl status network
[sudo] password for britto:
Output:
● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
Active: active (exited) since Sun 2020-06-07 11:22:58 IST; 11h ago
Docs: man:systemd-sysv-generator(8)
Process: 5844 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 6016 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
Tasks: 0
6. How to create a custom log file for sudo?
Note: by default sudo logs each invocation through syslog; the following Defaults line additionally writes every invocation to a file of your choice:
Defaults logfile="/var/log/sudo.log"
Note: after a few sudo invocations, view the log:
# cat /var/log/sudo.log
Output:
Jun 7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
COMMAND=/bin/bash
Jun 7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
COMMAND=/bin/systemctl status network
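The log above is only useful if someone reads it, and sudo wraps long records onto an indented second line, so a naive per-line grep for COMMAND= loses the user name. The following POSIX shell helper is an added example, not code from the original article: it joins the wrapped lines, then prints one record per invocation and counts the denied ones. The function names and the sample log lines are my own constructions in the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original article: summarise records written by
# "Defaults logfile=...". sudo wraps long entries onto an indented continuation
# line, so the COMMAND= field often sits on the line after the user's name; a
# per-line grep would miss it. Records are joined first, then parsed.

# Constructed sample log (not real data) in the layout shown in the article.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
    COMMAND=/bin/bash
Jun  7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
    COMMAND=/bin/systemctl status network
Jun  7 23:57:21 : john : command not allowed ; TTY=pts/1 ; PWD=/home/john ;
    USER=root ; COMMAND=/bin/cat /etc/shadow
Jun  7 23:58:02 : britto : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/britto ;
    USER=root ; COMMAND=/bin/systemctl restart network
EOF

# Print one line per record: "<ok|DENIED> <invoking user> <target user> <command>".
sudo_log_summary() {
    awk '
        /^[ \t]/ { rec = rec $0; next }                # wrapped line: glue it on
        { if (rec != "") emit(rec); rec = $0 }         # a new record starts
        END { if (rec != "") emit(rec) }
        function emit(r,   f, who, target, cmd, status) {
            split(r, f, " : ")                         # timestamp : user : rest
            who = f[2]
            status = (r ~ /command not allowed|NOT in sudoers|incorrect password/) ? "DENIED" : "ok"
            target = "?"
            if (match(r, /USER=[^ ;]+/)) target = substr(r, RSTART + 5, RLENGTH - 5)
            cmd = r
            sub(/.*COMMAND=/, "", cmd)                 # keep the text after COMMAND=
            gsub(/[ \t]+/, " ", cmd)                   # collapse wrap whitespace
            print status, who, target, cmd
        }
    ' "$1"
}

# Number of denied invocations in the log: the figure worth alerting on.
sudo_log_denied_count() {
    sudo_log_summary "$1" | awk '/^DENIED / { n++ } END { print n + 0 }'
}

sudo_log_summary "$SAMPLE_LOG"
echo "denied: $(sudo_log_denied_count "$SAMPLE_LOG")"
```

Point the functions at /var/log/sudo.log (as root) to summarise a real log; the "DENIED" lines are the ones to review, since each is a user asking for a command their sudoers entry does not grant.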
How to use the sudo command in Linux
General syntax of the sudo command:
sudo [options] [command]
7. How to verify whether a user is a sudoer or not?
# sudo -l -U britto
Output:
User britto is not allowed to run sudo on centos.
# sudo -l -U john
Output:
Matching Defaults entries for john on centos:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User john may run the following commands on centos:
(ALL) NOPASSWD: /usr/bin/systemctl restart network, /usr/bin/systemctl status network
Note: the -ll option prints the matching sudoers entries in a longer, one-field-per-line format:
# sudo -ll -U john
Output:
User john may run the following commands on centos:
Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
/usr/bin/systemctl restart network
/usr/bin/systemctl status network
Thank you for taking the time to read! I hope this article helps you understand these 7 useful sudoers configurations for setting up 'sudo' in Linux. Drop me your feedback/comments. If you like this article, kindly share it so that it may help others as well.
A few sudo references are collected from this site
Thank you!
2 replies on “7 Useful steps to configure 'sudo' in Linux”
Hi,
check out opendoas too.
Certainly