Sudo Command in Linux/Unix

When you use the sudo command for the first time, you see the message “With great power comes great responsibility.”

And rightly so. “Sudo” is short for Superuser Do. With this command, any user who has been granted permissions has access to root-like privileges without having to actually be a superuser.

Working with sudo Command in Linux

Using the sudo command is very straightforward, but before a user can use it we need to configure the right permissions.

1. Granting sudo access to users

To grant access to a specific user, an existing superuser needs to first add an entry in the /etc/sudoers file. This file in Linux contains the entire list of users who have sudo access, along with what level of access is granted. You can follow a similar format of adding users as listed in the file, or modify the permissions as required. A sample entry would be something like below:

username ALL=(ALL:ALL) ALL
Giving sudo access to users using the /etc/sudoers file
  • The “username” will be the name of the user who has the permissions
  • The ALL at the beginning specifies which hosts the user has sudo access on
  • The second ALL specifies which users the user can run commands as
  • The third ALL specifies which groups the user can run commands as
  • The ALL at the end specifies which commands the user is allowed to run.

2. sudo command usage

Once the access is granted, you can run the permitted commands as a superuser. To do so, you need to enter “sudo <command>”.

root@shell# sudo apt-get update
Enter password:

By default, you’ll be required to enter your password to gain access, but this can be skipped by adding a “NOPASSWD” attribute when granting permissions in the sudoers file, though this is NOT recommended.

3. Running a sudo command as another user

In certain situations, all you want is to be able to run a command which someone else in your organization has access to. We don’t mean this as a hack, but as a user switch.

In Windows, if you had to copy files from another user’s “Documents” folder, you would just switch user, log in to the other account and finish the work, then log back in to the original account.

But how do you do the same in Linux? We make use of the -u option, as in the example below.

root@shell# sudo -u otherusername (command)
Enter otheruser password:

The -u option allows you to run any command as another user, so long as you have the password.

4. Allowing limited commands as sudo for your users

When offering escalated privileges, we need to make sure that only the users who require specific access have it. If you add “ALL” in the permitted commands section for a user in the sudoers file, you could open yourself up to potential breaches.

Let’s say you want to only allow the users to power off their systems when they’re done. But the user needs sudo access to do so. You can edit the sudoers file to permit only the poweroff command without asking for a password.

username ALL=NOPASSWD: /sbin/poweroff

Notice how we have added the full path instead of just the command. Now if you want to add multiple commands to multiple users, it can be tedious to keep track of the right commands to assign to users. In such a case, you can create command aliases, and simply add those in place of the “/sbin/poweroff” above. See the image below for reference.

[Image: sudoers file showing limited command access for sudo users]
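
The command aliases and the risk of “ALL” described above, as an added example that is not part of the original tutorial: a small Python check that expands Cmnd_Alias names in sudoers text and reports users who can run any command, can do so without a password, or are given a command without its full path. The user names, the POWER and UPDATES aliases, the sample entries and the audit function are constructed for illustration, and the parser handles only simple one-line entries like the ones shown on this page.

```python
import re

# Constructed sample sudoers content (not from the original page).
SAMPLE = """\
# Command aliases group full paths under one name
Cmnd_Alias POWER = /sbin/poweroff, /sbin/reboot
Cmnd_Alias UPDATES = /usr/bin/apt-get update, /usr/bin/apt-get upgrade

alice ALL=(ALL:ALL) ALL
bob   ALL=NOPASSWD: POWER
carol ALL=(root) UPDATES, poweroff
dave  ALL=(ALL) NOPASSWD: ALL
"""

# user, host, optional (runas) part, then the command list
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def audit(text):
    """Return sorted (user, issue) findings for the user lines in `text`."""
    aliases, findings = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drop comments
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m or m.group(1) == "Defaults":
            continue
        user, rest = m.groups()
        nopasswd = "NOPASSWD:" in rest
        rest = rest.replace("NOPASSWD:", "")
        for item in (c.strip() for c in rest.split(",")):
            for cmd in aliases.get(item, [item]):  # expand alias names
                if cmd == "ALL":
                    findings.add((user, "any command"))
                    if nopasswd:
                        findings.add((user, "any command without a password"))
                elif not cmd.startswith("/"):
                    findings.add((user, f"not a full path: {cmd}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit(SAMPLE):
        print(f"{user}: {issue}")
```

In the sample, bob is the only user with no finding: his entry is limited to the full-path commands in the POWER alias.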

5. Other common options with the sudo command

The options that we listed above are some very frequently used options. Below are a few more common options that will come in handy.

  • -l stands for “list” and it allows a user to list the commands that they are permitted to run on the particular host
  • -p allows a user to specify a custom terminal prompt while overriding the one that’s already in use
  • -k invalidates the recorded timestamp. Whenever a user runs sudo, a timestamp is recorded, and the timestamp lets the user use sudo without a password until the timeout specified in sudoers (usually 5 minutes). With this option, a user can invalidate the timestamp so the next usage of sudo will require a password again
  • -K similar to the lowercase -k option, but this one allows the user to entirely remove the timestamp.
  • -h get all the available options as a list with their explanation and usage

Difference between sudo and su Commands

These are two completely different commands, but the one feature they have in common is giving superuser access to regular users. This makes people think that both commands are the same or do the same thing, but that’s not the case.

With sudo, you can work as a superuser and get further access while being logged into your own user account, but with su you have to log in as a different user to gain access to their privileges.

Conclusion

You have seen how powerful the sudo command can be by bestowing root-like permissions in the hands of the users in the sudoers file. Always make sure to recheck the permissions that are being granted, and the user they’re being granted to. Hope this tutorial helps you understand the sudo command, its usage, and the risks of granting sudo better.