What is sudo (and su)? Obtaining administrator rights


Every Linux system has one privileged user, root. This user may perform any action: delete any file, change any setting. There is practically no way to limit what root can do. All other users, on the other hand, lack most administrative rights, such as the right to install packages, because that is an administrative operation reserved for root. Another common operation available only to the superuser is copying or modifying files in system directories that an ordinary user cannot write to.

Previously this was solved simply: if you knew the root password, you logged in under that account or temporarily took its rights with the su command, did the necessary work and switched back to the normal user. The scheme works, but it has serious drawbacks; in particular, there is no practical way to limit the administrative privileges to a particular set of tasks, and everyone who needs them has to share the root password.

Therefore modern Linux distributions use the sudo utility for administration instead of working under the root account.

In Ubuntu the root account is disabled by default: it exists in the system, but it has no password, so nobody can log into it or switch to it with su until it is enabled. If you want to be able to use root directly, see the section on enabling the root account below.

What is sudo

sudo is a utility that grants root privileges for individual administrative operations according to its configuration. It lets you control precisely who may run which privileged programs. By default, when Ubuntu is installed, the first user (the one created during installation) is given full sudo rights, so in practice that user can do everything root can. This behaviour is easy to change; see the section on configuring sudo below.

Where is sudo used?

sudo is used whenever you start something from the System > Administration menu. For example, when you launch Synaptic you are asked for your password: Synaptic is a package manager, so running it requires administrator rights, which you obtain through sudo by entering your own password.

However, not all programs that require administrative privileges are started through sudo automatically; usually you have to launch them with administrator rights yourself.

Running graphical programs with administrator rights

To launch graphical programs with administrator rights, you can use the program launch dialog, which is called up by default by the keyboard shortcut Alt + F2.

Suppose you need to start the Nautilus file manager with administrator rights in order to change the contents of system directories through the graphical interface. Enter the following in the run dialog:

gksudo nautilus

gksudo can be replaced with gksu, and KDE users should use kdesu instead. You will be asked for your password and, if you have the necessary rights, Nautilus starts as root. Any graphical program can be started with administrator rights by entering in the run dialog

gksudo <command_name>

gksudo exists so that a graphical program gets a proper root environment; starting such programs with plain sudo on older releases could leave root-owned files (for example .ICEauthority) in your home directory and break your own desktop session. (gksu and gksudo are no longer shipped in current Ubuntu releases; there, use pkexec or sudo -H.)

Be extremely careful in applications running with administrator rights. Every operation is carried out without any warning from the system, including deleting system files and rendering the system unbootable.

Running programs with administrator rights in the terminal

To run a command in a terminal with administrator rights, simply type sudo in front of it:

sudo <command>

You will be asked for your password. Nothing is displayed while you type it, not even asterisks; this is normal and done for security reasons, so just type it to the end and press Enter. After that the command runs as root.

The system remembers the entered password for a while (it keeps the sudo session open), so subsequent sudo invocations may not ask for it again. To close the sudo session immediately, type in the terminal

sudo -k

Another common mistake involves pipes and redirections. In the command

sudo cat test.txt | grep text > result.txt

only cat runs as root: the pipe, grep and the redirection into result.txt are set up by your own shell with your own rights, so the write into result.txt fails if it is in a location you cannot write to. Either put sudo in front of each command that needs it (for example | sudo tee result.txt), run the whole pipeline inside a root shell with sudo sh -c '...', or temporarily switch to the superuser as described below.
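The three forms side by side, as an added example that is not part of the original page: a small POSIX shell script in which the faulty pipeline from above is kept for comparison and the two correct forms are written as functions. The SUDO variable is an assumption of this example; leave it unset for real use (it expands to sudo), or set SUDO=env to run the functions without privileges on any machine.

```shell
#!/bin/sh
# Added example: a pipeline that needs root for more than its first command.
# SUDO is an assumption of this example: leave it unset for real use (it expands to "sudo"),
# or set SUDO=env to exercise the functions without privileges.

# WRONG: only `cat` runs as root. `grep` and the "> dst" redirection are performed by the
# caller's shell with the caller's rights, so the write fails when dst is a system path.
grep_to_file_wrong() {
    ${SUDO-sudo} cat "$1" | grep -- "$2" > "$3"
}

# RIGHT (1): hand the whole pipeline to a root shell. File names and pattern are passed
# as positional parameters ($1..$3 inside sh -c), never spliced into the command string,
# so a pattern containing quotes or ';' is data, not a second command.
grep_to_file_rootshell() {
    ${SUDO-sudo} sh -c 'cat "$1" | grep -- "$2" > "$3"' sh "$1" "$2" "$3"
}

# RIGHT (2): keep the filter unprivileged and escalate only the read and the write.
# tee runs as root and owns the output file; its stdout is discarded.
grep_to_file_tee() {
    ${SUDO-sudo} cat "$1" | grep -- "$2" | ${SUDO-sudo} tee "$3" > /dev/null
}
```

Whichever correct form you use, the bytes written to the target still come from an unprivileged grep; what you have escalated is only the right to read the source and write the destination. The sh -c form is the one to prefer when the pattern or file names come from elsewhere, because the quoting cannot be broken by their contents.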

Gaining superuser rights to run multiple commands

Sometimes several commands in a row must be run with administrator rights. You can then become the superuser temporarily with one of these commands:

sudo -s
sudo -i

This puts you into a root shell (subject to the restrictions configured in sudo), as indicated by the # at the end of the prompt. Both are similar in effect to su, except that:

  • sudo -s does not change the home directory to /root; HOME stays the calling user's home directory, which is usually convenient.
  • sudo -i also changes the home directory to /root and starts a login shell, i.e. a clean root environment.

To exit back to normal user mode, type exit or simply press Ctrl + D.

Using a traditional root account and the su command

Unlocking the root account adds unnecessary risk: working as root all the time, you have countless ways to “shoot yourself in the foot”, and an attacker who learns the root password gets direct access to everything, whereas sudo use is logged per user.

Ubuntu 11.04 and earlier

To log in as root, just give it a password:

sudo passwd root

Then on the login screen click Other... and enter the user name (root) and the password you set.

Ubuntu 11.10 and later

Starting with version 11.10 the lightdm login manager is used, and logging in as root takes a little more work.

1. Set the root password. Enter in terminal:

sudo passwd root

2. Turn on the “Enter login” item. Enter in terminal:

gksu gedit /etc/lightdm/lightdm.conf

At the end of the file add:

greeter-show-manual-login=true

3. Restart lightdm. Enter in terminal:

sudo service lightdm restart

That’s it, the “Login” item will appear on the login screen. In the login field we enter “root”, in the password field - the password that we set in the first stage.

To lock the root account again, revert the change to the lightdm settings and lock the account with the following command in the terminal:

sudo passwd -l root

Setting up sudo and permissions to run various commands

sudo lets you allow or deny particular users the right to run a particular set of programs. All settings related to access rights are stored in the file /etc/sudoers. This is not an ordinary file: to edit it you must (for security reasons) use the command

sudo visudo

which checks the syntax before the new version is installed, so that a typo cannot lock you out of administration.

By default, it says that all members of the group admin have full access to sudo, as indicated by the line

%admin ALL=(ALL) ALL

You can read more about the syntax and configuration options of this file by running

man sudoers

If you make a mistake editing this file you may lose all access to administrative functions. In that case boot into recovery mode, where you get administrator rights automatically, and fix the file; it can also be edited from a LiveCD.

Allow a user to execute a command without entering a password

To stop the system asking for a password for particular commands, add to sudoers, after the line # Cmnd alias specification, a line listing the desired commands with their full paths, separated by commas (a command's full path can be found with which command_name):

# Cmnd alias specification
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /usr/sbin/pm-hibernate, /sbin/reboot

and add the following line at the end of the file:

username ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

Attention! These steps do not remove the need to put sudo in front of your command. Choose such commands carefully: anything that can start a shell or an editor, or write an arbitrary file, gives the user full root without a password.

Creating synonyms (aliases)

To avoid not only the password prompt but also typing sudo at all, open the .bashrc file in your home directory

nano ~/.bashrc

and add the following lines at the end (no spaces around =, otherwise bash does not define the alias):

alias reboot="sudo reboot"
alias poweroff="sudo poweroff"
alias pm-hibernate="sudo pm-hibernate"
alias hibernate="sudo pm-hibernate"
alias shutdown="sudo shutdown"

The aliases take effect in new interactive shells (or after source ~/.bashrc) and are not used by scripts.

The validity period of the entered password

Perhaps you want to change how long sudo keeps working without asking for the password again. Add something like the following to /etc/sudoers (with visudo):

Defaults:foo timestamp_timeout=20

Here sudo remains valid for the user foo without a password prompt for 20 minutes. If sudo should always ask for a password, set timestamp_timeout to 0; a negative value means the timestamp never expires until reboot, which is a bad idea.

sudo doesn't ask for password

sudo without a password is a serious security hole: any process running under your account, including malware you launched by mistake, can become root silently. If you enabled it deliberately, put it back immediately.

Sometimes, however, sudo stops asking for a password on its own. Running visudo, you may find a line like this, which you did not add:

ALL ALL=(ALL) NOPASSWD:ALL

Most likely this disastrous line was added when installing a program such as Connect Manager from MTS or Megafon. Change it to a line that allows only that program to be run as root, something like:

username ALL=(root) NOPASSWD: /path/to/program

Check the result with sudo -l, which lists the rules in effect for the current user.
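As an added example that is not part of the original page, the following POSIX shell script does the checks a practitioner runs before trusting a sudoers change, and it serves both the NOPASSWD rule described earlier and the "stops asking for a password" problem above: it flags the grants that silence the password prompt for everything (a rule whose user field is ALL, a NOPASSWD: ALL tag, or Defaults !authenticate), builds the narrow replacement rule for one user and one program, and syntax-checks a staged file with visudo -c -f when visudo is installed. The user name cmuser and the path /opt/connect-manager/cm in the comments are placeholders invented for this example.

```shell
#!/bin/sh
# Added example: audit a sudoers file (or /etc/sudoers.d fragment) for rules that make sudo
# stop asking for a password, and build the narrow replacement rule. Runs without root.

# audit_sudoers_file FILE
# Exit 0 (a finding) if FILE contains a rule of the shape "ALL ALL=..." (any user),
# a "NOPASSWD: ALL" tag (any command without a password) or "Defaults !authenticate"
# (no password for anybody). Comment and blank lines are ignored. Exit 1 if clean.
audit_sudoers_file() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/            { next }   # comments and blank lines
        /^[ \t]*Defaults.*!authenticate/    { bad++ }  # password checking switched off globally
        /^[ \t]*Defaults/                   { next }   # other Defaults lines are not grant rules
        /^[ \t]*ALL[ \t]/                   { bad++ }  # user field is ALL: every account
        /NOPASSWD[ \t]*:[ \t]*ALL([ \t]|$)/ { bad++ }  # NOPASSWD applies to every command
        END { exit (bad > 0 ? 0 : 1) }
    ' "$1"
}

# render_nopasswd_rule USER ABSOLUTE_PATH
# Print the least-privilege replacement for a blanket NOPASSWD rule: one user, one program,
# run as root only. Refuses relative paths (sudoers needs full paths) and wildcards
# (which silently widen the grant to anything that matches).
render_nopasswd_rule() {
    case $2 in
        /*) ;;
        *)  echo "render_nopasswd_rule: not an absolute path: $2" >&2; return 1 ;;
    esac
    case $2 in
        *[*?]*) echo "render_nopasswd_rule: wildcards not allowed: $2" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# check_sudoers_syntax FILE
# Syntax-check a staged file without installing it. visudo -c -f FILE exits non-zero on a
# parse error; when visudo is not installed the check is skipped with a warning rather
# than silently passing.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "check_sudoers_syntax: visudo not found, syntax of $1 not verified" >&2
        return 2
    fi
}

# Typical use (as root, placeholder names): stage a drop-in, audit and syntax-check it,
# then install it with the mode sudo requires.
#   f=$(mktemp)
#   render_nopasswd_rule cmuser /opt/connect-manager/cm > "$f"
#   ! audit_sudoers_file "$f" || { echo "refusing: blanket grant" >&2; exit 1; }
#   check_sudoers_syntax "$f" && install -o root -g root -m 0440 "$f" /etc/sudoers.d/cm
```

Run audit_sudoers_file over /etc/sudoers and every file in /etc/sudoers.d, since a vendor installer may have dropped its rule in either place. Drop-in file names containing a dot or ending in ~ are ignored by sudo, so name them plainly, and keep the 0440 mode: sudo refuses world-writable configuration.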

Separation of access rights is one of the most important security paradigms implemented in Linux and Unix-like operating systems. Regular users work with limited rights; This reduces their impact on their own environment and on the operating system as a whole.

The root user has superuser privileges. This administrator account does not have the restrictions that are present on regular user accounts. Other users may be able to run commands as root in a number of specific cases.

This guide shows how to obtain root privileges on your system properly and safely.

Note: This tutorial was performed on an Ubuntu 12.04 server; most modern Linux distributions behave similarly.

To complete the tutorial, you must first complete the initial server setup:

Login to the server as a non-root user.

How to get root rights

There are three main ways to gain superuser privileges, which vary in difficulty.

Login as root

The easiest way, of course, is to log in as root.

If connecting via SSH, provide the IP address or hostname:

ssh root@IP_address_or_domain

When prompted, enter your root password.

su command

It is not recommended to constantly use the root account, since, having absolute access rights, you can accidentally cause irreparable harm to the system.

Therefore, the system has the su command, which allows an ordinary user to obtain root rights at any time.

Note: The su command is short for substitute user.

So, to become root, just type:

su

The system asks for the root user's password and then opens a root shell session.

After finishing the tasks that require root rights, return to the previous session with:

exit

sudo command

The last way to gain root privileges is with the sudo command.

The sudo command allows you to run specific commands as root without having to open a new session.

sudo command_to_execute

Note: Unlike su, the sudo command does not ask for the root password, but rather the password of the user calling the command.

Access to sudo is not granted to every account automatically; it must be configured for each user or group. If you followed the initial server setup guide, you have already done this.

What is Visudo?

The sudo command is configured using the /etc/sudoers file.

Important! Never edit this file using a regular text editor! To do this you should use visudo.

Incorrect syntax added to this file can completely break the distribution of rights between users. Therefore, the visudo command is used to work with this file.

The visudo command opens a file in a regular text editor, but checks its syntax when saving the file. This avoids configuration errors.

Typically, visudo opens the /etc/sudoers file in the vi editor. On an Ubuntu system, visudo uses nano.

To configure the visudo command to use vi on an Ubuntu system, run the command:

sudo update-alternatives --config editor

There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                 Priority   Status
------------------------------------------------------------
* 0            /bin/nano             40        auto mode
  1            /bin/nano             40        manual mode
  2            /usr/bin/vim.basic    30        manual mode
  3            /usr/bin/vim.tiny     10        manual mode

Select the number corresponding to the text editor you want to use.

On CentOS the editor is chosen through the EDITOR variable instead; add the following line to ~/.bashrc:

export EDITOR=/path/to/editor

Reload the settings with:

. ~/.bashrc

Then open /etc/sudoers with:

sudo visudo

Editing the sudoers file

So, in the text editor of your choice, the sudoers file will open on the screen.

Below is the sudoers file of an Ubuntu 12.04 system (comment lines omitted, with the changes made during the initial server setup retained).

Note: The CentOS sudoers file is much larger; Some of its parameters are not described in this manual.

Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
demo ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL

Standard parameters

The first line, Defaults env_reset, resets the environment of the command run by sudo to a small, known set of variables, discarding the user's own ones. This eliminates the potentially harmful influence of environment variables (such as LD_PRELOAD or PATH) on the privileged command.

The second, Defaults secure_path=..., sets the PATH (the list of directories in which the OS looks for programs) used for sudo operations, so that a directory under the user's control cannot be searched for a privileged command.

User rights settings

The third and fourth lines should be familiar. You added the fourth one yourself, but perhaps without examining it in detail:

demo ALL=(ALL:ALL) ALL

  • The first field names the user to whom the rule applies (here demo).
  • The first ALL means the rule applies on all hosts.
  • The second ALL means the user may run commands as any user.
  • The third ALL means the user may run commands as any group.
  • The last ALL means the rule applies to all commands.

So root and demo can run any command via sudo after entering their own password.

Group privilege settings

The last two lines are similar to the user privilege settings, but they are responsible for group rights.

Group names begin with the % symbol.

As you can see, the admin group may run any command as any user on any host. The sudo group has the same rights and additionally may run commands as any group.

Custom rules

Once you're familiar with the basic file syntax, try creating a couple of rules yourself.

Creating Aliases

The sudoers file can be more conveniently structured using various aliases.

For example, you can create three different user groups with combined rights:

User_Alias GROUPONE = abby, brent, carl
User_Alias GROUPTWO = brent, doris, eric
User_Alias GROUPTHREE = doris, felicia, grant

Alias names must consist of uppercase letters, digits and underscores and start with an uppercase letter (a trailing comma in the list is a syntax error). You can then give GROUPTWO the right to update the apt-get package database:

GROUPTWO ALL = /usr/bin/apt-get update

If the rule omits the (user:group) part, sudo runs the command as root.

You can then allow GROUPTHREE users to shutdown and restart the machine; To do this you need to create a command alias:

Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE ALL = POWER

The POWER command alias contains commands for shutting down and restarting the machine.

You can also create a Runas alias, which replaces the part of the rule naming the user the command is executed as:

Runas_Alias WEB = www-data, apache
GROUPONE ALL = (WEB) ALL

Now any user of the GROUPONE group can execute commands in www-data or apache user sessions.

Note: when several rules match the same user, host and command, the last matching rule in the file wins, so put general rules first and specific ones after them.

Blocking rules

There are a number of ways to control how sudo behaves and responds to calls.

For example, the updatedb command in combination with the mlocate package is relatively harmless. So that an ordinary user can perform it with superuser privileges without entering a password, you can create the following rule:

GROUPONE ALL = NOPASSWD: /usr/bin/updatedb

The NOPASSWD tag means the system will not ask for a password. The opposite tag, PASSWD, is the default.

NOPASSWD applies to the rest of the rule unless a PASSWD tag overrides it. For example, the line might look like this:

GROUPTWO ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill

Another useful tag is NOEXEC, which prevents certain programs from doing something dangerous: some commands, such as less, can run other commands. At its prompt less starts any shell command when you type ! followed by the command.

That command runs with the privileges of the user running less, i.e. as root when less was started via sudo, which is very dangerous.

To prevent this, use a line like:

username ALL = NOEXEC: /usr/bin/less

NOEXEC works by blocking the exec calls of the child process (via a preloaded library, or a seccomp filter with newer sudo versions on Linux); it is a mitigation, not a sandbox, and does not help with programs that can read or write arbitrary files.

additional information

This section contains various useful tips for working with sudo.

If you configured a Runas user or group in the rule, run commands as that user or group with the -u and -g flags respectively:

sudo -u run_as_user command
sudo -g run_as_group command

By default sudo caches your credentials per terminal for a period of time, so you will not have to enter your password again during that period.

To discard the cached credentials immediately, for example before leaving the terminal, use:

sudo -k

To find out what rights a user has, enter:

sudo -l

This lists every rule in /etc/sudoers (and the files it includes) that applies to the current user.

If a normal user runs an administrative command without the sudo prefix, the command fails. To avoid retyping it, use bash history expansion:

sudo !!

The double exclamation mark is replaced by the previous command.

Conclusion

You now have basic skills with the sudoers file and root permissions.

When working with superuser rights, remember that regular users do not have such rights by default for security reasons. Do not abuse root rights, otherwise you may accidentally cause irreparable damage to the system.


As a Linux administrator I have always used both sudo and su, and as a system administrator it is very important to know the difference between them. For those who have no clear idea of the difference or keep confusing them, here is a list of 12 questions and answers intended to help you understand the subtleties of sudo and su.

NOTE- This article is specific to Ubuntu only. Although some information may apply to most popular distributions.

Sudo vs Su

This series of questions and answers should clarify some of the features of sudo vs su for many Ubuntu users.

Q1. How are sudo and su used? What is the difference between them?

Answer. sudo is used to run a particular command with root permissions. The interesting thing is that when you use sudo for a command, the system asks for the current user's password, not root's. After entering it, the command runs with superuser privileges.

Here's an example:

$ apt-get install skype
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
$ sudo apt-get install skype
password for mylinuxbook:
Reading package lists... Done
Building dependency tree
Reading state information... Done
...

As you can see, I first tried to install Skype with apt-get and got a permission denied error. Then I ran the same command under sudo, entering the password of the user mylinuxbook. After the correct password was entered, the command completed successfully.

su, on the other hand, is used to switch to any user; it asks for that user's password. Used without arguments, su switches to the root account, and the system asks for the superuser password.

Here's an example:

$ su mylinuxbook
Password:
mylinuxbook@mylinuxbook-Inspiron-1525:~$

In the example above I used su to switch to the mylinuxbook account, and after entering mylinuxbook's password I was in.

Here's another example:

$ su
Password:
su: Authentication failure

Here I ran su to obtain root from a normal user account, but it failed because no root password is set. Distributions such as Ubuntu do not set a superuser password by default; once one is set, su works with it.

Q2. What if I don't want to configure an administrator password in my Ubuntu, but still want to switch to superuser?

Answer. In this case you can use the command "sudo su". Here is an example:

$ sudo su
password for mylinuxbook:
root@mylinuxbook-Inspiron-1525:/home/mylinuxbook#

Since sudo is used to start su, the system asks for the current user's password rather than the superuser's. Once it was entered, the shell became a root shell.

Q3. What if I want to use su to navigate to other user accounts, but don't want to remember each and every user password?

Answer. In that case, use su, enter the root password and switch to root. From there, su switches to any user account without asking for a password.

Q4. If sudo is used to do something with root privileges, then why is the current user's password needed and not the root password?

Answer. It is not the case that any ordinary user can run sudo and execute commands that require superuser privileges. You, as a user, must be a sudoer as well, i.e. you must have been granted the right to use sudo. If you are a valid sudoer, the system asks for your password only to make sure it is really you, and to make you pause and double-check before doing something that requires root.

This raises the question of sudoers: how does a user become one? A user becomes a sudoer by being added to the sudo group. Here is an example:

$ sudo adduser <username> sudo

Replace <username> with the actual user name. Note that before Ubuntu 12.04 the group had to be called admin; this is no longer necessary.

You can use the "groups" command to check all the groups a user belongs to. Here is an example:

$ groups mylinuxbook
mylinuxbook : mylinuxbook adm cdrom sudo dip plugdev lpadmin sambashare

So the user "mylinuxbook" is a member of all these groups, including sudo, and is therefore a sudoer.

Q5. I noticed that as soon as I used sudo, my root permissions remained for a long time, although after a while everything returned to normal. What is this?

Answer. Ubuntu remembers the sudo password for about 15 minutes. This means that once you have used sudo to run a command, the system will not ask for the password again for other commands requiring root privileges during that time, although you still have to put "sudo" before each command.

Q6. What are the advantages of sudo over su?

Answer. Sudo has many advantages over su.

Here is the list:

  • sudo grants privileges for a specific command (and for a limited period of time), not for a whole session, which could lead to accidental misuse of superuser privileges.
  • You can use sudo to restrict user rights. This is useful when you do not want a user to have all superuser rights when working with sudo.
  • A log (auth.log) is kept for every sudoer. It records which commands were executed with sudo and when, which helps the administrator keep track even of trusted users (sudoers).
  • The biggest advantage is that sudo asks for the user's own password, not the root password. This keeps the root password private, and it does not have to be changed when a user (sudoer) leaves.

Q7. Can any user perform sudo operations?

Answer. No, only trusted users, the sudoers, can perform sudo operations. The official documentation describes how to configure what a sudoer may do.

Q8. I'm interested in su. How can I use su in a way that gives functionality similar to sudo?

Answer. If you are using su, it means a superuser password is already configured. To get sudo-like behaviour, i.e. to run just one command with root privileges using su, use the -c option of the su command.

Here's an example:

$ su -c "apt-get install skype"
Password:

Enter the password and only this command runs with superuser privileges. This is the same as with sudo, the only difference being that you enter the superuser password instead of the current user's.

Q9. I'm working with sudo. How can I use sudo in a way that gives functionality similar to su?

Answer. To get su-like behaviour from sudo, use the -i option of the sudo command.

Here's an example:

$ sudo -i
password for mylinuxbook:
root@mylinuxbook-Inspiron-1525:~#

You can see that with "sudo -i" the shell switched to the root account although the password entered was the current user's (mylinuxbook in this case).

Q10. The root password has not been set yet. Can I use sudo to set the superuser password?

Answer. To set the superuser password, use the passwd command as follows:

$ sudo passwd root

This command requires root privileges, so it has to be run with sudo.

Q12. Can I use sudo to grant specific rights to users?

Answer. The configuration file for sudo is /etc/sudoers. It must not be edited directly with an ordinary editor; use the visudo command instead.

Here's the exact command:

$ sudo visudo

visudo opens a temporary copy, /etc/sudoers.tmp, in the nano editor, checks the syntax when you save and only then replaces the real file; it also locks the file so that two concurrent edits cannot clobber each other.

To understand how to grant limited rights, see the description of the structure of this configuration file above.

The sudo command is very important for managing access rights in Linux. Thanks to this small command you can grant other users the right to perform particular actions on behalf of the administrator without giving them the superuser password itself, and you do not need to stay logged in as the superuser in order to perform administrative actions occasionally.

It seems a tiny command with a minimum of features and the simplest possible usage, but in fact it can do a great deal more. In this article we look at how sudo is configured in Linux to control access to system functions and user capabilities.

How does sudo work?

Before moving on to configuring access to the sudo utility, let's look at how it works. There are two ways to gain administrator rights in Linux: switch to the root user with the su command, or pass the desired command as a parameter to the sudo utility, which executes it with administrator rights. The second way is preferable, because you cannot forget that you are using root rights and do something unnecessary.

The name stands for "substitute user do" (or "superuser do"). The utility allows programs to be run as another user, most often root. It was written in 1980 by Bob Coggeshall and Cliff Spencer; since then many developers have worked on it and many features have been added.

sudo works thanks to the SUID (set-user-ID) permission bit. If this bit is set on an executable, it runs not with the rights of the user who launched it but with those of the file's owner; the sudo binary is owned by root, so the utility runs as root. It then reads its configuration, asks for the user's password and decides whether this user may run the requested command as an administrator. If so, the command passed as the parameter is executed.
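The permission checks behind that explanation, as an added example that is not part of the original article: a POSIX shell script that confirms sudo's own binary is owned by root with the set-user-ID bit (without that combination sudo cannot escalate at all) and lists every other setuid-root file under a directory, which is the baseline audit for local privilege escalation. Paths are discovered at run time; nothing in it is specific to the article.

```shell
#!/bin/sh
# Added example: the file-permission checks behind the SUID explanation above.
# Nothing here comes from the article; paths are discovered at run time.

# is_setuid PATH       : exit 0 if PATH has the set-user-ID bit (mode 04000) set
# is_setuid_root PATH  : exit 0 if it is set-user-ID *and* owned by root, which is the
#                        combination that makes a program run as root for whoever runs it
is_setuid()      { [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]; }
is_setuid_root() { [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]; }

# check_sudo_binary: sudo itself must be setuid root, otherwise it cannot escalate at all
# (a common breakage after a careless chmod -R or a copy that dropped the bit).
check_sudo_binary() {
    p=$(command -v sudo) || { echo "sudo is not installed" >&2; return 2; }
    if is_setuid_root "$p"; then
        echo "$p is setuid root"
    else
        echo "$p is NOT setuid root: $(ls -l "$p")" >&2
        return 1
    fi
}

# list_setuid_root DIR: the classic baseline audit. Every file printed runs as root for
# any local user, so each one is part of the local privilege-escalation attack surface;
# diff the output against a known-good list after package installs.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}
```

list_setuid_root / is the usual starting point; the output should be short and every entry explainable (sudo, su, passwd, mount and a handful of others). A new entry after a package install is worth a look, and a copy of a shell or an editor in that list is an immediate root for every local account.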
Now that you know the theory, let's look at how to configure sudo on Linux.

Setting up sudo on Linux

All sudo settings are in the file /etc/sudoers. Here you can configure many parameters, from who is allowed to run commands on behalf of the superuser to restricting the set of available commands.

To open the file for editing, run the following command as the superuser:

# visudo

You can also choose the text editor in which to edit the configuration file:

# EDITOR=nano visudo

Next we look at the most interesting settings you can make in this file. But first, the basic file syntax. It consists of two kinds of lines: aliases, which define named lists of users, hosts and commands, and the rules themselves, which define how sudo behaves. The alias syntax looks like this:

type alias_name = element1, element2, element3

The type specifies what kind of alias is created, the name is the name by which it will be referred to, and the list gives the elements that are meant when that name is used.

A user permission rule has a slightly different syntax:

user host = (other_user:group) commands

user is the user or group for which the rule is created, host is the computer on which the rule applies, other_user is the user the first one may run commands as, and commands are the commands allowed. An alias can be used in place of any of these. Now on to configuring sudo in Debian and other distributions.

    Main settings

    The Defaults alias allows you to set standard parameters for the utility’s operation, which we will consider in this section. Such an alias begins with the word Defaults, followed by the name of the flag. If there is a ! symbol in front of the name, this means that the flag needs to be turned on; otherwise, turn it off:
    Disable the introduction the first time you use it:

    Defaults!lecture


    The superuser cannot do sudo:

    Defaults !root_sudo



    Now if you try to run sudo sudo nothing will work:


    Change the home directory for the target user, leaving the current user's folder as the home directory by default:

    Defaults set_home



    Save the list of groups of the current user:

    Defaults !preserve_groups



    Request superuser password instead of user password:



    Next, let's look at the variables that you can set values ​​to set the desired settings:
    Set the number of password attempts before sudo quits, default is 3:

    Defaults passwd_tries=5





    The number of minutes that will pass before sudo asks for a password again is 5 by default. If you set the value to 0, it will always ask for a password, no matter how long ago you used the utility:

    Defaults timestamp_timeout=10



    The following parameter specifies the number of minutes that sudo will wait for a password to be retyped if it is entered incorrectly:

    Defaults passwd_timeout=10



    You can change the message that is displayed when prompted for a password:

    Defaults passprompt="Your password:"


    You can specify another user, not root, from which all commands will be executed, for this use:

    Defaults runas_default="user"

    You can log every sudo invocation, granted or refused, to a file of your own:

    Defaults logfile=/var/log/sudo



    Then we check that the log is being written:

    $ sudo cat /var/log/sudo
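    Once logging is on, the file can be reviewed automatically. The following Python example is added here and is not from the article: it parses constructed entries laid out the way sudo writes them to the file named by Defaults logfile (hostname logging off; the layout is assumed from sudo's logfile output) and flags refused attempts and granted interactive root shells, which defeat any command-level restriction.

```python
import re

# Constructed entries in the layout sudo writes to the file named by
# "Defaults logfile=" (hostname logging off); not taken from a real system.
SAMPLE_LOG = """\
Mar 15 10:22:01 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt
Mar 15 10:23:11 : bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 15 10:24:00 : carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar 15 10:25:30 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# A refused attempt carries a reason between the user name and the TTY field.
ENTRY_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]+) : (?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse_sudo_log(text):
    """Return one dict per entry; 'reason' is None when the command was granted."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

# Interactive shells: once granted as root, a Cmnd_Alias allow-list is moot.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

def review(text):
    """Flag refused attempts and granted root shells as (kind, user, detail, cmd)."""
    findings = []
    for e in parse_sudo_log(text):
        program = e["cmd"].split()[0]
        if e["reason"]:
            findings.append(("denied", e["user"], e["reason"], e["cmd"]))
        elif program in SHELLS and e["target"] == "root":
            findings.append(("root-shell", e["user"], e["tty"], e["cmd"]))
    return findings
```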



    Those were the most interesting sudo settings you are likely to need; next we'll look at how to grant sudo access rights to users.

    Setting up sudo users

    We covered the syntax of user rules above; it is more involved than the aliases, but easy enough to follow. For example, let's allow any user, from any host, to execute any command as any user:

    ALL ALL = (ALL) ALL



    Such a rule is very unsafe: it allows everyone everything. The first ALL admits all users, the second ALL covers all hosts, the third ALL allows running as any user, and the fourth allows any command to be executed. A different construction is used much more often:

    %wheel ALL = (ALL) ALL


    It means the same as the previous one, only here we do not allow all users to use sudo, but only those who are members of the wheel group.

    %wheel ALL = (root) ALL

    Here we have restricted the target user to root only. You can also specify the group on whose behalf commands may be run:

    %wheel ALL = (root:admins) ALL



    This means that the command can be run as root or as another user from the admins group. We can also restrict the commands a user may execute, and aliases keep such rules short. Recall the alias types:
  • User_Alias - alias for a list of users;
  • Runas_Alias - alias for the users on whose behalf commands will be executed;
  • Host_Alias - host alias;
  • Cmnd_Alias - command alias.

    For example, let's create four aliases and use them in our rule:

    User_Alias Users = user1,user2,user3
    Runas_Alias Admins = root,admin
    Host_Alias Hosts = host1,host2
    Cmnd_Alias Cmds = /bin/mount,/bin/umount

    Users Hosts = (Admins) Cmds

    This means that users from the Users list will be able to execute the Cmds commands on behalf of the Admins users on the Hosts hosts.
    A few words remain to be said about tags. The NOPASSWD tag means no password is asked for when this rule is used. For example, to allow all users to run the mount command with sudo without a password:

    ALL ALL = (root) NOPASSWD: /bin/mount

    The NOEXEC tag does not block the command itself; it stops the command from launching further programs (for example a shell escape from an editor or pager), which matters for any command that can spawn a subprocess:

    ALL ALL = (root) NOEXEC: /bin/mount

    You can check whether the /etc/sudoers file was configured correctly and see all the created rules using the command:


    All installed flags and settings are displayed here, as well as the permissions of this user.
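    To audit such rules offline, here is an added Python example (not code from the article) that parses a constructed sudoers fragment built from the aliases and rules above and answers "may this user, on this host, run this command as that target?", applying sudo's last-match-wins rule and reporting the NOPASSWD/NOEXEC tags of the winning rule. It handles one level of alias expansion and the four-field rule syntax the article describes, nothing more.

```python
import re

# Constructed sudoers fragment from the article's aliases and rules (example data only).
SUDOERS = """
User_Alias  Users  = user1,user2,user3
Runas_Alias Admins = root,admin
Host_Alias  Hosts  = host1,host2
Cmnd_Alias  Cmds   = /bin/mount,/bin/umount
Users Hosts = (Admins) Cmds
%wheel ALL = (root) ALL
ALL ALL = (root) NOPASSWD: /bin/mount
"""

def parse_sudoers(text):
    """Return (aliases, rules); each rule is (users, hosts, runas, tags, cmds)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        if line.split()[0].endswith("_Alias"):           # User_/Runas_/Host_/Cmnd_Alias
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$", line)
        if not m: raise ValueError("unparsable rule: " + line)
        who, host, runas, spec = m.groups()
        tags = set()
        while (t := re.match(r"^([A-Z]+):\s*", spec)):   # NOPASSWD:, NOEXEC:, ...
            tags.add(t.group(1))
            spec = spec[t.end():]
        # An omitted (runas) part means the runas_default target, root unless changed
        rules.append((who, host, runas or "root", tags, spec))
    return aliases, rules

def _matches(field, candidates, aliases):
    """True if any comma-separated item of field (alias-expanded) is ALL or a candidate."""
    values = set().union(*(aliases.get(f.strip(), {f.strip()}) for f in field.split(",")))
    return "ALL" in values or bool(values & candidates)

def check(text, user, groups, host, target, cmd):
    """(allowed, tags) for user (in groups) on host running cmd as target; last match wins."""
    aliases, rules = parse_sudoers(text)
    result = (False, set())
    for who, hosts, runas, tags, cmds in rules:
        if (_matches(who, {user} | {"%" + g for g in groups}, aliases)
                and _matches(hosts, {host}, aliases)
                and _matches(runas, {target}, aliases)
                and _matches(cmds, {cmd}, aliases)):
            result = (True, tags)
    return result
```

    Note how the catch-all NOPASSWD rule at the end overrides the password requirement of the alias rule for /bin/mount, which is exactly the kind of interaction an audit should surface.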

    Conclusions

    In this article we looked at how to configure sudo in Linux. As you can see, despite the fact that this is a very simple utility, it hides a lot of useful settings that you can use on your system. If you have any questions, ask in the comments!

    Sometimes, you just need to run a command from another user. And there are several ways how this can be done. I will talk about them in my article “Run a command as another user in Unix/Linux”.

    Run a command as another user in Unix/Linux - method 1

    So, you can use the sudo utility. Let's look at an example:

    $ sudo -H -u Your_another_user sh -c "ping site"

    Explanations:

    • -H: sets HOME to the home directory of the target user (the target user is root unless -u is given).
    • -u YOUR_USER: the user the command will be executed as.
    • sh -c YOUR_COMMAND: sudo has no option of its own for passing a command string, so the command is handed to a shell; a plain command can also simply follow the user name as arguments.

    Something like this.

    Run a command as another user in Unix/Linux - method 2

    You can use the SU utility. And now I will give a few examples.

    Login as root user

    To get root, run:

    $ su - root

    Run the command as root user

    Here is an example command:

    # su - root -c "YOUR_COMMAND_HERE"

    # su - -c "YOUR_COMMAND_HERE arg1"

    Execute a command from another user using su

    So, here's an example:

    # su -c "/opt/solr/bin/solr create -c test_solr_core -n solrconfig.xml" -s /bin/sh solr
    Created new core "test_solr_core"

    Let's look at another example:

    $ su another_user -c "ping site"

    $ su - YOUR_USER -c "YOUR_COMMAND_HERE"

    • - : simulates a full login of the specified user (environment reset as at login).
    • -c : specifies the command to be executed (as the specified user).

    Something like this.

    Run a command as another user in Unix/Linux - method 3

    And so, you can use the runuser utility. The runuser command starts a shell with replacement user and group IDs. This command is only useful when you are logged in as root. The syntax is as follows:

    # runuser -l YOUR_USER -c "YOUR_COMMAND_HERE"

    As an example, I'll show the following line:

    # runuser -l nginx -c "service nginx start"

    PS: The runuser command does not require a password and should only be run by the root user.

    Main options:

    • -l: start a login shell, using the runuser-l PAM file instead of the default one.
    • -g: sets the primary group.
    • -G: adds a supplementary group.
    • -c: specifies the command to run.
    • --session-command=COMMAND: passes a single command to the shell with the -c option but does not create a new session.
    • -m: do not reset environment variables.

    That's it, the topic "Run a command as another user in Unix/Linux" is complete.





    

    2024 gtavrl.ru.