Linux 101: Introduction to sudo

64327

There are two ways to run administrative applications in Linux. You can either switch to the super user (root) with the su command, or you can take advantage of sudo. How you do this will depend upon which distribution you use. Some distributions enable the root user (such as Fedora, Red Hat, openSuSE), while some do not (such as Ubuntu and Debian). There are pros and cons for each.

Sudo stands for either “substitute user do” or “super user do” (depending upon how you want to look at it). What sudo does is incredibly important and crucial to many Linux distributions. Effectively, sudo allows a user to run a program as another user (most often the root user). There are many that think sudo is the best way to achieve “best practice security” on Linux. There are some, however, that feel quite the opposite.  Regardless of where you stand, and what distribution you are currently using, there will come a time when you will have to take advantage of sudo. Whether you will need to simply use sudo or you will have to configure sudo you will want to know the ins and outs of this powerful tool.

In this article I am going to introduce you to sudo…a little history, a little use, and a little configuration. In the end you should feel as at home with sudo as you do with su.

History of sudo

Sudo found its beginnings in 1980 at the department of computer science SUNY/Buffalo (created by Bob Coggeshall and Cliff Spencer). Since it’s first inception, sudo has been re-iterated numerous time (adding new features and changing developers). At one point, around 1994, sudo was being developed by Todd Miller at the Colorado University in Boulder, CO and an unofficial “fork” of sudo was released called “CU sudo”. This “fork” added support for more distributions as well as numerous bug fixes. This “CU” prefix was finally dropped in 1999 and what was “CU sudo” is now the version of sudo we use today. The original sudo has not had a release since 1991. So the “fork” won and is still developed by Todd Miller.

Now that you have had a bit of a history lesson, let’s take a look and see how sudo is used.

Difference Between sudo and su

If you are accustomed to a more traditional Linux setup, then you are used to using the su command to gain root privileges. You can even issue the command su – to effectively log in as the root (root’s home becomes your home). With these types of distributions you can also log in as the root user. To many (including myself) this is a bad idea. NEVER log in as the root user. If you are using a distribution that relies on su and allows root user log in, log in as your standard user and su to the root user.

Now with sudo-based distributions you will most likely notice that you can not log in as a root user. In fact, in distributions such as Ubuntu, the root user account has been “disabled.” You cannot log in as root and you cannot su to become the root user. All you can do is issue commands with the help of sudo to gain administrative privileges.

Usage

Using sudo, in its most basic form, is simple. Say you have to run the dpkg to install a piece of software. If, as your standard user, you just issue the command dpkg -i software.deb you will receive an error warning you that the user does not have proper permissions to execute the command. That is because standard users, by default, cannot install applications on a Linux machine. In order to successfully install an application on a Linux machine you have to have super user privileges. So, to change that command so that you can successfully run the installation, you would instead issue the command sudo dpkg -i software.deb.

Configuration

Now let’s take a look at the configuration of sudo. I will give you a word of warning: If you mis-configure your /etc/sudoers file, you can damage your installation (at which point you will have to log boot in rescue mode). Sudo is VERY particular about syntax in the configuration file. So always double check your configurations before you save your file. Fortunately there is only one file you need to concern yourself with and that is /etc/sudoers. You may notice that, even in order to view the /etc/sudoers file you have to use the sudo command. This file will seem very simple…it is once you understand the layout and the function.

To make changes to the sudo configuration file you need to use a specific command – sudo visudo. When you open up this file you will notice that the sudoers file is fairly small in size. There really isn’t much to it, but what there is to it is key. Let’s take a look at how to add a user to the sudoers file.

The basic entry for a user looks like this:

user hostlist = (userlist) commandlist

Typically you will find an entry like this:

root  ALL=(ALL) ALL

Which indicates that the user root on all hosts using any user can run all commands. Fairly straight-forward. But let’s say you want to allow a single user access to one administrative command without having to enter a password. Let’s use the command dpkg (not wise, but an easy means of illustration) and allow the user mary to issue those commands without having to issue a password. To do this you would add a line similar to this:

mary ALL = NOPASSWD: /usr/sbin/synaptic

to the /etc/sudoers file. Now the user mary can run synaptic by entering sudo synaptic but will not be prompted for a password. This is handy on a single-user system but should be used with caution. You do not want to allow just any command to be run sans password or you open yourself to all sorts of vulnerabilities.

Now, let’s say you want to prevent certain users from using sudo. You can do this as well. If you have one user that is to be administrator of a machine, say bethany, and all other users should be uses without admin privileges, you can do this a couple of ways. The first (and less desirable method) is to do the following:

Add an entry for bethany like so:

bethany ALL=(ALL) ALL

And now comment out the entry:

%admin ALL=(ALL) ALL

by adding a “#” character at the beginning of the line.

At this point the only user on the system that will be able to run administrative commands is bethany. Now this can cause issues if you have certain applications that must run with administrative privileges and are allowed such privileges by being a member of the admin group. You can avoid this issue by simply opening up the Users administrative tool and removing all users, except for those you want to be allowed to have admin rights from the admin group. Let’s stick with our example. You want all users other than bethany to have restricted access to run administrative commands and tools. To do this, follow these steps:

  1. Open up the User administrator.

  2. Go to the Groups manager.

  3. Select the admin group.

  4. Click properties.

  5. Uncheck all users but bethany from the list.

  6. Close the Groups manager and the User administrator.

Now only the user bethany will have administrative rights on the machine.

Final Thoughts

Although this has mostly been an introductory look at sudo, you should have a firm grasp on how this tool works and how powerful it is. For further reading on sudo, issue the command man sudo, which will open up the manual page for the sudo command. Just remember, use caution when editing your /etc/sudoers file or you can wind up having to reboot in rescue mode to save your system.