How sudo works in Linux and why it replaces root access

10.12.2025 12 minutes Author: Lady Liberty

Sudo is one of the basic Linux tools for controlling access and executing system commands. This article looks at its role in everyday work with the system and at its approach to privilege separation, without going into excessive detail or drawing premature conclusions.

Using the sudo command in Linux

The sudo command (substitute user and do) allows strictly specified users to execute specified programs with administrative privileges without entering the root superuser password. To be more precise, the sudo command allows you to execute programs on behalf of any user, but if the identifier or name of this user is not specified, then execution is assumed on behalf of the root superuser. Thus, using sudo allows ordinary users to execute privileged commands without having to enter the root superuser password. The list of users and the list of their rights to system resources can be configured in the optimal way to ensure comfortable and secure work. For example, the sudo command in Ubuntu Linux is used in a mode that allows you to perform any system administration tasks without interactively logging in as the root account.

The sudo settings are quite simple, and nevertheless, they allow you to implement a flexible system for distributing the powers of individual users in a multi-user environment.

The sudo command line can be used in the following formats:

sudo -h | -K | -k | -V

sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]

sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]

sudo [-AbEHknPS] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i | -s] [command]

sudo -e [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-u user] file

Command line options:

  • -A, --askpass – use a helper program to read the password

  • -b, --background – run the command in the background

  • -C, --close-from=num – close all file descriptors >= num

  • -E, --preserve-env – preserve the user's environment when running the command

  • -e, --edit – edit files instead of running a command

  • -g, --group=group – run the command as the specified group name or ID

  • -H, --set-home – set the HOME variable to the target user's home directory

  • -h, --host=host – run the command on the specified host (if supported by the policy plugin)

  • -i, --login – start a login shell as the target user; a command may also be specified

  • -K, --remove-timestamp – remove the timestamp file completely

  • -k, --reset-timestamp – invalidate the timestamp file

  • -l, --list – list the user's privileges or check a specific command; use twice for the long format

  • -n, --non-interactive – non-interactive mode, the user is never prompted

  • -P, --preserve-groups – preserve the group vector instead of setting the target user's groups

  • -p, --prompt=prompt – use the specified password prompt

  • -S, --stdin – read the password from standard input

  • -s, --shell – run a shell as the target user; a command may also be specified

  • -U, --other-user=user – in list mode, display the privileges of the specified user

  • -u, --user=user – run the command (or edit the file) as the specified user name or ID

  • -V, --version – display version information and exit

  • -v, --validate – update the user's timestamp without running a command

  • -- – stop processing command line arguments

Examples of using the sudo command:

  • sudo -l – displays the list of commands the current user is allowed to run. Along with the commands, the environment settings that will apply when they are run are shown.

  • sudo -ll – displays the list of commands available to the current user in the long (extended) format.

In this format, instead of the short form (ALL : ALL) ALL, a detailed description of the user's rights is shown:

Sudoers entry:

RunAsUsers: ALL

RunAsGroups: ALL

Commands: ALL

  • sudo lshw -C network – display information about network hardware with root superuser privileges

  • sudo -l -U user1 – view the list of commands available to user user1. To run this command, the invoking user must be root or be granted the right to run sudo -l by the settings in the /etc/sudoers file

  • sudo ipmitool sensor – run the ipmitool sensor command with root privileges.

  • sudo su – run the su command, i.e. start a root superuser session

  • sudo -i – start a command shell with root superuser privileges. To run this command, the user must be allowed to execute a shell program via sudo, for example /bin/bash

  • sudo ls /usr/local/protected – list the files in a directory accessible only to root

  • sudo -u user2 ls ~user2 – list the files in the home directory of user2

  • sudo -u www vi ~www/htdocs/index.html – edit the file ~www/htdocs/index.html as the www user

  • sudo -g adm view /var/log/syslog – view the system log file, which is accessible only to root and to members of the adm group

  • sudo -u user1 -g users2 vi /home/users2/textfile.txt – edit a text file as user1 with users2 as the primary group

  • sudo -E /usr/bin/firefox – launch the firefox browser as the superuser root, preserving the current user's environment. Running commands with a preserved environment must be permitted by the SETENV tag in the sudo configuration file.

Configuration file /etc/sudoers

The sudo configuration is determined by the contents of the /etc/sudoers file. Since incorrect data in this file can lead to serious problems accessing system resources, it is recommended to modify it using the special sudoedit editor (in some distributions – visudo), which supports syntax checking functions and significantly reduces the risk of creating an inoperable sudo configuration.

The contents of the /etc/sudoers file define the names of users and groups, a list of programs, the need to enter passwords, and some other settings related to the formation of environment variables when changing the user. In addition to this file, the sudo configuration can be determined by the contents of files from the /etc/sudoers.d directory, which allows you to structure the system for granting rights to use sudo as a set of files with meaningful names, which is useful for a large number of users and a complex system of rights separation. The names of the configuration files in the /etc/sudoers.d directory can be anything, but their contents must fully comply with the format of the /etc/sudoers file. Do not use the . (dot) and ~ (tilde) symbols in the file names – such files will be ignored.

The syntax of the settings in the /etc/sudoers file allows you to use special aliases (Aliases), which greatly simplify both the configuration and perception of sudo configuration information.

In the /etc/sudoers configuration file, four types of aliases can be used:

  • User_Alias – lists of users for whom the sudo usage policy is configured.

  • Runas_Alias – lists of users on whose behalf commands may be executed via sudo.

  • Host_Alias – lists of hosts from which users connect to the system.

  • Cmnd_Alias – lists of commands used in the /etc/sudoers directives.

Examples:

  • Host_Alias ADMCOMPS = localhost, server, admin – defines the alias ADMCOMPS, a group of computers with the names localhost, server and admin.

  • Host_Alias MAILSERVERS = 192.168.0.100, smtp2 – defines a group of two computers, one given by IP address and one by name. Subnet addresses may also be used.

  • User_Alias ADMINS = jsmith, admusr – defines the group ADMINS, which includes the users jsmith and admusr.

Similarly, you can create aliases for different sets of commands available for execution with sudo:

## A group of networking commands, alias NETWORKING

Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## A group of commands for installing and removing software, alias SOFTWARE

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## A group of commands for managing system services, alias SERVICES

Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Similarly, you can create aliases for groups of commands that are delegated to individual or aliased users.

The main part of the settings in the /etc/sudoers file consists of rules that determine which users, on which computers, may execute which commands. The format of an entry is:

user MACHINE=COMMANDS

  • user – user names or aliases.

  • MACHINE – computer names or aliases.

  • COMMANDS – command section, containing command names or aliases and additional parameters.

Typically, there is a directive in the /etc/sudoers file that allows the root user to run any commands anywhere:

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

Similarly, you can allow a particular user to execute any command via sudo, for example:

user ALL=(ALL) ALL

When running a command via sudo, the user is asked for a password (their own, not the root superuser's). If necessary, the command section can be configured so that no password is asked, using the NOPASSWD parameter:

user ALL=(ALL) NOPASSWD: /usr/bin/su, /usr/bin/drakxconf – user user may run su and drakxconf via sudo without a password; together with the previous rule, all other commands still require the password

Using aliases, you can grant rights to users connecting to the system from different computers:

ADMINS localhost=(ALL) NOPASSWD:ALL – allow the group of users defined by the alias "ADMINS" to execute any command without entering a password when connected via the loopback interface "localhost"

For user groups existing in the system, you can also allow the execution of individual commands or groups of commands:

  • %users localhost=/sbin/shutdown -h now – allow members of the users group to shut down the computer from localhost.

  • %operators ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom – allow members of the “operators” group to mount and unmount the specified devices.

  • %powerusers ALL=NETWORKING, NOPASSWD: /usr/bin/su – allow members of the “powerusers” group to execute “NETWORKING” group commands with a password and the “su” command without a password.

Quite often it is necessary to exclude individual commands from a list combined in an alias. In this case, an exclamation mark (!) is placed before the name of the command or alias:

  • ADMINS ALL= ALL, !NETWORKING – allow the group of users combined by the alias "ADMINS" to execute all commands except those combined by the alias "NETWORKING"

In the following example, users in the "ADMINS" group are allowed to execute all commands except /bin/bash and /usr/bin/su:

ADMINS ALL= ALL, !/bin/bash, !/usr/bin/su

In addition to access rules, the /etc/sudoers file contains Defaults directives, which define settings such as the search path for executables and the environment variables that are preserved when commands are executed:

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

By default, after a successful password entry sudo remembers the authentication for some time, during which the password is not required again. This period can be changed by setting the timestamp_timeout value in minutes:

Defaults timestamp_timeout=1

If sudo is run no later than 1 minute after the password was entered for the previous command, the password is not requested again. If timestamp_timeout is set to zero, the password is requested every time sudo is run; if it is set to a negative value (-1), the password is never requested again.

To prevent sudo from being run over ssh without a terminal (in which case the password would be echoed in clear text), the requiretty option is used; commands must then be run as "ssh -t hostname sudo <cmd>". In the default file the option is present but commented out; remove the leading # to enable it:

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.

# You have to run "ssh -t hostname sudo <cmd>".

#Defaults requiretty

To specify an additional directory with sudo user configuration files, use the following directive:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

If a rule does not behave as expected (for example, the NOPASSWD parameter is present but the password is still requested), check the order of the rules: the file is processed top to bottom, and when several rules match the same command the last matching rule is the one that applies.
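The following script is an added example, not part of the article: it assembles a drop-in for /etc/sudoers.d using the alias and rule forms described above, checks that the file name is one sudo will actually read (no dot, no tilde), and validates the syntax with visudo -cf before the file is ever installed. The alias, group and user names (OPS, operators, jsmith, admusr) and the target path /etc/sudoers.d/ops are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): assemble a sudoers drop-in for
# /etc/sudoers.d, check that its file name will be read, and validate the
# syntax with "visudo -cf" before it is ever copied into place.
# Alias, group and user names here are made up for illustration.

# /etc/sudoers.d skips files whose names contain '.' or '~' (editor backups,
# package leftovers such as "ops.rpmnew"). Return 0 when the name would be read.
sudoers_d_name_ok() {
    case "$1" in
        ''|*.*|*~*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Write the drop-in to the path given as $1. Rules are matched top to bottom
# and the last match wins, so the NOPASSWD rule is placed after the general one.
write_ops_dropin() {
    cat > "$1" <<'EOF'
# Constructed example drop-in; alias and group names are hypothetical.
User_Alias  OPS      = jsmith, admusr
Cmnd_Alias  SERVICES = /sbin/service, /sbin/chkconfig
Cmnd_Alias  SOFTWARE = /bin/rpm, /usr/bin/yum

# A one-minute password cache and a fixed PATH for every command run via sudo.
Defaults    timestamp_timeout=1
Defaults    secure_path="/sbin:/bin:/usr/sbin:/usr/bin"

# Members of the operators group may manage services and packages, with their own password.
%operators  ALL = SERVICES, SOFTWARE
# OPS may run anything with their own password...
OPS         ALL = ALL
# ...and service commands without one. This line must come after "OPS ALL = ALL":
# both rules match /sbin/service, the last match wins, and a password would be
# required for service commands if the order were reversed.
OPS         ALL = NOPASSWD: SERVICES
EOF
}

# Syntax-check a candidate file. Returns 0 when visudo reports "parsed OK",
# 1 on a syntax error, and 2 when visudo is not installed on this machine.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Count the rule lines in a file: everything that is not blank, a comment,
# a Defaults line or an alias definition.
count_rules() {
    grep -Evc '^[[:space:]]*(#|$|Defaults|[A-Za-z]+_Alias)' "$1"
}

main() {
    tmp="${TMPDIR:-/tmp}/ops-sudoers.$$"
    write_ops_dropin "$tmp" || return 1
    rc=0
    check_dropin "$tmp" || rc=$?
    case $rc in
        0) echo "$tmp: syntax OK, $(count_rules "$tmp") rules;" \
                "install with: install -m 0440 -o root -g root $tmp /etc/sudoers.d/ops" ;;
        2) echo "visudo not found; cannot validate $tmp" ;;
        *) echo "$tmp: syntax error, not installing" ;;
    esac
    rm -f "$tmp"
}

main "$@"
```

The file is written to a temporary path and only copied into /etc/sudoers.d after visudo accepts it, so a typo never reaches the live configuration; mode 0440 and root ownership are what sudo expects for drop-in files.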

For greater security, grant users only the minimum rights needed for their tasks when configuring sudo. It is advisable to manage rights through groups rather than individually for each user. All actions performed via sudo are recorded in the /var/log/auth.log log.
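Since every sudo invocation lands in the log mentioned above, the log is also where refusals show up. The script below is an added example, not part of the article: its log lines are constructed to mimic sudo's syslog format (a successful command logs "user : TTY=... ; PWD=... ; USER=... ; COMMAND=...", while a refusal inserts a reason such as "user NOT in sudoers", "N incorrect password attempts" or "command not allowed" before the TTY field). The host name web01 and the user names are made up; the functions read log lines from standard input, so they can be fed a real auth.log the same way.

```shell
#!/bin/sh
# Added example (not from the article): pull sudo denials out of auth.log-style
# lines. The log sample is constructed for this example and modelled on sudo's
# syslog format; host and user names are made up.
SAMPLE_AUTH_LOG='Mar  5 10:12:00 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  5 10:12:31 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  5 10:12:31 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  5 10:13:02 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  5 10:14:00 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  5 10:14:10 web01 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su
Mar  5 10:15:20 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  5 10:15:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

# Read log lines on stdin; print "user<TAB>reason<TAB>command" for every denied
# or failed sudo attempt. Successful runs look like "user : TTY=..." and are
# skipped; a refusal inserts a reason between the user and the TTY= field.
# pam_unix session lines carry no " : " separator and are skipped as well.
sudo_denials() {
    awk -F' ; ' '
        /sudo:/ {
            # $1 is e.g. "Mar  5 10:13:02 web01 sudo:  mallory : user NOT in sudoers"
            n = split($1, head, " : ")
            if (n < 2 || head[2] ~ /^TTY=/) next   # not a refusal: nothing to report
            user = head[1]; sub(/^.*sudo:[ \t]*/, "", user)
            cmd = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            printf "%s\t%s\t%s\n", user, head[2], cmd
        }'
}

# Aggregate the output of sudo_denials into "user count" lines, sorted by user,
# so accounts with repeated refusals stand out.
denials_per_user() {
    awk -F'\t' '{ n[$1]++ } END { for (u in n) printf "%s %d\n", u, n[u] }' | sort
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_denials
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_denials | denials_per_user
```

On the sample, the first pipeline reports the two "user NOT in sudoers" attempts, the failed password attempts and the "command not allowed" refusal, and the second shows mallory with two refusals; a real system would have the same shape of output from "sudo_denials < /var/log/auth.log".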

To keep sudo commands out of the command history (the ~/.bash_history file for the bash shell), you can use a feature of most shells (bash, for example): a command that begins with a space is not saved to the history if the corresponding setting is enabled. To check the setting, run:

echo $HISTCONTROL

If the output contains ignorespace or ignoreboth, commands that begin with a space will not be saved in the history.

If ignorespace or ignoreboth is missing, you can enable it with the export command

export HISTCONTROL=ignorespace

To make this change permanent, add the line

export HISTCONTROL=ignorespace

to the ~/.bashrc file, for example with the command

echo 'export HISTCONTROL=ignorespace' >> ~/.bashrc

After this, a command that begins with a space is not recorded in the history.

If you want commands containing sudo to never be recorded in the history, you can set the HISTIGNORE variable.

To do this, add the following line to your ~/.bashrc file:

export HISTIGNORE="sudo*"

This will remove all commands starting with sudo from the history.

To apply the changes to the ~/.bashrc file without restarting the shell, use the command:

source ~/.bashrc

Detailed help on using sudo can be obtained using the commands:

man sudo

man sudoers

Conclusion

The sudo command is a basic yet very powerful tool for managing permissions in Linux. It allows you to flexibly distribute administrative privileges, increase system security, and avoid unnecessary use of root access. Properly configuring sudo helps maintain a balance between usability and control, especially in a multi-user environment. If you want to learn more about sudo, its syntax, and configuration details, you should visit the official project website.
