sudo install, usage and sudoers config file basics

What if you want one user to run a command as another system user without exchanging passwords? For example, you may want a user john to run a find command or a custom bash shell script as a user greg, or even as the root user (superuser), without handing over that user's password. In this case the sudo utility and its /etc/sudoers configuration file will be your friend. This utility is very widely used, but at the same time very little understood by Linux users of all levels.

This short article describes some basics of sudo usage and the format of the sudoers configuration file.

sudo install

First we need to make sure that sudo and its configuration file /etc/sudoers are available. To do that run:

$ which sudo

or

$ sudo -V

The first command should reveal the location of the sudo binary and the second will print the version number of the sudo command itself. The sudo configuration file, sudoers, is in most cases located at /etc/sudoers. You can use the ls command to locate this file.

$ ls -l /etc/sudoers
-r--r----- 1 root root 481 2010-04-08 21:43 /etc/sudoers

Note the default, and required, permissions of the /etc/sudoers file: only the root user and members of the root group are able to read it.

$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied

If you had problems executing the above commands, chances are that sudo is not installed on your system. This is very unlikely if you are running Ubuntu, Fedora or OpenSuSE, as the sudo utility is installed by default. If you are running Debian, execute the following command to install the sudo utility:

NOTE: it is very unlikely that the sudo utility is not installed on your system, as most decent Linux distributions install it by default.

# apt-get install sudo

For yum (RPM) based distributions use this command to install sudo:

# yum install sudo


Executing bash script using sudo

Let’s create a simple bash script that will give us a basic test environment for the sudo command. The following commands create a script called sudo_test.sh in the /usr/local/bin directory and make it executable (note the single quotes in the first echo: they stop the root shell from expanding $$ while the file is written, so the script looks up its own process ID each time it runs):

$ su -
Password:
# cd /usr/local/bin/
# echo 'ps aux | grep $$' > sudo_test.sh
# echo "touch /tmp/sudo_file.tmp" >> sudo_test.sh
# chmod +x sudo_test.sh

This script does nothing except print the ps entry for its own process ID, and therefore the user that owns the process, on standard output, and at the same time create a file called sudo_file.tmp in the /tmp/ directory. Now we execute this script as the root user and check the owner of the process.

./sudo_test.sh 
[1] 3513
/usr/local/bin# ps aux | grep 3513
root      3513  0.0  0.1   4260   908 pts/4    S    16:32   0:00 bash
root      3516  0.0  0.0   1700   268 pts/4    R+   16:32   0:00 grep 3513

As you can see, process ID 3513 is owned by the root user. Furthermore, by running the ls command we can see that the file /tmp/sudo_file.tmp is owned by root.

# ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 root root 0 2010-08-29 17:31 /tmp/sudo_file.tmp

Let’s remove the /tmp/sudo_file.tmp file and try to execute this very same script as another user named “lilo”. Note the script’s permissions in the ls -l output.

$ whoami
lilo
$ ls -l /usr/local/bin/sudo_test.sh
-rwxr-xr-x 1 root root 44 2010-08-29 17:31 /usr/local/bin/sudo_test.sh
$ /usr/local/bin/sudo_test.sh
root      3502  0.0  0.3   4260  1744 pts/4    S+   16:31   0:00 bash
lilo      3773  0.0  0.1   3116   720 pts/5    R+   17:36   0:00 grep 3502
$ ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 lilo lilo 0 2010-08-29 17:36 /tmp/sudo_file.tmp

As you can see, the script is executed by the lilo user and the owner of the process is lilo as well. The file created in the /tmp/ directory is owned by lilo too. Before you continue, please remove the /tmp/sudo_file.tmp file.

Give sudo permissions to a user

Our next task is to allow the lilo user to execute the /usr/local/bin/sudo_test.sh script with root privileges without giving away the root credentials. To do this we need to edit the sudo configuration file, /etc/sudoers. Since even root has only read access to /etc/sudoers and we do not want to change that, we use the visudo command as root; visudo locks the file while it is being edited and checks the syntax before saving, so a typo cannot leave sudo unusable. Add the following line to the file:

lilo    ALL=(root) /usr/local/bin/sudo_test.sh
  • lilo: the user who is granted permission to execute the /usr/local/bin/sudo_test.sh script
  • ALL: the host list; ALL matches any hostname, so the rule applies on every host that shares this sudoers file
  • (root): the command will be run with root privileges
  • /usr/local/bin/sudo_test.sh: the actual command
  • Because sudo runs exactly this file as root, the file must stay owned by root and must not be writable by lilo (compare the -rwxr-xr-x root root permissions shown earlier); a user who can edit a script listed in sudoers can make it do anything as root
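To check a rule like the one above before it goes into /etc/sudoers, here is an added example in POSIX shell (not code from the original article): it renders the rule in sudoers syntax (including the NOPASSWD form used later in this article), verifies that the target script is root-owned and not writable by group or others, verifies the 0440 mode of /etc/sudoers shown earlier, and, where visudo is available, parses the candidate rule with visudo -c -f. The function names and the use of ls/awk to read ownership and mode are this example's own choices.

```shell
# Added example, not code from the original article. Function names
# (sudoers_rule, writable_by_others, check_rule_target, check_sudoers_file)
# are this example's own; ownership and mode are read with ls -ldn.

# Print "USER    ALL=(RUNAS) [NOPASSWD:]COMMAND" in sudoers syntax.
sudoers_rule() {                         # args: user runas command [nopasswd]
    if [ "$4" = "nopasswd" ]; then
        printf '%s    ALL=(%s) NOPASSWD:%s\n' "$1" "$2" "$3"
    else
        printf '%s    ALL=(%s) %s\n' "$1" "$2" "$3"
    fi
}
# Return 0 if FILE is writable by its group or by others: characters 6 and 9
# of the ls mode string (-rwxrwxrwx) are the group and other write bits.
writable_by_others() {
    mode=$(ls -ldn "$1" | cut -c1-10) || return 2
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}
# A command that sudo runs as another user must exist, be owned by the
# expected uid (0 = root, as in the article) and not be writable by the
# users allowed to invoke it; otherwise they could change what it does.
check_rule_target() {
    file=$1; want_uid=${2:-0}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    uid=$(ls -ldn "$file" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] || { echo "uid $uid, want $want_uid: $file" >&2; return 1; }
    if writable_by_others "$file"; then echo "group/other writable: $file" >&2; return 1; fi
}
# /etc/sudoers itself must keep mode 0440 (-r--r-----), as shown earlier;
# sudo refuses to run when the file is writable or wrongly owned.
check_sudoers_file() {
    mode=$(ls -ldn "${1:-/etc/sudoers}" | cut -c1-10) && [ "$mode" = "-r--r-----" ]
}

main() {
    cmd=/usr/local/bin/sudo_test.sh
    check_rule_target "$cmd" 0 || return 1
    rule=$(sudoers_rule lilo root "$cmd")
    tmp=$(mktemp) && printf '%s\n' "$rule" > "$tmp"
    # visudo -c -f parses a candidate file without touching /etc/sudoers
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" && echo "rule parses; add it to /etc/sudoers with visudo"
    fi
    rm -f "$tmp"
}
main || echo "not safe to add this rule" >&2
```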


As a result, when we now execute the /usr/local/bin/sudo_test.sh script as the lilo user through the sudo command and enter lilo’s password:

$ rm /tmp/sudo_file.tmp
$ sudo /usr/local/bin/sudo_test.sh
[sudo] password for lilo:
root      3502  0.0  0.3   4260  1744 pts/4    S    16:31   0:00 bash
root      3793  0.0  0.1   3116   720 pts/5    S+   17:46   0:00 grep 3502
$ ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 root root 0 2010-08-29 17:46 /tmp/sudo_file.tmp

the process ID 3502 is owned by root and the owner of /tmp/sudo_file.tmp is the root user. Moreover, if you want the lilo user to execute the /usr/local/bin/sudo_test.sh script as a user “john” instead, simply alter the /etc/sudoers config file with visudo and replace (root) with (john).

sudo without password

When a sudo command is executed the user is asked for a password. This default behaviour of sudo can be changed by editing the /etc/sudoers config file. If we do not want to be asked for a password, we alter /etc/sudoers by changing the line:

lilo    ALL=(root) /usr/local/bin/sudo_test.sh

with

lilo    ALL=(root) NOPASSWD:/usr/local/bin/sudo_test.sh

sudo password timeout

The number of minutes before sudo asks a user for a password again is 15 by default. This behaviour can be changed with the timestamp_timeout directive in /etc/sudoers. To increase the sudo password timeout to 60 minutes we add the timestamp_timeout directive to /etc/sudoers by changing the line:

Defaults        env_reset

to

Defaults        env_reset, timestamp_timeout=60

Learn more about sudo

Note that there is much more to be learned about the sudo command and its capabilities. A good way to discover more is to start with:

man sudo

or, for the format of the sudoers config file:

man sudoers