How to use sudo – root privilege for a normal user
Sudo works under Linux / Mac OS X and all UNIX like operating systems. /etc/sudoers (config file that defines or list of who can run what) allows you to delegate authority to give certain users or groups of users the ability to run various commands as the superuser(root) or another user without needing the root password. This is useful for delegating roles and permissions to other users without sharing the root password.
This file must be edited with the visudo command as the root user . The sudo command allows users to do tasks on a Linux system as another user.
Let us take an example here,
If you want to give the user John, access to restart httpd service. First, Login as root user, then use visudo command edit the config file:
# visudo
Append the following lines to file:
John ALL= /etc/init.d/httpd restart
Save and close file . Now John user can restart httpd service by typing the following command:
$ sudo /etc/init.d/httpd restart
Output:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: Stopping httpd: [ OK ] Starting httpd: [ OK ]
The sudo command has logged the attempt to the log file /var/log/secure or /var/log/auth.log file:
# tail -f /var/log/secure
Sample outputs:
Nov 15 06:05:36 localhost sudo: John : TTY=pts/1 ; PWD=/home/John ; USER=root ; COMMAND=/etc/init.d/httpd restart
Before running a command with sudo, users usually supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, the command will be run. sudo logs each command run.
a) If you want to allow John to run various commands:
John ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user John to restart httpd without any password i.e. as root without authenticating himself:
John ALL= NOPASSWD: /etc/init.d/httpd restart
c) Allow user Alex to run any command from /usr/bin directory:
Alex ALL = /usr/bin/*
d) Allow user Alex to run ALL commands:
Alex ALL =(ALL) ALL
e) If you want to allow system admin user to run all commands (add users to a group eg:- unixsa)
Append the following line:
## Allows people in group unixsa to run all commands %unixsa ALL=(ALL) ALL
Save and close the file. Finally, add a group called unixsa:
# groupadd unixsa
Add a user called Alex (existing user) to group unixsa:
# usermod -a -G unixsa Alex
Verify group membership:
# id Alex
Sample Outputs:
uid=5001(Alex) gid=5001(Alex) groups=5001(Alex),110(unixsa)
Login as user Alex and to run any command as the root type:
$ sudo /etc/init.d/network restart
f) If database admin user want to run command as oracle
Append the following lines to /etc/sudoers file:
John ALL=(oracle) /u01/app/oracle/product/11.1.0/db_1/bin/dbstart
In this case, it’s that indicating the user John can execute the dbstart command as oracle occurs. When using sudo to assume the role of a user other than root, use the -u option and give the user name as an argument, followed by the command that should be executed.
$ whoami John
$ sudo -u oracle /u01/app/oracle/product/11.1.0/db_1/bin/dbstart
Output:
Password: Processing Database instance "TEST": log file /u01/app/oracle...
That’s all, we have tried all the common options for the sudo command. You may have your queries in the comments section.
