
Quick HOWTO: Using Sudo Page 1 of 4


Chapter 2

Using Sudo
===========================================
In This Chapter
What is sudo?
Download and Install The sudo Package
The visudo Command
The /etc/sudoers File
How To Use sudo
Using syslog To Track All sudo Commands

© Peter Harrison, www.linuxhomenetworking.com

===========================================

You can give selected users temporary "root" privileges using the "sudo" command. Here's how.
What is sudo?
• Sudo is a command that allows users defined in the /etc/sudoers configuration file to have temporary
root access to run certain privileged commands.
• The command you want to run must first begin with the word "sudo" followed by the regular command
syntax.
• When running the command you will be prompted for your regular password before it is executed. You
may run other privileged commands using sudo within a five-minute period without being re-prompted
for a password.
• All commands run as sudo are logged in the log file /var/log/messages.

http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/sudo.htm 1/09/2010

Download and Install The sudo Package


Fortunately, the package is installed by default by RedHat.

The visudo Command


• "visudo" is the command used to edit the /etc/sudoers configuration file. It is not recommended that
you use any other editor to modify your sudo parameters. "visudo" uses the same commands as the
"vi" text editor.
• "visudo" is best run as user "root"

[root@aqua tmp]# visudo

The /etc/sudoers File

General Guidelines
o The /etc/sudoers file has the general format:
usernames/group target-servername = command
o Groups are the same as user groups and are differentiated from regular users by a % at the
beginning
o The "#" at the beginning of a line signifies a comment line
o You can have multiple usernames per line separated by commas
o Multiple commands can be separated by commas too. Spaces are considered part of the
command.
o The keyword "ALL" can mean all usernames, groups, commands and servers.
o If you run out of space on a line, you can end it with a "\" and continue on the next line.
o The NOPASSWD keyword provides access without you being prompted for your password

Simple sudoers Examples


o Users "paul" and "mary" have full access to all privileged commands

paul, mary ALL=(ALL) ALL


o Users with a groupid of "operator" have full access to all commands and won't be prompted for a
password when doing so.

%operator ALL=(ALL) NOPASSWD: ALL

How To Use sudo


• In this example, user "paul" attempts to view the contents of the /etc/sudoers file

[paul@bigboy paul]$ more /etc/sudoers
/etc/sudoers: Permission denied
[paul@bigboy paul]$

• Paul tries again using sudo and his regular user password and is successful

[paul@bigboy paul]$ sudo more /etc/sudoers
Password:
...
...
...
[paul@bigboy paul]$

Using syslog To Track All sudo Commands


All sudo commands are logged in the log file /var/log/messages. Here is sample output from the above
example.

[root@bigboy tmp]# grep sudo /var/log/messages
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul
Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
[root@bigboy tmp]#
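
The two record types in the sample output above (the PAM authentication failure and sudo's own command record) can be parsed mechanically to track who ran what. This is an added example in Python, not part of the original HOWTO; the names parse_sudo_line and summarize are this example's own, and SAMPLE is the page's output with each wrapped record rejoined onto one line.

```python
import re
from collections import Counter

# Sample output from the page, with each wrapped record joined back onto one line.
SAMPLE = [
    "Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; "
    "logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul",
    "Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 ; PWD=/etc ; USER=root ; "
    "COMMAND=/bin/more sudoers",
]

# "<timestamp> <host> sudo[(module)][[pid]]: <body>"
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                    r"sudo(?:\((?P<module>[^)]+)\))?(?:\[\d+\])?:\s+(?P<body>.*)$")

def parse_sudo_line(line):
    """Return a dict describing one sudo syslog record, or None if not sudo."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"]}
    if m["module"]:
        # PAM record: "<event>; key=value key=value ..."
        event, _, rest = m["body"].partition(";")
        rec["event"] = event.strip()
        rec.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        return rec
    # sudo's own record: "<invoker> : KEY=value ; ... ; COMMAND=<rest of line>"
    invoker, _, rest = m["body"].partition(" : ")
    head, _, command = rest.partition("COMMAND=")  # COMMAND is the last field
    rec.update(event="command", invoker=invoker.strip(), COMMAND=command)
    for field in filter(None, (f.strip() for f in head.split(" ; "))):
        key, eq, value = field.partition("=")
        if eq:
            rec[key] = value
        else:
            rec["event"] = field  # free-text status in place of a KEY=value pair
    return rec

def summarize(lines):
    """Count authentication failures per user and list commands run via sudo."""
    failures, commands = Counter(), []
    for rec in filter(None, map(parse_sudo_line, lines)):
        if rec["event"] == "authentication failure":
            failures[rec.get("user", "?")] += 1
        elif rec["event"] == "command":
            commands.append((rec["invoker"], rec.get("USER"), rec.get("PWD"), rec["COMMAND"]))
    return failures, commands

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that COMMAND records arguments as typed, so "sudoers" here has to be read together with PWD=/etc to see that the file viewed was /etc/sudoers.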
