Linux has a robust permissions system. This is a very good thing, as it enables a clear separation of roles among users, especially between the root user and your average user. Sometimes, though, you might want your average user to have some or all of root’s privileges. In Linux, this is accomplished with sudo.
Just How Would I Use sudo Anyway?
In most cases, one simply adds “sudo” in front of a command that needs root privileges. For example, a normal user (here called “example”) is not ordinarily able to restart services from the command line:
firstname.lastname@example.org [~]# /etc/init.d/httpd restart
/etc/init.d/httpd: line 15: ulimit: open files: cannot modify limit: Operation not permitted
/etc/init.d/httpd: line 16: ulimit: open files: cannot modify limit: Operation not permitted
/etc/init.d/httpd: line 17: ulimit: open files: cannot modify limit: Operation not permitted
httpd: Could not open configuration file /usr/local/apache/conf/httpd.conf: Permission denied
If the user had sufficient sudo privileges, he would be able to do so like this:
email@example.com [~]# sudo /etc/init.d/httpd restart
So How Do I Give a User sudo Access?
In order to give an average user sudo access, you must run the following command as root:
root@host [~]# visudo
This will open the sudoers file in the vi editor. In order to give the user full root privileges, add the following line to the file:
example ALL=(ALL) ALL
If you only want a user to run certain commands as root, you can create a command alias in your sudoers file, like so:
User_Alias ADMINS = example
Cmnd_Alias HTTPD = /etc/init.d/httpd
ADMINS ALL = HTTPD
User_Alias creates a group of users that you can then assign command aliases to. (Additional users can be listed on the same line, separated by commas.) Cmnd_Alias then lists the various commands that the users of that Alias can run. The user alias is then assigned the command alias. The example user is now able to run the apache init script with full root privileges, which allows him to start, stop, and restart apache.
With this configuration, the user will have to type in his own password when he wishes to run sudo. If you don’t need the user to type a password every time he runs a sudo command, just replace the last line of the above with:
ADMINS ALL = NOPASSWD: HTTPD
This should get you started applying sudo privileges to your users. If you have more detailed needs, the man page for sudo is thorough and readable. The sudoers file has a separate man page that details all the configuration options.
Tagged with: command line • linux • permissions • server • users