Linux administrators regularly need to grant permission for individual commands that require superuser access. The `sudo` command allows specified users to execute commands with the privileges of another user, typically the superuser. This capability matters because it lets administrative tasks be performed without logging in as the root user, which is generally considered unsafe.
In this article, we will explore various methods to add a user to the sudoers file, enabling them to run commands with root privileges on a Linux system.
Method 1: Using the visudo Command
The visudo command is the safe way to edit the sudoers file. It locks the file against concurrent edits and checks the syntax before saving changes, so a typo cannot lock you out of your system. Run `sudo visudo` and add a line with the following structure:
username host=(user:group) command
Let’s break down this structure using an example entry:
root ALL=(ALL:ALL) ALL
Username (root):
The first field indicates the username that the rule will apply to (root). In this case, the rule grants sudo privileges to the root user.
Host (ALL):
The second field designates the hosts to which the rule applies. The term “ALL” in this field indicates that this rule applies to all hosts. The sudo rule will be effective regardless of the system the user is accessing.
User and Group (ALL:ALL):
The third field specifies the user and group as (user:group). In the example, both are set to “ALL,” indicating that the root user can run commands as all users and all groups on the system.
Command (ALL):
The last field denotes the commands to which the rule applies. The term “ALL” in this field indicates that the root user can run commands of any type. This ensures that the sudo privileges cover all commands that may be executed with elevated privileges.
Method 2: Modifying the sudoers File Directly
If you prefer to use a different text editor or are unable to use visudo, you can manually edit the sudoers file. Be aware that you lose the syntax check: a malformed sudoers file disables sudo for every user, so run `visudo -c` afterwards to verify the file before closing your root session.
- Open a terminal.
sudo nano /etc/sudoers
- Follow the same steps as in Method 1 to add a line specifying the user and privileges.
- Save the changes and exit the text editor.
Method 3: Using the usermod Command
The usermod command provides an alternative way to add a user to the sudo group, granting them sudo privileges.
- Open a terminal.
sudo usermod -aG sudo username
- The `-aG` option appends the user to the specified group (in this
Method 4: Creating a New sudoers File
In some cases, you may want to create a separate sudoers file for custom configurations. This is especially useful in environments with multiple administrators. Files placed in /etc/sudoers.d are read through the `#includedir` directive in the main sudoers file; note that sudo skips any file in that directory whose name contains a `.` or ends in `~`, and `visudo -f` still performs the syntax check on the fragment.
- Open a terminal.
sudo visudo -f /etc/sudoers.d/customfile
- Add the user and privileges as in previous methods.
- Save and exit the file.
Method 5: Using the adduser Command
The adduser command (available on Debian-based systems) can be used to create a new user and then add them to the sudo group.
- Open a terminal.
sudo adduser username
- Follow the on-screen prompts to set a password and other user details.
- Add the user to the sudo group:
sudo usermod -aG sudo username
How To Set Up Custom Rules
Now that we are familiar with the syntax of the file, let's create some new rules.
How To Create Aliases
The sudoers file can be organized more easily by grouping things with various kinds of aliases.
For instance, one can create three different groups of users, with overlapping members:
/etc/sudoers
. . .
User_Alias GROUPONE = abby, brent, carl
User_Alias GROUPTWO = brent, doris, eric
User_Alias GROUPTHREE = doris, felicia, grant
. . .
Alias names must start with an uppercase letter and may contain only uppercase letters, digits and underscores. We can then allow members of GROUPTWO to update the apt database by creating a rule like this:
/etc/sudoers
. . .
GROUPTWO ALL = /usr/bin/apt-get update
. . .
If we do not specify a user/group to run as, as above, sudo defaults to the root user.
We can allow members of GROUPTHREE to shut down and reboot the machine by creating a command alias and using that in a rule for GROUPTHREE:
/etc/sudoers
. . .
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE ALL = POWER
. . .
We create a command alias called POWER that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create Runas aliases, which can replace the portion of the rule that specifies the user to execute the command as:
/etc/sudoers
. . .
Runas_Alias WEB = www-data, apache
GROUPONE ALL = (WEB) ALL
. . .
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Just keep in mind that when two rules match the same command, the later rule overrides the earlier one (the last match wins).
How To Lock Down Rules:
There are several ways you can achieve more control over how sudo reacts to a call.
The updatedb command, provided by the mlocate package, is relatively harmless on a single-user system. If we want to allow users to execute it with root privileges without having to type a password, we can make a rule like this:
/etc/sudoers
. . .
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
. . .
NOPASSWD is a tag that means no password will be requested. It has a companion tag called PASSWD, which is the default behavior. A tag applies to the rest of the rule unless overruled by its twin tag later on the same line.
For instance, we can have a line like this:
/etc/sudoers
. . .
GROUPTWO ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
. . .
Another helpful tag is NOEXEC, which can be used to prevent some dangerous behavior in certain programs.
For example, some programs, like less, can spawn other commands when the user types this from within their interface:
!command_to_run
This executes whatever command the user supplies with the same privileges that less is running under, which defeats the purpose of restricting the user to a single command.
To restrict this, we could use a line like this:
/etc/sudoers
. . .
username ALL = NOEXEC: /usr/bin/less
. . .
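As an added example (not part of the original article and not sudo's own code), the following Python script implements a small evaluator for the rule syntax, aliases, tags and rule ordering described in the sections above, so you can see how a configuration like the one built here would be interpreted before installing it. The constructed SAMPLE string reuses the rules shown on this page and adds one final constructed line for carl; the user names, the host name web1 and alice's membership in the sudo group are assumptions. Only the subset of sudoers syntax shown on this page is handled, so a real file should still be checked with `visudo -c`.

```python
"""Toy evaluator for the sudoers subset used on this page (added example, not
sudo's own code): aliases, ALL, %group users, NOPASSWD/PASSWD and NOEXEC/EXEC."""
import re
from collections import namedtuple

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC"}
# What one matching command spec grants; password=True / exec_allowed=True are
# sudo's defaults (the PASSWD and EXEC tags); NOPASSWD and NOEXEC clear them.
Decision = namedtuple("Decision", "runas_users runas_groups command password exec_allowed")


def _split_top(text):
    """Split on commas that are not inside a (runas) group."""
    return [p.strip() for p in re.split(r",(?![^()]*\))", text) if p.strip()]


def _cmd_matches(allowed, requested):
    # ALL matches anything; a bare path matches any arguments; a path listed
    # with arguments must be invoked with exactly those arguments.
    a_path, _, a_args = allowed.partition(" ")
    r_path, _, r_args = requested.partition(" ")
    return allowed == "ALL" or (a_path == r_path and (not a_args or a_args == r_args))


class Sudoers:
    def __init__(self, text, user_groups=None):
        self.aliases = {"User_Alias": {}, "Cmnd_Alias": {}, "Runas_Alias": {}}
        self.rules = []                       # [(users, hosts, [Decision, ...])]
        self.user_groups = user_groups or {}  # user -> set of Unix group names
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # '#' starts a comment (no #include)
            if not line:
                continue
            if m := ALIAS_RE.match(line):
                self.aliases[m.group(1)][m.group(2)] = m.group(3)
            elif m := RULE_RE.match(line):
                self.rules.append((self._expand("User_Alias", m.group(1)),
                                   {m.group(2)}, self._parse_specs(m.group(3))))
            else:
                raise ValueError(f"unparsable line: {raw!r}")

    def _expand(self, kind, item):
        """Resolve alias names (recursively) into a set of concrete items."""
        return set().union(*[self._expand(kind, self.aliases[kind][n])
                             if n in self.aliases[kind] else {n} for n in _split_top(item)])

    def _parse_specs(self, text):
        """Parse a Cmnd_Spec_List: the (runas) part and any tag stay in force for
        the rest of the list unless replaced by their twin (PASSWD undoes NOPASSWD)."""
        runas_users, runas_groups = frozenset({"root"}), frozenset()
        password, exec_allowed, specs = True, True, []
        for part in _split_top(text):
            if m := RUNAS_RE.match(part):
                users, _, groups = m.group(1).partition(":")
                runas_users = frozenset(self._expand("Runas_Alias", users) or {"root"})
                runas_groups = frozenset(self._expand("Runas_Alias", groups))
                part = m.group(2)
            while ":" in part and part.split(":", 1)[0].strip() in TAGS:
                tag, part = (s.strip() for s in part.split(":", 1))
                password = tag == "PASSWD" if tag.endswith("PASSWD") else password
                exec_allowed = tag == "EXEC" if tag.endswith("EXEC") else exec_allowed
            for cmd in self._expand("Cmnd_Alias", part):
                specs.append(Decision(runas_users, runas_groups, cmd, password, exec_allowed))
        return specs

    def check(self, user, host, command, runas_user="root", runas_group=None):
        """Return the Decision that applies, or None if sudo would refuse. Every
        rule is scanned because a later matching rule overrides an earlier one."""
        who = {"ALL", user} | {"%" + g for g in self.user_groups.get(user, ())}
        result = None
        for users, hosts, specs in self.rules:
            if who & users and {"ALL", host} & hosts:
                for spec in specs:
                    if ({"ALL", runas_user} & spec.runas_users
                            and (not runas_group or {"ALL", runas_group} & spec.runas_groups)
                            and _cmd_matches(spec.command, command)):
                        result = spec
        return result


# Constructed sample assembled from the rules shown on this page, plus a final
# line added to show a later rule overriding an earlier one for a single user.
SAMPLE = """
User_Alias GROUPONE = abby, brent, carl
User_Alias GROUPTWO = brent, doris, eric
User_Alias GROUPTHREE = doris, felicia, grant
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
Runas_Alias WEB = www-data, apache
%sudo ALL = (ALL:ALL) ALL
GROUPTWO ALL = /usr/bin/apt-get update
GROUPTHREE ALL = POWER
GROUPONE ALL = (WEB) ALL
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
GROUPTWO ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
carl ALL = NOEXEC: /usr/bin/less
carl ALL = PASSWD: /usr/bin/updatedb  # constructed: carl must enter a password again
"""


def load_sample():
    """Parse SAMPLE; 'alice' is in the sudo group, as after Method 3's usermod."""
    return Sudoers(SAMPLE, user_groups={"alice": {"sudo"}})
```

Calling `load_sample().check("brent", "web1", "/usr/bin/apt-get upgrade")` returns None because the rule lists `apt-get update` with an argument, so only that exact invocation matches; `check("carl", "web1", "/usr/bin/updatedb")` returns a Decision with `password=True` even though GROUPONE has NOPASSWD for that command, because the later carl-specific rule wins; and `check("abby", "web1", "/bin/ls")` returns None while the same call with `runas_user="www-data"` succeeds, showing the effect of the Runas alias.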
Miscellaneous Information:
There are a few more pieces of information that may be useful when dealing with sudo.
If you specified a user or group to run as in the configuration file, you can execute commands as those users by using the -u and -g flags, respectively:
sudo -u run_as_user command
sudo -g run_as_group command
For convenience, by default, sudo will save your authentication details for a certain amount of time in one terminal. This means you won’t have to type your password in again until that timer runs out.
For security purposes, if you wish to clear this timer when you are done running administrative commands, you can run
sudo -k
If, on the other hand, you want to prime the sudo command so that you won't be prompted later, or to renew your sudo lease, you can type:
sudo -v
You will be prompted for your password, which will be cached for later sudo uses until the sudo time frame expires.
If you simply want to know what privileges are defined for your user, you can type:
sudo -l
The above command lists all the rules in the /etc/sudoers file that apply to your user. This gives you a good idea of what you will or will not be allowed to do with sudo as any of the listed users.
Often you will execute a command and it will fail because you forgot to preface it with sudo. To avoid re-typing the command, you can use the bash history expansion `!!`, which repeats the last command:
sudo !!
Conclusion
Granting superuser privileges is an important aspect of Linux administration, and the methods above suit different preferences and system requirements. Whether you use visudo for safe editing or usermod for a quick group addition, these methods let users perform administrative tasks responsibly and easily without giving up system security.