Tips Linux Explorers   All Things Linux Forum   Great Linux Links   LinuxClues.com   Hometown   Email 



SUDO


Members that use D Small Linux or VectorLinux know there is a command prefix called “sudo” that runs a single command as root without having to log in as root or use “su” and the root <password>. Pretty convenient; not 100% bulletproof, but still acceptable if you're the only user and behind a decent firewall.

Alright, here is the trick: imagine you want to run “mount /dev/hda7 /mnt/loop”, and you know this command has to be given as root. You don't have to “su”; instead:

CODE
$ sudo  mount /dev/hda7 /mnt/loop


You simply add sudo before the command, and only for that specific command are you “temporary root”. Now that is simple, isn't it?
Well, that part indeed is simple, but “sudo” does not work out of the box like that on most distros; you first have to change the “sudoers” file. Editing the sudoers file does NOT work with:

CODE
# vi /etc/sudoers


No, you have to use a special command:

CODE
$ su
< password >
# visudo


And you will get this:

QUOTE (Text @ Sudoers File)

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)      ALL

# Same thing without a password
# %wheel        ALL=(ALL)      NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now


So to be able to use the “sudo” prefix on the most used commands, just delete the two # marks (this action is called un-commenting the line) on these two lines:

QUOTE (Text @ Sudoers File)

# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now


If you want a more drastic approach: in most distros (not in Slackware by default) you are a member of the “wheel” group, so un-commenting the next two lines will give you passwordless access to all commands:

QUOTE (Text @ Sudoers File)

# %wheel        ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL


You save the sudoers file the same way as in the vi editor:

< Esc >
ZZ


If you want to know more about sudo and the sudoers file:

CODE
$ man sudo


An extract of the man page on security:
QUOTE (Text @ Manpage Sudo)
SECURITY NOTES
      sudo tries to be safe when executing external commands.  Variables that
      control how dynamic loading and binding is done can be used to subvert
      the program that sudo runs.  To combat this the LD_*, _RLD_*,
      SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables
      are removed from the environment passed on to all commands executed.
      sudo will also remove the IFS, ENV, BASH_ENV, KRB_CONF, KRBCONFDIR,
      KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH,
      PATH_LOCALE, TERMINFO, TERMINFO_DIRS and TERMPATH variables as they too
      can pose a threat.  If the TERMCAP variable is set and is a pathname,
      it too is ignored.  Additionally, if the LC_* or LANGUAGE variables
      contain the / or % characters, they are ignored.  If sudo has been compiled
      with SecurID support, the VAR_ACE, USR_ACE and DLC_ACE variables
      are cleared as well.  The list of environment variables that sudo
      clears is contained in the output of sudo -V when run as root.

      To prevent command spoofing, sudo checks "." and "" (both denoting current
      directory) last when searching for a command in the user's PATH
      (if one or both are in the PATH).  Note, however, that the actual PATH
      environment variable is not modified and is passed unchanged to the
      program that sudo executes.

      For security reasons, if your OS supports shared libraries and does not
      disable user-defined library search paths for setuid programs (most
      do), you should either use a linker option that disables this behavior
      or link sudo statically.

      sudo will check the ownership of its timestamp directory (/var/run/sudo
      by default) and ignore the directory's contents if it is not owned by
      root and only writable by root.  On systems that allow non-root users
      to give away files via chown(2), if the timestamp directory is located
      in a directory writable by anyone (e.g.: /tmp), it is possible for a
      user to create the timestamp directory before sudo is run.  However,
      because sudo checks the ownership and mode of the directory and its
      contents, the only damage that can be done is to "hide" files by
      putting them in the timestamp dir.  This is unlikely to happen since
      once the timestamp dir is owned by root and inaccessible by any other
      user the user placing files there would be unable to get them back out.
      To get around this issue you can use a directory that is not world-
      writable for the timestamps (/var/adm/sudo for instance) or create
      /var/run/sudo with the appropriate owner (root) and permissions (0700)
      in the system startup files.

      sudo will not honor timestamps set far in the future.  Timestamps with
      a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
      will log and complain.  This is done to keep a user from creating
      his/her own timestamp with a bogus date on systems that allow users to
      give away files.

      Please note that sudo will only log the command it explicitly runs.  If
      a user runs a command such as sudo su or sudo sh, subsequent commands
      run from that shell will not be logged, nor will sudo's access control
      affect them.  The same is true for commands that offer shell escapes
      (including most editors).  Because of this, care must be taken when
      giving users access to commands via sudo to verify that the command
      does not inadvertently give the user an effective root shell.


Also see /usr/share/doc/sudo for more examples and information.


Bruno

PS: The command "visudo" works by default with vi; if you want it to default to nano (or any other editor), issue this command first: "export EDITOR=nano"



-- Oct 21 2003 ( Revised Dec 12 2005 ) --
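An added example, not part of Bruno's tip or of the sudo project: a POSIX shell lint that runs over a sudoers file and flags the rules the wheel/NOPASSWD section and the man page's SECURITY NOTES warn about (passwordless ALL, ALL for non-root users, and commands such as su, sh or vi that hand the caller a shell). The sample sudoers file, the user "bruno" rule and the list of shell-capable commands are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original tip or from the sudo project: a
# lint that flags the sudoers rules this page and the man page's SECURITY
# NOTES warn about. Run it on a copy, then install the copy with visudo.

# Constructed sample: the page's sample rules plus two deliberately risky ones.
write_sample_sudoers() {
  cat > "$1" <<'EOF'
root    ALL=(ALL) ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
bruno   ALL=(ALL) /usr/bin/vi /etc/hosts, /bin/cat /var/log/messages
EOF
}

# Commands that hand the caller a shell, directly or via a shell escape.
SHELLISH='su sh bash dash ksh zsh vi vim nano emacs less more'

# Print one line per risky rule in file $1; prints nothing for a clean file.
audit_sudoers() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
  while IFS= read -r rule; do
    set -- $rule; who=$1                 # user or %group the rule is for
    case "$rule" in *NOPASSWD:*) nopw=1 ;; *) nopw=0 ;; esac
    # Command list: drop the "(runas)" spec and any TAG: prefixes.
    cmds=$(printf '%s' "${rule#*=}" | sed 's/([^)]*)//; s/[A-Z]*://g')
    printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd _; do
      [ -n "$cmd" ] || continue
      if [ "$cmd" = ALL ]; then
        [ "$who" = root ] && continue    # root is already root
        if [ "$nopw" -eq 1 ]; then
          echo "$who: passwordless root for ALL commands"
        else
          echo "$who: ALL commands; 'sudo su' or 'sudo sh' gives an unlogged root shell"
        fi
        continue
      fi
      for s in $SHELLISH; do
        [ "${cmd##*/}" = "$s" ] && echo "$who: $cmd offers a shell escape"
      done
    done
  done
}

# Number of findings, for scripting (0 means nothing was flagged).
audit_count() { audit_sudoers "$1" | grep -c . || true; }

f=$(mktemp); write_sample_sudoers "$f"
audit_sudoers "$f"; rm -f "$f"        # prints the two findings for the sample
```

Point it at a copy of /etc/sudoers before you install the copy with visudo; this lint only spots the patterns above, and visudo still has the last word on syntax.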

