: Discover Excellence

The Path To Discover Excellence.

Tuesday, 13 March 2018

Run commands as root with sudo

 Introduction –

Linux follows the very tough permission model. A root user can do anything but normal user has no permissions. To run any command, they need to ask for permissions from the superuser. The easy and common way to grant administrative privileges to non-root users is, a user can use su command and temporarily become the root but users must know the root’s password. In corporate world this is very dangerous because all the privileges of root are granted to any user, who can do anything. For Example –

[userA@rhel7 ~]$ su -

It’s asking for the password of superuser.

To overcome above mentioned risk, sudo command comes in trend. It allows a user to run a command as a root or as any other user after providing the user’s own password for authentication. These information are defined in the /etc/sudoers file. Before describing “sudo” command I want to talk a bit about visudo

What is visudo –
visudo is a command to edit configuration file for sudo command located at /etc/sudoers.You should not edit this file directly with normal editor, always use visudo for safety and security. Eiditing /etc/sudoers file requires superuser’s privileges.

visudo command cannot allow to edit /etc/sudoers file simultaneously by just locking the file and if someone tries to access the same it will get a message to try later.

[root@rhel7 ~]# visudo
visudo: /etc/sudoers busy, try again later

It also checks the syntax of edits and provide basic sanity checks which are very helpful. If it identifies any error, then visudo won’t allow to save the file with edits.

Set rules in sudoers file –
A common question arises in everyone’s mind, how we define the rules in sudoers file? So, before editing it’s better to understand the existing configuration which defines which users can run what software on which machines. Syntax of pre-defined rule is given below –

root    ALL=(ALL:ALL) ALL

This allows root to run any command anywhere.Meaning of this line is –

username    hosts=(users:groups)    commands

ALL means, the user can run all commands on all hosts, as all users and groups. So, root has all the privileges to run any command as any user or group.

Let considered an example and provide ALL power to userA as root.

userA   ALL=(ALL:ALL)   ALL

If you wish to use command without password then use PASSWD parameter –


In below example userA only start, stop and restart the “httpd” service

userA   ALL=(root)      /usr/bin/systemctl, /usr/sbin/httpd start stop restart

User can check wether the command is working or not. Then follow the below procedure to check –

[root@rhel7 ~]# su - userA
Last login: Thu Sep 13 15:01:18 EDT 2018 on pts/0
[userA@rhel7 ~]$ sudo -u root systemctl stop httpd
[sudo] password for userA:
[userA@rhel7 ~]$

Note – We can also use vim with visudo.

export VISUAL=vim; visudo

Using nano with visudo

export VISUAL=nano; visudo

Assign privileges to a group –
You can asign similar privileges to multiple users just by making a group them. There is one predefined group is in sudoers file. Members of this group can use sudo to run any commands as any user, including superuser. We can add users to this group. It is normally configured like –

%wheel  ALL=(ALL)       ALL

Use command to add user in wheel group –

usermod -aG wheel username

No comments:

Post a comment