How to Set Up and Manage Sudo Permissions

Reading Time: 7 minutes

What Is Sudo?

sudo-sudoers

credit to: XKCD

Sudo is a Linux program meant to allow a user to use root privileges for a limited timeframe to users and log root activity.  The basic thought is to give as few privileges as possible to a user while allowing  the user to accomplish a task. The term “Sudo” means substitute user, and do. It is a program used for managing of user permission based on a system configuration file. It allows users to run programs with the privileges of another user, by default, the superuser. The program is supplied for most UNIX and Linux-based operating systems.

Syntax

The sudo command is most often called like so.

[root@host ~]# sudo <command>

Security 

Many experts state that we should not work with elevated root privileges in a default manner. This is due to possible security and error related issues which can occur when using this elevated permission level. Because the root user has full access to create, modify or delete settings, files and folders, any mistake committed by the root user will have global repercussions. 

Many think that the sudo command deals with access restriction, but the opposite is true. Sudo allows us to run commands and programs with elevated or superuser privileges (as root). Through the use of the sudo configuration, programs and commands themselves are configured for a specific user. Compared to windows, sudo similar to utilizing the `run as’ option. Also, we need to note that under certain conditions, it is possible to run programs or commands with the privileges of anyone specified in that users’ configuration.

In Ubuntu, the sudo command is always set up by default, as there is no root password until we create one. The initial user (that was created during installation) can do anything through sudo as they will be acting as the root user. The developers of Ubuntu purposely created this system in this way so that new users can begin using correct security practices when working with servers.

Installation

The sudo program is installed by default in almost all Linux distributions. The distributions which do not are Arch Linux, Gentoo, and the BSD family of distros.

If we need to install sudo in Debian/Ubuntu, we would use the following command.

apt-get install sudo

If we need to install sudo in CentOS, we would use this command.

yum install sudo

Configuration

Sudo

The sudo.conf file contains information to configure the sudo front-end. It contains plugin variables related to the security policy and logging options.

Here is a sample sudo.conf file.

#
# Sample /etc/sudo.conf file
#
# Format:
#   Plugin plugin_name plugin_path plugin_options ...
#   Path askpass /path/to/askpass
#   Path noexec /path/to/sudo_noexec.so
#   Debug sudo /var/log/sudo_debug all@warn
#   Set disable_coredump true
#
# Sudo plugins:
#
# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
#   that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so

#
# Sudo askpass:
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support.  Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass

Plugins

The sudo configuration also supports the use of plugins which can increase its functionality if needed without altering the original sudo functionality. Users can create third-party plugins that allow for specific needs to be met. 

Logging

We can add a variable in the /etc/sudo.conf file which will log all the user interactions to a file or other outputs. Sudo logging is broken down into 4 parts. 

  • Debug
  • Program
  • Log file location
  • Subsystem and level

We can configure logging to include the following information.

  • To log what sudo did – /var/log/auth.log
  • To debug any issues with sudo – /var/log/sudo_debug
  • To capture a full sudo session – /var/log/sudo-io

To configure this option, we would add the following parameter.

Defaults log_host, log_year, logfile="/var/log/sudo.log"

By default, the sudo logs are written to the syslog file. Additionally, we can specify where the logging output will be sent. 

Defaults log_input, log_output

This parameter tells sudo to write the text of the user’s session. There is a command log, messages of standard input/output channels (stdin, stderr, stdout), and a log with tty/pty.

Debug

This option can be set to capture issues when certain events occur. 

Other Settings

Sudo can enable additional settings such as:

  • Disable_coredump
  • Developer_mode
  • Group_source

To name a few.

Sudoers

After sudo is installed, we would begin by editing the configuration file, which is located here.

/etc/sudoers

Originally, all the programs default settings were included within a single sudoers file. Later, the program developers added the option to use include statements, which allowed for the option to maintain a default or base sudoer file, while permitting the additional integration of more granular configurations into the main sudoers file. The main configuration for the sudo command is located in the /etc/sudoers file. Within this file are individual variables or configurations that define how commands can be accessed by certain users or groups. Additional configurations can be stored in the /etc/sudoers.d directory. Configuration files located within the sudoers.d directory are included in the sudoers file utilizing the 

#includedir /etc/sudoers.d 

variable. We can create a configuration for a user or group of users within the /etc/sudoers.d directory which would be regarded as part of the sudoer file.

File Structure

Let’s open the /etc/sudoers file to see what is included there. We will review the file using our nano editor. In ubuntu, the default file contains the following information.

[root@host ~]# nano /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

There are a wide range of parameters and configurations which can be added, but we will try to focus on the most relevant ones so that we have a solid understanding of how this system works. It should be noted that if edits to the file need to be made, the ‘visudo’ command should be used. Additionally, the format of the sudoers file MUST be syntactically correct in order for the program to function.

Defaults

In the sudoers file, there are sections which begin with ‘Defaults’. These are the preselected variables where no alternative is specified by the program. These settings are common to all users. 

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

Defaults env_reset: This setting causes commands to be executed with a new, minimal environment.

Defaults mail_badpass: This setting send mail to the mailto user if the user running sudo does not enter the correct password.

Default secure_path: This setting indicates the ‘Path’ to be used for every command run from sudo. If we do not explicitly trust the users running sudo, we can use this variable to have an alternate PATH environment variable which limits.

Aliases

There are four types of alias specifications used in the configuration.

# Host alias specification
# User privilege specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
  • Host_Alias –  A list of hostname, ip addresses, networks or netgroups
  • User_Alias – This option specifies a group of users
  • Cmnd_Alias – A list or group of commands and directories This alias will include any file within a defined directory, but not in any subdirectories
  • Runas_Alias – This alias is nearly the same as user aliases, but we can specify users by uid’s

The main option we should be concerned with is the following parameter.

# User privilege specification
  root   ALL=(ALL:ALL) ALL

To better define this setting we will explain further.

  • The first ALL is the users allowed to use the sudo command. 
  • The second ALL defines the hosts (servers) on which sudo can be employed. 
  • The third ALL is the user you are running the command as.
  • The last ALL defines the commands allowed.

This option indicates that any user can execute a command from any terminal, acting as ALL (or any) user, and run can run any or ALL commands.

To run commands through sudo, the user will need to enter a password. This creates a sudo user session where the password won’t be requested again for X minutes. The session lifetime is set by the server administrator through the sudo configuration. If a user needs to log off or end the sudo session, they can use the following command.

[root@host ~]# sudo -k

15 Sudo Examples

Here are a few sudo examples you can use.


Reboot the system.

[bob@host ~]# sudo shutdown -r now

List the files in the user bob’s public_html folder.

[bob@host ~]# sudo -u bob ls /home/bob/public_html

Revalidates or extends the timeframe of the current users sudo session.

[bob@host ~]# sudo -v

The -k flag (kill) essentially ends the sudo session for that user. 

[bob@host ~]# sudo -k

After opening and editing a file as a user in vim, using this sudo command in vim saves the file as the root user without losing our changes,

[bob@host ~]# vim /etc/file.conf

:w !sudo tee %

Run the 251st command in our history file as root.

[bob@host ~]# sudo !251

Did you forget to run the last command as root? Rerun it again easily using the following command.

[bob@host ~]# sudo !!

Reads a protected file.

[bob@host ~]# sudo cat /etc/passwd

Append a repo to our /etc/apt/sources.list

[bob@host ~]# sudo sh -c 'echo "deb http://us.archive.ubuntu.com/ubuntu/ focal universe" >> /etc/apt/sources.list'

Make a backup copy of our /etc/apt/sources.list.

[bob@host ~]# sudo cp /etc/apt/sources.list /etc/apt/sources.list.bk

List which files have been modified in the last 60 minutes

[bob@host ~]# sudo find / -mmin 60 -type f

Limit the amount of cpu usage for a process

[bob@host ~]# sudo cpulimit -p pid -l 50

Set an immutable flag on a file.

[bob@host ~]# sudo chattr +i <file>

Use sudo to run multiple commands.

[bob@host ~]# sudo -s <<< 'apt update -y && apt upgrade -y'

Switch to superuser account.

[bob@host ~]# sudo su

Conclusion

In this tutorial, we have learned what sudo is, how it is configured, and reviewed how it distributes specific rights to users.

Would you like to learn more about the available on your server? Give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable technical support specialists or an experienced systems administrator today!

Author Bio

About the Author: Ellen Sletton

I'm 23 years old Linux Tech who always takes NO as Next Opportunity. Every day I'm trying to learn something new and share my knowledge with others. My free time I spend with my dog Emil or doing some UI/UX design or simply making an inspiring photo for my blog :)

Sharing knowledge helps me generate new ideas and stay motivated.

Refer a friend and get a $50 hosting credit!