Friday, July 18, 2003

Sudooo Voodooo

Sudo is a handy little tool that is of value to both system administrators and common folks like us. What does it do? It allows you to temporarily assume the permissions of another user, up to and including root. If you belong to the camp that says you should only have root privileges at the time they are needed, sudo makes your life a little easier by making it easier to shape-shift between the permissions for a mere mortal and those of the super user.

We'll start with an easy -- and not uncommon -- example. You need to make a change to a configuration file in order to take advantage of your latest hardware acquisition. Gedit is your editor of choice, but you need root privileges in order to write a modified version of the config. What to do? Sudo, of course. Open a console and enter this:

sudo gedit /etc/some.conf

Depending on which distribution you use, you'll be prompted for your user password or the root password. When you've entered it, you'll immediately have the file you want to edit in front of you. Better yet, when you're finished, you'll be able to save it.

It's important to note that after entering the password, you can use sudo again for a short period without needing to use the password again. The default is five minutes, though this can be changed in sudo's configuration file. You can bring the curtain down early on that condition by entering:

sudo -k

This tells sudo to invalidate your timestamp, so that you'll be prompted for a password the next time you use sudo.

But wait, I don't like gedit!

Don't worry, you can use the editor of your dreams instead. In fact, try this:

sudo -e /etc/some.conf

That does the same thing as the command above that specifies gedit, but it uses the editor named in your EDITOR environment variable, or the one configured in /etc/sudoers, which is the configuration file used by sudo.

And finally, if the -e argument is too hard for you to type, then just type:

sudoedit /etc/some.conf

It behaves exactly the same as the sudo command using the -e option.

Often, you'll need just to have root access in the shell, instead of root permissions for a single command. Sudo handles that circumstance, too. Just enter:

sudo -s

That will give you a shell with full root permissions, which will remain in effect until you exit the shell.

Sometimes you may need to run a command as a user other than root. This is no problem for sudo. The command is:

sudo -u username command

Here is a list of other sudo options you may find handy:

  • -v Refreshes your timestamp, extending the grace period by another five minutes, without running a command.
  • -H Sets the HOME environment variable to the home directory of the target user (root, unless -u names someone else).
  • -K Like -k, except that it removes the timestamp completely instead of merely invalidating it.
  • -b Runs the given command in the background.
  • -l Lists the commands the current user is allowed to run with sudo.

Sudo's configuration file, /etc/sudoers, describes to sudo who can do what. Some distros, like SUSE, include all users in the file by default. Others, like Ubuntu, include only the first user in the admin group. But for many distributions, you may need to add yourself to /etc/sudoers in order to use the sudo command.

To add a user to /etc/sudoers, you'll need to use the visudo command -- don't edit the file with another editor, because visudo locks the file and checks its syntax before saving. The basic format for adding users is:

user HOST = (otheruser) command

The first field is the user who will run sudo. When you run sudo, it checks whether your username is in the /etc/sudoers file, or whether you belong to a group that's listed there. If not, you'll usually get a message saying you're not in the sudoers file.

The HOST field lists the servers on which the user is allowed to use sudo. If you're not setting up sudo for use on multiple machines, it's usually safe to just say "ALL" here. The field in parentheses tells sudo which users the sudo'ing user may run a command as, and the final field lists one or more commands that the user is allowed to run with sudo. Let's say you want to allow a user to run all commands, as any user, using sudo. Then you'd have an entry that looks like this:

bob ALL=(ALL) ALL

On the other hand, if you want to restrict the user bob to one command that he can run as root, you could do so like this:

bob ALL=(root) /usr/sbin/tcpdump

This restricts bob to running the tcpdump command as root. He won't be able to run any other commands as root, nor will he be able to run tcpdump or any other commands as another user.
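To see how sudo reads those two bob entries, here is a small teaching parser for the "user HOST = (runas) command" form described above. It is an added example, not part of the column and not sudo's real matcher: it handles only this simple form plus %group entries, skips Defaults and alias lines, and matches commands by exact path (real sudo also matches arguments, tags such as NOPASSWD, and more).

```python
ALL = "ALL"

# Constructed sample, not a real /etc/sudoers file.
SAMPLE_SUDOERS = """\
# bob may run one command as root on any host
Defaults timestamp_timeout=5
bob ALL=(root) /usr/sbin/tcpdump
%admin ALL=(ALL) ALL
"""

def parse_sudoers(text):
    """Parse 'user HOST = (runas) cmd1, cmd2' lines into rule dicts.

    Comments, blank lines, Defaults and *_Alias lines are skipped.
    A missing (runas) field defaults to root, as sudo itself does.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue
        who, rest = line.split("=", 1)
        parts = who.split()
        if len(parts) != 2:
            continue  # not the simple form this parser teaches
        user, host = parts
        rest = rest.strip()
        runas = ["root"]
        if rest.startswith("("):
            inner, rest = rest[1:].split(")", 1)
            runas = [r.strip() for r in inner.split(",")]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({"user": user, "host": host,
                      "runas": runas, "commands": commands})
    return rules

def may_run(rules, user, groups, host, runas, command):
    """True if some rule lets `user` (a member of `groups`) run `command` as `runas` on `host`."""
    for r in rules:
        by_name = r["user"] == user
        by_group = r["user"].startswith("%") and r["user"][1:] in groups
        if not (by_name or by_group):
            continue
        if r["host"] not in (ALL, host):
            continue
        if ALL not in r["runas"] and runas not in r["runas"]:
            continue
        if ALL in r["commands"] or command in r["commands"]:
            return True
    return False
```

Running may_run over the sample shows bob allowed for /usr/sbin/tcpdump as root, but refused for any other command or any other target user, which is exactly the restriction described above.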

That is just the tip of the iceberg, of course. Advanced configuration of /etc/sudoers is really more on the sysadmin side of the house than we like to get into in this column, which is written with newcomers in mind. If you are the curious type, read the man pages for sudo, sudoers, and visudo.

That's it for this week. Remember to visit the man, and remember too, it's not who you know, it's who you sudo.
