
 

Chapter 2

Using Sudo

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In This Chapter


What is sudo?

Download and Install The sudo Package

The visudo Command

The /etc/sudoers File

How To Use sudo

Using syslog To Track All sudo Commands

 

 

© Peter Harrison, www.linuxhomenetworking.com

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

You can give selected users temporary "root" privileges using the "sudo" command. Here's how.

What is sudo?

·    Sudo is a command that allows users defined in the /etc/sudoers configuration file to have temporary root access to run certain privileged commands.

·    The command you want to run must first begin with the word "sudo" followed by the regular command syntax.

·    When running the command you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password.

·    All commands run as sudo are logged in the log file /var/log/messages.

 


 

Download and Install The sudo Package

Fortunately, the package is installed by default by Red Hat.

 

The visudo Command 

·    "visudo" is the command used to edit the /etc/sudoers configuration file. It is not recommended that you use any other editor to modify your sudo parameters. "visudo" uses the same commands as the "vi" text editor.

·    "visudo" is best run as user "root".

 

[root@aqua tmp]# visudo

 

The /etc/sudoers File 

General Guidelines

o       The /etc/sudoers file has the general format:

usernames/group  target-servername = command

o       Groups are the same as user groups and are differentiated from regular users by a % at the beginning

o       The "#" at the beginning of a line signifies a comment line

o       You can have multiple usernames per line separated by commas

o       Multiple commands can be separated by commas too. Spaces are considered part of the command.

o       The keyword "ALL" can mean all usernames, groups, commands and servers.

o       If you run out of space on a line, you can end it with a "\" and continue on the next line.

o       The NOPASSWD keyword provides access without you being prompted for your password

 

Simple sudoers Examples

o       Users "paul" and "mary" have full access to all privileged commands

 

paul, mary  ALL=(ALL) ALL


 

o       Users with a groupid of "operator" have full access to all commands and won't be prompted for a password when doing so.

 

%operator  ALL=(ALL) NOPASSWD: ALL 

 

How To Use sudo

·        In this example, user "paul" attempts to view the contents of the /etc/sudoers file.

 

[paul@bigboy paul]$ more /etc/sudoers
/etc/sudoers: Permission denied

[paul@bigboy paul]$

 

·        Paul tries again using sudo and his regular user password and is successful.


[paul@bigboy paul]$ sudo more /etc/sudoers
Password:

...

...

...

[paul@bigboy paul]$

 

Using syslog To Track All sudo Commands 

All sudo commands are logged in the log file /var/log/messages. Here is sample output from the above example.

 

[root@bigboy tmp]# grep sudo /var/log/messages
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul
Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
[root@bigboy tmp]#
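
The two kinds of log line shown above can be turned into audit records with a small parser. This is an added example, not part of the original chapter: the function name sudo_audit, the record layout and the third sample line (user "joe") are constructed for illustration, and it goes beyond the page's two lines by also reporting refusals that sudo logs in the same format, such as "user NOT in sudoers".

```shell
# Added example: turn sudo syslog lines (stdin) into "|"-separated records:
#   CMD|time|user|run-as|working dir|command    sudo ran the command
#   DENY|time|user|reason|command               sudo refused it
#   AUTHFAIL|time|user|tty                      wrong password (PAM line)
sudo_audit() {
    awk '
    # Value of KEY= inside a " ; "-separated sudo record, or "" if absent.
    function field(rec, key,    n, parts, i) {
        n = split(rec, parts, " ; ")
        for (i = 1; i <= n; i++)
            if (index(parts[i], key "=") == 1)
                return substr(parts[i], length(key) + 2)
        return ""
    }
    { ts = $1 " " $2 " " $3 }
    # PAM line: sudo(pam_unix)[pid]: authentication failure; ... user=NAME
    / sudo\(pam_unix\)\[[0-9]+\]: authentication failure;/ {
        user = ""; tty = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^user=/) user = substr($i, 6)
            if ($i ~ /^tty=/)  tty  = substr($i, 5)
        }
        print "AUTHFAIL|" ts "|" user "|" tty
        next
    }
    # sudo line: sudo: NAME : [reason ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
    match($0, / sudo(\[[0-9]+\])?: /) {
        rest = substr($0, RSTART + RLENGTH)
        sep = index(rest, " : ")
        if (sep == 0) next
        user = substr(rest, 1, sep - 1)
        rec  = substr(rest, sep + 3)
        # COMMAND is last and may contain " ; " itself, so cut it by position.
        cpos = index(rec, "COMMAND=")
        cmd  = cpos ? substr(rec, cpos + 8) : ""
        # A first field that is not KEY=value is a refusal reason.
        split(rec, first, " ; ")
        if (first[1] !~ /^[A-Z]+=/)
            print "DENY|" ts "|" user "|" first[1] "|" cmd
        else
            print "CMD|" ts "|" user "|" field(rec, "USER") "|" field(rec, "PWD") "|" cmd
    }'
}
# Demo: the first two lines are from the page, the third is constructed.
sudo_audit <<'EOF'
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul
Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
Nov 18 22:53:02 bigboy sudo: joe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/more /etc/sudoers
EOF
```

To run it against the real log, replace the here-document with `sudo_audit < /var/log/messages`.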