Sudo Command in Linux/Unix

By /
Power Up

When you use the sudo command for the first time, you see the message “With great power, comes great responsibility.”

And rightly so. “Sudo” is short for Superuser Do. With this command, any user who has been granted permissions has access to root-like privileges without having to actually be a superuser.

Also read: Shell Scripting 101: Variables in Shell Scripts

Working with sudo Command in Linux

Using the sudo command is very straight forward but before a user can use it we need to configure the right permissions.

1. Granting sudo access to users

To grant access to a specific user, an existing superuser needs to first add an entry in the /etc/sudoers file. This file in Linux contains the entire list of users who have sudo access, along with what level of access is granted. You can follow a similar format of adding users as listed in the file, or modify the permissions as required. A sample entry would be something like the below:

username ALL=(ALL:ALL) ALL
Sudoers File Editing
Giving sudo access to users using the /etc/sudoers file
  • The “username” will be the name of the user who has the permissions
  • The ALL at the beginning specifies which hosts the user has sudo access on
  • The second ALL specifies which users the user can run commands as
  • The third ALL specifies which groups the user can run commands as
  • The ALL at the end specifies which commands the user is allowed to run.

2. sudo command usage

Once the access is granted, you can run the permitted commands as a superuser. To do so, you need to enter “sudo <command>”.

root@shell# sudo apt update
Enter password:

By default, you’ll be required to enter your password to gain access but this can be skipped by adding a “NOPASSWD” attribute when granting permissions in the sudoers file. Though this is NOT recommended.

3. Running a Sudo command as another user

In certain situations, all you want is to be able to run a command that someone else in your organization has access to. We don’t mean this as a hack, but as a user switch.

In Windows, if you had to copy files from another user “document’s folder, you would just switch users, log in to the other account and finish the work, then log back into the original account.

But how do you do the same in Linux? We make use of the -u option like an example below.

root@shell# sudo -u otherusername (command)
Enter otheruser password:

The -u option allows you to run any command as another user, so long as you have the password.

4. Allowing limited commands as sudo for your users

When offering escalated privileges, we need to make sure only the users who require specific access should have it. If you add “ALL” in the permitted commands section for a user in the sudoers file, you could open yourself up to potential breaches

Let’s say you want to only allow the users to power off their systems when they’re done. But the user needs sudo access to do so. You can edit the sudoers file to permit only the poweroff command without asking for a password.

username ALL=NOPASSWD: /sbin/poweroff

Notice how we have added the full path instead of just the command. Now if you want to add multiple commands to multiple users, it can be tedious to keep a tab of the right commands to assign to users. In such a case, you can create command aliases, and simply add those in place of the “/sbin/poweroff” above. See the image below for reference.

Sudoers File Limited Command Access For Sudo Users 1
Sudoers File Limited Command Access For Sudo Users

5. Other common options with the sudo command

The options that we listed above are some very frequently used options. Below are a few more common options that will come in handy for you.

  • -l stands for “list” and it allows a user to list the commands that they are permitted to run on the particular host
  • -p allows a user to specify a custom terminal prompt while overriding the one that’s already in use
  • -k whenever a user runs sudo, a timestamp is recorded and the timestamp lets the user use sudo without a password until the timeout specified in sudoers (usually 5 minutes). With this option, a user can invalidate the timestamp so the next usage of sudo will require a password again
  • -K is similar to the lowercase -k option, but this one allows the user to entirely remove the timestamp.
  • -h get all the available options as a list with their explanation and usage

Bonus – Shortcut to run shell as root – sudo -s

Sudo -s runs your current shell as superuser/root. You can also specify another user using -su.

This is useful if you want to run a command as superuser/root without having to log out and back in again. Just remember that your current environment variables (e.g. $PATH) will still be set, so if you need to override them, you’ll have to do so explicitly.

[username@host] sudo -s

[root@host]

You may need to enter the password for root depending on your sudoers configuration. But sudo -s is a shortcut to running the existing shell as a superuser.

Difference between sudo and su Commands

So, these are two completely different commands but the one feature that is similar between the two is superuser access to regular users. Now, this does make people think that both the commands are the same or do the same thing, but that’s not the case.

With sudo, you can work as a superuser and get further access while being logged into your own user account, but with su you have to log in as a different user to gain access to their privileges.

Summary

You have seen how powerful the sudo command can be by bestowing root-like permissions in the hands of the users in the sudoers file. Always make sure to recheck the permissions that are being granted, and the user they’re being granted to. Hope this tutorial helps you understand the sudo command, its usage, and the risks of granting sudo better.

References: