What if you want one user to run a command as another system user without exchanging passwords? For example, you may want the user john to run a find command or a custom bash shell script as the user greg, or even as the user root (superuser), without any password exchange. In this case the sudo utility and its /etc/sudoers configuration file will be your friend. This utility is very widely used but at the same time very little understood by Linux users of all levels.
This short article describes some basics of sudo usage and the format of the sudoers configuration file.
First we need to make sure that sudo and its configuration file /etc/sudoers are available. To do that run:
$ which sudo
$ sudo -V
The first command should reveal the location of the sudo binary and the second will output the version number of the sudo command itself. The sudo configuration file sudoers is in most cases located at /etc/sudoers. You can use the ls command to locate this file.
$ ls -l /etc/sudoers
-r--r----- 1 root root 481 2010-04-08 21:43 /etc/sudoers
Note the default and "must be" permissions of the /etc/sudoers file: only the user root and users who belong to the root group are able to read this file.
$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
If you had problems executing the above commands, chances are that sudo is not installed on your system. This is very unlikely if you are running Ubuntu, Fedora or OpenSuSE, as the sudo utility is installed on those systems by default. If you are running Debian, execute the following Linux command to install the sudo utility:
NOTE: it is very unlikely that the sudo utility is not installed on your system, as most decent Linux distributions install it by default.
# apt-get install sudo
For yum (RPM) based distributions use this command to install sudo:
# yum install sudo
Executing a bash script using sudo
Let's create a simple bash script which will provide us with a basic testing environment for the sudo command. The following Linux commands will create a bash script called sudo_test.sh within the /usr/local/bin directory and make it executable:
$ su -
Password:
# cd /usr/local/bin/
# echo "ps aux | grep $$" > sudo_test.sh
# echo "touch /tmp/sudo_file.tmp" >> sudo_test.sh
# chmod +x sudo_test.sh
This script does nothing except print the process ID of the sudo_test.sh bash script along with the owner of that process on STDOUT, and at the same time create a file called sudo_file.tmp within the /tmp/ directory. Now we execute this script as the root user and check the owner of this process.
/usr/local/bin# ./sudo_test.sh
root 3513 0.0 0.1 4260 908 pts/4 S 16:32 0:00 bash
root 3516 0.0 0.0 1700 268 pts/4 R+ 16:32 0:00 grep 3513
As you can see, process ID 3513 is owned by the user root. Furthermore, by executing the ls command we can observe that the file /tmp/sudo_file.tmp is owned by the root user as well.
# ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 root root 0 2010-08-29 17:31 /tmp/sudo_file.tmp
Let's remove the /tmp/sudo_file.tmp file and try to execute this very same script as another user named "lilo". Note the script's permissions in the output of ls -l.
$ whoami
lilo
$ ls -l /usr/local/bin/sudo_test.sh
-rwxr-xr-x 1 root root 44 2010-08-29 17:31 /usr/local/bin/sudo_test.sh
$ /usr/local/bin/sudo_test.sh
root 3502 0.0 0.3 4260 1744 pts/4 S+ 16:31 0:00 bash
lilo 3773 0.0 0.1 3116 720 pts/5 R+ 17:36 0:00 grep 3502
$ ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 lilo lilo 0 2010-08-29 17:36 /tmp/sudo_file.tmp
As you can see the script is executed by the user lilo and the owner of this process is lilo as well. The file created within the /tmp/ directory is owned by lilo too. Before you continue, please remove the /tmp/sudo_file.tmp file.
Our next task is to allow the user lilo to execute the /usr/local/bin/sudo_test.sh script with root privileges, without giving away the root credentials. To do this we need to edit the sudo configuration file /etc/sudoers. Since even root has only read access to /etc/sudoers and we do not want to change that, we will use the visudo command, executed as root, to add the following line to this file:
lilo ALL=(root) /usr/local/bin/sudo_test.sh
- lilo: the user who will be permitted to execute the /usr/local/bin/sudo_test.sh script
- ALL: matches anything; in this position it is the hostname the rule applies to
- (root): the command will be run with root privileges
- /usr/local/bin/sudo_test.sh: the actual command that may be run
As a result, when we now execute the /usr/local/bin/sudo_test.sh script as the user lilo via the sudo command and enter lilo's password:
$ rm /tmp/sudo_file.tmp
$ sudo /usr/local/bin/sudo_test.sh
[sudo] password for lilo:
root 3502 0.0 0.3 4260 1744 pts/4 S 16:31 0:00 bash
root 3793 0.0 0.1 3116 720 pts/5 S+ 17:46 0:00 grep 3502
$ ls -l /tmp/sudo_file.tmp
-rw-r--r-- 1 root root 0 2010-08-29 17:46 /tmp/sudo_file.tmp
process ID 3502 is owned by root and the owner of /tmp/sudo_file.tmp is the root user. Moreover, if you want the user lilo to execute the script /usr/local/bin/sudo_test.sh as the user "john", simply alter the /etc/sudoers config file with visudo and replace (root) with (john).
sudo without password
When a sudo command is executed the user is asked for a password. This default behaviour of the sudo command can be changed by editing the /etc/sudoers config file. If we do not want to be asked for a password, we alter the /etc/sudoers file by changing the line:
lilo ALL=(root) /usr/local/bin/sudo_test.sh
to:
lilo ALL=(root) NOPASSWD:/usr/local/bin/sudo_test.sh
sudo password timeout
The number of minutes before sudo asks a user to enter a password again is 15 by default. This behaviour can be changed with sudo's timestamp_timeout directive in the /etc/sudoers file. To increase the sudo password timeout to 60 minutes we add the timestamp_timeout directive to the Defaults line in /etc/sudoers, so that it reads:
Defaults env_reset , timestamp_timeout=60
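The user specification line explained above (user, host, (runas), optional tag such as NOPASSWD:, command) and the Defaults line with timestamp_timeout are the two kinds of sudoers entries this article touches. The following bash script is an added example, not code from the original article: it parses both kinds of lines and flags the settings a reviewer would question, namely NOPASSWD (especially NOPASSWD on ALL commands) and a timestamp_timeout that is longer than the default or disabled with -1. Function names and the sample sudoers content are constructed for this example, and the grammar handled is a simplified subset (one tag group per line, plain Defaults only, no aliases or includes).

```shell
#!/usr/bin/env bash
# Added example: a small auditor for the sudoers entries discussed in the
# article. Function names and the sample content below are constructed.

# parse_spec LINE -> prints "user|host|runas|tags|command";
# returns 1 if LINE is not a user specification.
parse_spec() {
    local line="$1" user host rest runas="root" tags="" cmd
    local spec_re='^([^[:space:]]+)[[:space:]]+([^[:space:]=]+)[[:space:]]*=(.*)$'
    local runas_re='^\(([^)]*)\)[[:space:]]*(.*)$'
    local tag_re='^([[:upper:]]+):[[:space:]]*(.*)$'
    [[ $line =~ $spec_re ]] || return 1
    user=${BASH_REMATCH[1]}
    host=${BASH_REMATCH[2]}
    rest=${BASH_REMATCH[3]}
    rest=${rest#"${rest%%[![:space:]]*}"}     # trim blanks after '='
    # the (runas) list is optional; without it sudo runs the command as root
    if [[ $rest =~ $runas_re ]]; then
        runas=${BASH_REMATCH[1]}
        rest=${BASH_REMATCH[2]}
    fi
    # tags such as NOPASSWD: or SETENV: sit between the runas list and the command
    while [[ $rest =~ $tag_re ]]; do
        tags="${tags}${tags:+,}${BASH_REMATCH[1]}"
        rest=${BASH_REMATCH[2]}
    done
    cmd=$rest
    printf '%s|%s|%s|%s|%s\n' "$user" "$host" "$runas" "$tags" "$cmd"
}

# parse_defaults LINE -> one "key=value" per option; bare flags print as
# "flag=on", negated flags ("!flag") as "flag=off". Only plain "Defaults"
# lines are handled (not Defaults:user or Defaults@host).
parse_defaults() {
    local line="$1" opt items
    local defaults_re='^Defaults[[:space:]]+(.*)$'
    [[ $line =~ $defaults_re ]] || return 1
    IFS=',' read -ra items <<< "${BASH_REMATCH[1]}"
    for opt in "${items[@]}"; do
        opt=${opt//[[:space:]]/}               # "env_reset , x=1" is legal, drop blanks
        [[ -z $opt ]] && continue
        if [[ $opt == *=* ]]; then
            printf '%s=%s\n' "${opt%%=*}" "${opt#*=}"
        elif [[ ${opt:0:1} == '!' ]]; then
            printf '%s=off\n' "${opt:1}"
        else
            printf '%s=on\n' "$opt"
        fi
    done
}

# audit_sudoers FILE -> prints one finding per line; returns 1 if there were
# any findings, 0 for a clean file.
audit_sudoers() {
    local file="$1" line findings=0 fields user host runas tags cmd key val whole
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%%#*}                       # strip comments
        [[ -z ${line//[[:space:]]/} ]] && continue
        case $line in                          # aliases and includes are out of scope here
            User_Alias*|Runas_Alias*|Host_Alias*|Cmnd_Alias*|@include*) continue ;;
        esac
        if [[ $line == Defaults* ]]; then
            while IFS='=' read -r key val; do
                [[ $key == timestamp_timeout ]] || continue
                whole=${val%%.*}               # sudo accepts fractions of a minute
                if [[ $val == -1 ]]; then
                    echo "timestamp_timeout=-1: cached credentials never expire"
                    findings=$((findings + 1))
                elif [[ $whole =~ ^[0-9]+$ ]] && (( whole > 15 )); then
                    echo "timestamp_timeout=$val: longer than the 15 minute default"
                    findings=$((findings + 1))
                fi
            done < <(parse_defaults "$line")
            continue
        fi
        if ! fields=$(parse_spec "$line"); then
            echo "unparsed line: $line"
            findings=$((findings + 1))
            continue
        fi
        IFS='|' read -r user host runas tags cmd <<< "$fields"
        if [[ $tags == *NOPASSWD* && $cmd == ALL ]]; then
            echo "$user: NOPASSWD on ALL commands as ($runas) is a passwordless root login"
            findings=$((findings + 1))
        elif [[ $tags == *NOPASSWD* ]]; then
            echo "$user: NOPASSWD for '$cmd' as ($runas); check that it cannot spawn a shell"
            findings=$((findings + 1))
        fi
    done < "$file"
    (( findings == 0 ))
}

# Constructed sample content; a real audit would read /etc/sudoers and /etc/sudoers.d/*.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample, not a real system file
Defaults env_reset , timestamp_timeout=60
lilo ALL=(root) /usr/local/bin/sudo_test.sh
lilo ALL=(root) NOPASSWD:/usr/local/bin/sudo_test.sh
%admin ALL=(ALL) NOPASSWD: ALL
EOF

audit_sudoers "$SAMPLE_FILE" || echo "findings above need review"
```

Run as a plain bash script; the sample produces three findings: the 60 minute timeout, the NOPASSWD rule for the test script (harmless only as long as that script cannot be used to start a shell), and the %admin rule, which is the one that really matters because NOPASSWD combined with ALL as (ALL) removes the password check from every command. The parser returns 1 for anything it does not understand, so an unparsed line is itself reported rather than silently ignored.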
Learn more about sudo
Note that there is much more to be learned about the sudo command and its capabilities. A good way to discover more about the sudo command is to start with its man page:
$ man sudo
or to access the man page for the sudoers config file:
$ man sudoers