Before you start
Objectives: Learn how to allow users to run administrative commands using sudo.
Prerequisites: you have to know how to manage users and how to manage groups in Linux.
Key terms: sudo, root, user, command, Linux, sudoers file.
sudo is a very useful tool used to delegate administrative rights to other users. One of the advantages (or drawbacks) in Linux is that there is only one root user, meaning one administrator. It’s not easy to delegate tasks to other people without the need to give them root password so that they can log in as root. We don’t want to give people root password, so that we always have a fallback to use root if we need to. Because of that, the sudo utility is created.
sudo allows users to execute things with the permissions of the root user, without actually having to be logged in as the root user. We can also use it to allow people to execute programs with the permissions of other user accounts. The main configuration file for sudo is in etc folder, and is called sudoers. Let’s take a look at that file. In our case we will be working in Ubuntu 14.04 LTS. So, to open sudoers file, in terminal we will enter the command: sudo less /etc/sudoers.
Here we see two important things. First, we see that we can’t modify this file directly, but we can edit it using the visudo command as root. When we enter that command in our terminal, the sudoers file will be opened with our default text editor (in our case it is nano), and we will be allowed to edit that file. We have to use the visudo command because it edits the sudoers file in a safe fashion, meaning that it locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. We will not edit the sudoers file now, so we will simply read it using less.
User Privilege Specification
Note how the entry looks like in sudoers file, for example, in the user privilege specification.
User Privilege Specification For root
A user specification is in the format
<user list> <host list> = <operator list> <tag list> <command list>
This is the example of basic entry in sudoers file, for the root user. This entry is actually broken down into different columns. The first column is the user name, or list of user names, or groups, that we specify this rule for. The second column, right before the equals sign ( = ), is the host or the computer name on which this applies. Now, the sudoers file assumes that it is the one file used network wide for all of our machines. This way we have a way to limit users on specific machines. In this case, and probably in most cases, we will probably be dealing with one machine, so we can typically leave that as all, meaning “this user on all machines”. The next section is after the equal sign, in parenthesis, is a list of users that the specified users in the left hand side, are allowed to execute commands as. So, if we want to allow a user to execute commands not only as the root user, but also all other users, we could put their users names here as a comma separated list, or we can simply allow to execute as any user, which is done using the ALL statement. The tag list allows us to set special things for each command. The last column is a list of commands that this rule is going to apply to. This can also be a single command or a comma separeted list of commands. We can also use PASSWD and NOPASSWD to specify whether the user has to enter a password or not. For example, we can specify that the user “cicnavi” don’t have to enter password when shutting down, halting, or rebooting the machine.
cicnavi ALL=(ALL:ALL) NOPASSWD: /sbin/poweroff,/sbin/halt,/sbin/reboot
Typically when we execute a command with sudo, we would have to enter “sudo <command>”, and then the system would ask us for our password. The command would then be executed. If we want to allow certain users to execute commands using only “sudo <command>”, and without entering the password, we can do that using the NOPASSWD. Note that we might need to reboot the machine after modifying the sudoers file before this will work as expected.
In the “Host alias specification” we can create aliases of groups of hosts (computers) to be able to be plugged into the hosts section.
“User alias specification” means that we can specify aliases of users so that we can refer to a group of users, that may not correspond to a Unix group, and we can then refer to that group alias in the user section.
“Cmnd alias specification” is basically the same thing. We can specify groups of commands to which we can then refer to when we specify privileges, and is used in the command section.
Let’s create alias for our shutdown commands used before:
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot
Now that we have this alias, we can use it in our privilege specification for user cicnavi:
cicnavi ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
Aliases are like variables which we can use. We can also write the above line like this:
cicnavi ALL=NOPASSWD: SHUTDOWN_CMDS
Note that we have left out the section in parenthesis (ALL). If we do that, we’ll only be able to run those commands as the root user.
The next important thing we can see in the sudoers file is the section “Allow members of group sudo to execute any command”. Note that the line
%sudo ALL=(ALL:ALL) ALL
is available by default in Ubuntu. Also note that if we want to specify the Unix group (the one which can be found in /etc/group), we put % before the name of that group. So, the line above specifies that any member of the sudo group can run all commands using the sudo command.
So, in order for particular user to have sudo capabilities, we can simply add it to the sudo group. In other Linux distributions, we can have some other default group for this purpose. We can also add other groups to this list. Note that we can also see the section “Members of the admin group may gain root privileges”. In Ubuntu this is for compatibility purposes and is not used in newer versions of Ubuntu. So, administrators are added to the sudo group, but the admin group is supported for backward compatibility.
In Fedora distribution, we will typically find the wheel group as the entry in sudoers file. It is commented by default, but we can uncoment it to allow people in that group to run all commands (sudo capabilities). Remember that we have to edit sudoers using the visudo command.
To exclude certain users to do something, we can use the ! in front of the command section in order to disallow a user to do something. For example, we can say that we want to disallow user “demo5” to shutdown the localhost:
demo5 ALL=!/sbin/shutdown -h now
This way, he will be able to use other commands, but not the shutdown command.