7 Useful steps to configure 'sudo' in Linux


What is sudo in Linux Systems?

Sudo stands for SuperUserDo, which is a default utility on Unix-Linux based systems. In Linux, normal users are not allowed to execute administrative commands. With sudo, however, a regular user can be allowed to run any application or command as the root user, or specific users can be permitted only a few commands. Only users who have an entry in '/etc/sudoers' (the main configuration file for sudo) are granted permission to run commands with the sudo prefix.

WARNING:

Anyone who tries to use the sudo prefix without privileges will be notified with a message like "'this user' is not in the sudoers file. This incident will be reported."

Using the root account for day-to-day activities is quite dangerous, as it has full privileges to perform any action on the system. An accident such as a typo while executing a command can easily destroy the entire system, with no way to recover except re-installation. There are many risks like this, so it is better to avoid using the root account except in the specific situations that explicitly require it. It is therefore always recommended to use a normal account with sudo privileges instead of root. Sudo adds some extra security checks: when we execute an administrative command, it asks the user to authenticate, and the user has to enter his password to complete the execution.

In most Linux distros, we can grant the sudo privilege by simply adding users to the sudo group. The name of the sudo group in Redhat/Centos/Fedora is "wheel", which is mostly enabled by default. If it is not, edit the /etc/sudoers file using the 'visudo' command in the terminal, or access the file directly using 'vi' or 'vim'. Note that visudo checks the syntax of the file before saving it, which direct editing does not. The following three entries in the sudoers file each provide the privilege to use the sudo prefix.

## Allow root to run any commands anywhere
root             ALL=(ALL)                ALL

## It means the root user can execute all commands

## Allows people in group wheel to run all commands
%wheel             ALL=(ALL)              ALL

## It means all users that belong to the wheel group can execute all commands as root

## Allows a specific user to run all commands
username             ALL=(ALL)           ALL

## It means only the given user can execute all commands as root

Note:

Now, we can use the following command to add a user to the "wheel" group.
# usermod -aG wheel username

In this article, we will go through the steps of sudoers configuration on a Linux system. It will help desktop users, developers, and system admins. The steps in this guide were tested on RHEL and CentOS 7.8. You can use this guide for all versions of RHEL, CentOS, and Fedora, and it will be mostly identical for other distros.

Prerequisites :

Operating System : CentOS 7
Package : sudo
User account : root user or another account with sudo privileges
Access Point : Terminal Access / Command Line Interface

By default, all Linux distros come with the sudo package pre-installed. You can check whether the package is available on the system using either of the following options:

Option -A:  Open your terminal and simply type 'sudo' without quote and press enter.

# sudo

Output: If the sudo package is not installed on the system, the output looks like this:

-bash: /usr/bin/sudo: No such file or directory

If the package is available on the system, the result looks like this:


usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Option -B: To check the package by using yum or rpm utilities.

# yum list installed | grep sudo

OR

# rpm -qi sudo

Output:

 

libsss_sudo.x86_64                                       1.16.4-37.el7                          @anaconda
sudo.x86_64                                                    1.8.23-9.el7                             @base

Note:

In the above output, you can see that the sudo package was found on the system. If it is not, the command displays either a blank message or a "package sudo is not installed" message. To install the package, we can use the following 'yum' command. Yum is a very powerful Linux utility for package management.
# yum install sudo

Note:

In the first example, I will show you how to create a new user with sudo privileges on a freshly installed Linux system without modifying the sudoers file.
1. Find one of the following options, to create a new user with sudo privilege

Option - A:

(i) Use the following command to create a new user in Linux

# useradd linuxteck

 

# passwd linuxteck                                        (create a password)

(ii) Now we can add the new user (linuxteck) to the wheel group

# usermod -aG wheel linuxteck

OR

Option - B:

Instead of the above steps (i and ii), we can use the following single command to create a new sudo user. There are many methods to create a user in Linux.

# useradd -G wheel linuxteck

(iii) Now, we can use the 'id' command to get the user and group information of the newly created user (linuxteck)

# id linuxteck

Output:

 

uid=1005(linuxteck) gid=1005(linuxteck) groups=1005(linuxteck),10(wheel)

Note:

In the above output, you can see that the user (linuxteck) is a member of the "wheel" group. The important thing is that members of the wheel group can execute any command, just like the root user.

(iv) Now we can test the sudo prefix with the new user account. For that, we use the 'su' command to switch from root to the standard user (linuxteck) account, OR open a different terminal and log in as the new user. Here I will use the first option.

# su - linuxteck                                        ## To switch

$                                                       ## After switching

Note:

After switching to the standard user (linuxteck), we can test the 'sudo' prefix by executing a command. Here we are going to list all the files and folders of the /root directory. Only the root account has the authority to list the files and directories of the /root folder. In our case, the user (linuxteck) is already a member of the wheel group, so we are authorized to use the sudo prefix to execute the following command. As we know, executing a command with the sudo prefix asks the user to enter his password. Now we can use the following command (ls -la) to get the complete list of files and directories of the root account, including hidden files, in the long listing format. I believe (ls) is one of the very first commands you learn when you get into the shell or command prompt.
$ sudo ls -la /root/
[sudo] password for linuxteck:                                                   

Output:

 

total 48
dr-xr-x---. 5 root root 245 May 31 14:40 .
dr-xr-xr-x. 17 root root 224 May 22 09:01 ..
-rw-------. 1 root root 1865 May 22 09:03 anaconda-ks.cfg
-rw-------. 1 root root 2955 Jun 5 23:13 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
drwx------. 4 root root 31 May 22 09:06 .cache
drwx------. 4 root root 30 May 22 09:06 .config
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwx------. 3 root root 25 May 22 09:04 .dbus
-rw-r--r--. 1 root root 15264 Sep 18 2019 epel-release-latest-7.noarch.rpm
-rw-r--r--. 1 root root 1913 May 22 09:05 initial-setup-ks.cfg
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc

Note:

Always make sure that the user has been added to the relevant group and that you enter the correct user password when using the 'sudo' command.
2. How to permit a particular user to run/execute only specific commands as sudo?

Note:

In the above example, we added the user to a sudo group, which granted full access to execute all commands like the root account. Here we are going to allow a particular user to run only specific commands with the sudo prefix. This is done in the main sudo configuration file, '/etc/sudoers'.

In this example, we grant the user "john" permission to execute only a single command, "systemctl restart network", as sudo. For a better understanding, let's execute the same command with and without the sudo privilege.

(i) Without privilege:

$ sudo systemctl restart network
[sudo] password for john:

Output:

 

john is not in the sudoers file. This incident will be reported.

Note:

As the above output shows, the user has not been added to the sudoers file and cannot use the sudo prefix. Now add the following entry to /etc/sudoers using the 'visudo' command.

(ii) With privilege:

# visudo
john ALL = /usr/bin/systemctl restart network

Note:

Save and close the file using ‘:wq’, then execute the same command.
$ sudo systemctl restart network
[sudo] password for john:

Note:

The above command executed successfully without any error or warning. To allow multiple commands for a particular user, separate the commands with a comma (,) as below:
john ALL = /usr/bin/systemctl restart network,/usr/bin/systemctl status network
3. How to permit users to run/execute a command using sudo without a password check?

john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart network,/usr/bin/systemctl status network

Note:

Normally, when you execute a sudo command for the first time, it asks the user to enter his password to complete the execution. By default, the sudo password is cached for the next 5 minutes. Any execution within those 5 minutes does not require the password, but after the cached period you need to enter it again. However, this can be overridden and password authentication disabled by using NOPASSWD in the sudoers file, as in the entry above.
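An added example, not code from the original article: a small shell function that reviews sudoers-style rules and reports the two broad grants this guide uses, access to ALL commands and NOPASSWD. The function name audit_sudoers and the sample rules are assumptions, constructed in the style of the entries shown in this guide.

```shell
#!/usr/bin/env bash
# Added example: review sudoers-style rules for broad grants.
# audit_sudoers is a hypothetical helper, not a sudo tool. It reads rules on
# stdin and prints "<who>: <finding>" lines. It does not follow #include
# directives or expand aliases.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    $1 ~ /^Defaults([:@!>]|$)/ { next }      # option lines, not grants
    $1 ~ /_Alias$/ { next }                  # alias definitions
    {
      who  = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)         # keep "(runas) TAG: commands"
      nopass = (spec ~ /NOPASSWD:/)
      gsub(/\([^)]*\)/, "", spec)            # drop the (runas) part
      gsub(/[A-Z_]+:/, "", spec)             # drop tags such as NOPASSWD:
      gsub(/^[ \t]+|[ \t]+$/, "", spec)
      if (spec == "ALL") print who ": may run ALL commands"
      if (nopass)        print who ": NOPASSWD, no password check"
    }'
}

# Constructed sample, written in the style of the entries in this guide.
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart network,/usr/bin/systemctl status network
britto ALL = (john) /usr/bin/systemctl status network
Defaults env_reset'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real system the same function can be fed the output of 'cat /etc/sudoers' run as root; rules limited to named commands with a password check produce no finding.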
4. How to modify the default sudo password prompt timeout?

Note:

By default, sudo caches the password for only five minutes. This can be changed with the "timestamp_timeout" option in the sudoers file. In this example, we set the timeout to 15 minutes. It applies globally, to all sudo users.
Defaults timestamp_timeout=15

Note:

We can add the following entry to set the timestamp_timeout for a particular user. To always require the password check, set the value to 0 (zero).
Defaults:linuxteck timestamp_timeout=15
5. How to run the command as another user with sudo prefix?

Note:

Here we are going to allow a user to run a command as another user without sharing passwords. To do so, add the following entry to the /etc/sudoers file. In this example, the user "britto" will execute a particular command as the user john, using britto's own password.
britto ALL = (john) /usr/bin/systemctl status network

Save and close the file using ‘:wq’

$ sudo -u john systemctl status network
[sudo] password for britto:

Output:

 

● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
Active: active (exited) since Sun 2020-06-07 11:22:58 IST; 11h ago
Docs: man:systemd-sysv-generator(8)
Process: 5844 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 6016 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
Tasks: 0

6. How to create a customised log file for sudo?

Note:

Just add the following entry to the sudoers file to achieve this task

Defaults logfile="/var/log/sudo.log"

Note:

Now we can use the following command to view all the logs related to the sudo command. It shows the history of who did what.

# cat /var/log/sudo.log

Output:

 

Jun 7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
COMMAND=/bin/bash
Jun 7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
COMMAND=/bin/systemctl status network
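
An added example, not code from the original article: entries in this log format wrap onto a second line, so the function below joins them and reports the entries where the command is an interactive shell, after which sudo no longer records the individual commands that were run. The function name sudo_shell_events and the list of shell names are assumptions; the sample log is constructed from the output above.

```shell
#!/usr/bin/env bash
# Added example: report root shells from a sudo logfile in the format above.
# sudo_shell_events is a hypothetical helper name, not a sudo tool. It prints
# "<invoking user> -> <target user>: <command>" for every entry whose command
# is an interactive shell.
sudo_shell_events() {
  awk '
    { sub(/[ \t\r]+$/, "") }                 # trim trailing whitespace
    /^$/ { next }
    # A new entry starts with a timestamp: "Jun  7 23:54:45 : user : ..."
    /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ : / {
      if (entry != "") report(entry)
      entry = $0
      next
    }
    { sub(/^[ \t]+/, ""); entry = entry " " $0 }   # wrapped continuation
    END { if (entry != "") report(entry) }

    function report(e,    n, f, i, p, user, runas, cmd) {
      n = split(e, f, / [:;] /)
      user = f[2]; runas = ""; cmd = ""
      for (i = 3; i <= n; i++)
        if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
      p = index(e, "COMMAND=")               # command may itself contain ";"
      if (p > 0) cmd = substr(e, p + 8)
      if (cmd ~ /^\/(usr\/)?bin\/(ba|da|k|z)?sh( |$)/)
        print user " -> " runas ": " cmd
    }'
}

# Constructed sample, copied from the log output shown above.
SAMPLE_LOG='Jun  7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
    COMMAND=/bin/bash
Jun  7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
    COMMAND=/bin/systemctl status network'

printf '%s\n' "$SAMPLE_LOG" | sudo_shell_events
```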

How can we use sudo command in Linux

The Global Syntax of sudo command in Linux:

sudo [options] [command]

Note:

The sudo command comes with many possible options, but in regular use it is mostly run without any option unless there is a specific requirement. However, I have added the most used options.
7. How to verify if a user belongs to sudoer or not?

# sudo -l -U britto

Output:

 

User britto is not allowed to run sudo on centos.

Note:

Here you can see the user britto is not allowed to run any sudo commands

# sudo -l -U john

Output:

 

Matching Defaults entries for john on centos:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

 

User john may run the following commands on centos:
(ALL) NOPASSWD: /usr/bin/systemctl restart network, /usr/bin/systemctl status network

Note:

If you get output like the above, it means this user is permitted to use the sudo command, and you can also see the commands that the user can run with the sudo prefix. If there are several entries in this list, it is better to use the long listing format, as in the example below.

# sudo -ll -U john

Output:

 

User john may run the following commands on centos:

 

Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
/usr/bin/systemctl restart network
/usr/bin/systemctl status network

Thank you for taking the time to read! I hope this article will help you to understand the 7 useful sudoers configuration for setting 'sudo' in Linux. Drop me your feedback/comments. If you like this article, kindly share it and it may help others as well.

A few sudo references were collected from this site

Thank you!
