A very useful application for Linux and BSD systems is the sudo application. It allows a user to execute a root task without being logged in as root. There are some security concerns when it is not configured correctly. Fortunately most distributions have this enabled only for the ‘sudo’ usergroup. But in some cases you want sudo to fit into your existing environment, instead of having to change your environment to suit sudo.
How does it work?
If you are logged in as a regular user and want to execute a root task, simply enter ‘sudo’ followed by the command, or ‘sudo -s’ to open a root shell. Here are some examples:
sudo apt-get update
sudo cat /etc/passwd
When entering the command, it asks for YOUR password. So you can perform root tasks without knowing the root password. You can even change the root password this way!
If your account is not allowed to use ‘sudo’, you’ll simply get the following error message after entering the password:
user is not in the sudoers file. This incident will be reported.
How to configure sudo
Sudo is configured by editing the ‘sudoers’ file. You can edit it by simply entering the following command:
visudo
In some cases it might open in a different editor than you are used to, ‘vi’ for example. I prefer the ‘nano’ text editor. Assuming you’ve installed it, you can find its location with ease:
whereis nano
It is usually located in /bin. To edit the ‘sudoers’ file in nano, enter these two commands:
export EDITOR=/bin/nano
visudo
If you prefer a different editor, specify its location instead.
To save the configuration, simply save your changes and exit the editor. In case of ‘nano’ this is done by pressing CTRL + X.
The default ‘sudoers’ configuration file will look similar to this:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
The part you have to pay attention to is the ALL=(ALL) ALL lines. These specify who gets access. You can add an entry for each user, or for each usergroup by putting a %-sign in front of the group name. Delete all of those lines, but keep the lines starting with ‘Defaults’.
Close the editor now, saving changes.
We are going to use a usergroup whose members will be able to use ‘sudo’. If you have already created such a group and added the users to it, you can skip this part.
In this example I will create a usergroup called ‘admins’:
groupadd admins
Now add the users that should be able to use ‘sudo’ to that group. First I get the list of usergroups for this user:
Now set the membership of the ‘admins’ group to the primary group:
usermod -G admins roy
If you have any other groups to assign, list them all after -G, separated by commas, and use this instead:
usermod -G admins,group1,group2 roy
Note: Some distributions switch the function of -G and -g, refer to the man page of your distribution:
Now we will configure sudo to only accept sudo logins from the ‘admins’ group.
Assuming that you have cleared all lines except for the ‘Defaults’ lines, add this line to allow the ‘admins’ group to use sudo:
%admins ALL=(ALL) ALL
Now save the file and close the editor. The settings have now been saved.
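As an added example (not part of the original article), here is a small POSIX shell audit helper that lists every privilege specification in a sudoers file, expands %group entries through an /etc/group-style file, and flags the ALL=(ALL) ALL entries the text says to watch. The sample sudoers and group files, the names SAMPLE_SUDOERS and SAMPLE_GROUP, and the users bob and carol are constructed for the demo.

```shell
# Added audit helper for the sudoers/group setup described above.
# sudo_grants <sudoers-file> <group-file>
# Prints one line per privilege specification: "<principal> <users> <host=(runas) cmd>".
# Note: '#includedir /etc/sudoers.d' is dropped together with the comments, so
# drop-in files in that directory are not covered by this helper.
sudo_grants() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
      | grep -Ev '^[[:space:]]*(Defaults|(User|Host|Cmnd|Runas)_Alias)' \
      | while read -r who spec; do
          case $who in
            %*) # group entry: members are the 4th colon-separated field of /etc/group
                members=$(awk -F: -v g="${who#%}" '$1==g {print $4}' "$2")
                printf '%s %s %s\n' "$who" "${members:-<none>}" "$spec" ;;
            *)  printf '%s %s %s\n' "$who" "$who" "$spec" ;;
          esac
        done
}
# Principals allowed to run any command as any user: "ALL=(ALL) ALL"
# (or the "ALL=(ALL:ALL) ALL" form some distributions ship).
all_powerful() {
    sudo_grants "$1" "$2" \
      | awk 'NF==4 && ($3=="ALL=(ALL)" || $3=="ALL=(ALL:ALL)") && $4=="ALL" {print $1}'
}
# Comma-separated, de-duplicated list of every account with any sudo grant.
effective_users() {
    sudo_grants "$1" "$2" | awk '$2!="<none>" {print $2}' \
      | tr ',' '\n' | sort -u | tr '\n' ',' | sed 's/,$//'
}
# --- constructed sample files (made up for this demo) ---
SAMPLE_SUDOERS=$(mktemp)
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%sudo   ALL=(ALL) ALL
%admins ALL=(ALL) ALL
bob     ALL=(ALL) ALL
carol   ALL=(root) /usr/bin/apt-get update
#includedir /etc/sudoers.d
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:
admins:x:1001:roy,alice
EOF
echo "Unrestricted principals:"; all_powerful "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
echo "Accounts with any grant: $(effective_users "$SAMPLE_SUDOERS" "$SAMPLE_GROUP")"
```

Run it against your real /etc/sudoers and /etc/group after editing to confirm that only the ‘admins’ group (and root) still carry an ALL=(ALL) ALL entry.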
Q. I am getting a command not found when entering the sudo command.
A. Sudo is not installed.
Q. I am getting a command not found when entering the ‘groupadd’ or ‘usermod’ command.
A. Enter the commands as /usr/sbin/groupadd and /usr/sbin/usermod. If these also fail, use the ‘whereis’ command to look for the location of these programs.
Just like I said before, ‘sudo’ is a very powerful tool. Always keep in mind that a chain is only as strong as its weakest link. Always make sure that each user with access to ‘sudo’ has a strong password. And if users have SSH keys to log in remotely without a password, have them safeguard those keys at all costs!