
What is sudo on Linux?

The sudo command stands for "superuser do". If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.

The privileged command you want to run must first begin with the word sudo followed by the command's regular syntax. When running the command with the sudo prefix, you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password. All commands run through sudo are logged in the log file /var/log/messages.

In order to use sudo we first need to configure the sudoers file. Do not edit the file directly; to edit it, use the command

# visudo

******Output***************
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
**********************************************

You will see the line

root ALL=(ALL) ALL

This line means that the user root can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) commands. The first part is the user, the second is the terminal from where the user can use sudo, the third is as which user he may act, and the last one is which commands he may run.

Example:

Granting Access To Specific Users To Specific Files
---------------------------------------------------

amsin21, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl

This entry allows user amsin21 and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location.

Granting Access to Specific Files as Another User
-------------------------------------------------

The sudo -u option allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.

This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer amsin21 is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring "amsin21" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands, but only as user "accounts". The sudoers entry would look like this:

amsin21 ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

User amsin21 is allowed to stop the monthend process with this command:

# sudo -u accounts pkill monthend

Granting Access Without Needing Passwords
-----------------------------------------

This example allows all users in the group operator to execute all the commands in the /sbin directory without the need for entering a password. This has the added advantage of being more convenient to the user:

%operator ALL= NOPASSWD: /sbin/

Using Aliases in the sudoers File
---------------------------------

Sometimes you'll need to assign very similar sets of privileges to assorted groupings of users from various departments. The sudoers file allows users to be grouped according to function, with the group then assigned a nickname or alias which is used throughout the rest of the file. Groupings of commands can also be assigned aliases.

In the next example, users amsin21, amsin211 and amsin212 and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users in ADMINS are then denied the option of running any SHELLS commands and su:

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = amsin21, amsin211, amsin212, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS

This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
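As an added illustration (not part of the original answer): a small Python evaluator for the sudoers subset used in the entries above, covering the four fields, User_Alias and Cmnd_Alias expansion, the trailing-slash directory rule, (runas), NOPASSWD: and ! negation, using sudo's last-matching-entry-wins evaluation. The sudoers fragment is constructed from this page's entries; the host field is assumed to be ALL throughout and the caller supplies group membership.

```python
import re
# Constructed sudoers fragment: the entries discussed on this page, one rule per line.
SUDOERS = """\
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = amsin21, amsin211, amsin212, %operator
root ALL=(ALL) ALL
amsin21, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
amsin21 ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
%operator ALL= NOPASSWD: /sbin/
ADMINS ALL = !/usr/bin/su, !SHELLS
"""
# Rule shape:  who  host = (runas) [NOPASSWD:] cmd, cmd ...  (only this syntax is handled; host is assumed ALL)
SPEC = re.compile(r"^(?P<who>.+?)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse(text):
    rules, aliases = [], {}  # User_Alias and Cmnd_Alias names share one table
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, _, rest = line.partition(" ")
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, _, members = rest.partition("=")
            aliases[name.strip()] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC.match(line)
        nopasswd = m["cmds"].startswith("NOPASSWD:")
        cmds = m["cmds"][9:] if nopasswd else m["cmds"]
        rules.append({"who": [w.strip() for w in m["who"].split(",")], "nopasswd": nopasswd,
                      "runas": [r.strip() for r in (m["runas"] or "root").split(",")],  # no (runas) means root
                      "cmds": [(c.strip().startswith("!"), c.strip().lstrip("!")) for c in cmds.split(",")]})
    return rules, aliases

def expand(items, aliases):
    """Recursively replace alias names with their members."""
    return [x for it in items for x in (expand(aliases[it], aliases) if it in aliases else [it])]

def cmd_matches(pattern, cmd):
    if pattern.endswith("/"):  # trailing slash: any file directly inside that directory, not subdirectories
        return cmd.startswith(pattern) and "/" not in cmd[len(pattern):]
    return pattern in ("ALL", cmd)

def check(sudoers, user, groups, runas, cmd):
    """Last matching entry wins: returns 'deny', 'allow' (password asked) or 'allow_nopasswd'."""
    rules, aliases = parse(sudoers)
    verdict = "deny"
    for r in rules:
        who = expand(r["who"], aliases)
        if (user in who or any("%" + g in who for g in groups)) and ("ALL" in r["runas"] or runas in r["runas"]):
            for neg, pat in r["cmds"]:
                if any(cmd_matches(p, cmd) for p in expand([pat], aliases)):
                    verdict = "deny" if neg else ("allow_nopasswd" if r["nopasswd"] else "allow")
    return verdict
```

The user ops1 and the paths /sbin/ifconfig and /sbin/sub/tool in the checks below are constructed inputs; note how the negated ADMINS entry denies a shell to an operator even though /sbin/ is granted without a password.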
