sudo: Options and Configuration

sudo configurationIn order to use sudo, the user must have already supplied a username and password. If a user attempts to run the command via sudo and that user is not in the sudoers file (at /etc/sudoers), an e-mail is automatically sent to the administrator, indicating that an unauthorized user is accessing the system.

Once a user logs in to sudo, a ticket is issued that is valid by default for five minutes. A user can update the ticket by issuing the -v falg, which will validate the ticket for another five minutes. To do this, type the following:

sudo -v

If an unauthorized user runs the -v flag, an e-mail will not be sent to the administrator. The -v flag informs the unauthorized user that they are not a valid user. If the user enters a command via sudo anyway, an e-mail will then be sent to the administrator.


sudo logs login attempts, successful and unsuccessful, to the syslog file by default. However, this can be changed during sudo configuration. sudo also has several command line options, such as the following:

  • -V: Version; prints version number and exits
  • -l: List; lists the commands that are allowed and denied by the current user
  • -h: Help; prints usage message and exits
  • -v: Validate; updates the user’s ticket for a configured amount of time (the default is five minutes). If required, the user must re-enter the user password to update the ticket
  • -k: Kill; expires the user’s ticket. Completing this option requires the user to re-enter the user password to update the ticket
  • -K: Sure kill; removes the user’s ticket entirely. User must log in with username and password after running this option
  • -u: User; runs the specific command as the username specified. The user specified can be any user except root. If you want to enter a uid, enter #uid instead of the username

Configuring sudo

To configure sudo, you must edit the /etc/sudoers file. The sudoers file defines which users are allowed to execute what commands. Only the root user is allowed to edit the file, and it must be edited with the visudo command. By default, the visudo command opens the sudoers file in the vi text editor. The vi commands are used to edit and write the file. You can change the default text editor used by visudo using the compile time option. Visudo uses the EDITOR environment variable. The visudo command performs the following tasks when editing the sudoers file:

  • Visudo will not save any changes if a syntax error exists. It will state the line number of the error and prompt you for guidance.
  • If you attempt to run visudo while the sudoers file is being edited, you will receive an error message telling you to try again at a later time.

The sudoers file consists of two different types of entries, user specifications and aliases. The following examples show you to use user specifications, which define which user is allowed to run what commands. Aliases are basically variables.


style=”display:inline-block;width:180px;height:90px”
data-ad-client=”ca-pub-8834983181171783″
data-ad-slot=”8138242896″>
//

The sudoers file contains a root entry. The user privilege specification is listed as:

root ALL=(ALL) ALL

This configuration allows the root user to issue all commands. To allow other users to run commands as root, you must enter those users in the sudoers file. You must also list the host on which they are allowed to run the commands. Finally, you must list the specific commands that those users are allowed to run as root. As an example, imagine we have a user called chris and we want to allow him to run some commands as root.

First, we open the sudoers file using the visudo command. The sudoers file will now open in vi. Locate the “User privileges specification” section. After the root entry, enter the following:

chris your-hostname = /sbin/ifconfig, /bin/kill, /bin/ls

[This will allow user chris to run the ifconfig, kill and ls commands as root. NOTE: Depending on your implementation of Linux/Unix, you may have to add your default shell to the list of commands user chris can execute as root; e.g. /bin/bash.] Press ESC, then enter wq at the to write and quit the file. Now, if you have not already, you have to create user chris. To do this, enter:

useradd chris

To create a password of user chris, enter:

passwd chris

Then enter the password when prompted. Now, you should have a user chris on your system that can run ifconfig, kill and ls as root.


External links:

The sudo project page

Be Sociable, Share!

Speak Your Mind

*

© 2013 David Zientara. All rights reserved. Privacy Policy