Friday 24 August 2018

10 Quick Tips About sudo command for Linux systems

Overview


sudo stands for superuser do. It allows authorized users to execute command as an another user. Another user can be regular user or superuser. However, most of the time we use it to execute command with elevated privileges.

LPI Certification, LPI Guides, LPI Tutorial and Material, Sudo Command, LPI Linux Systems

sudo command works in conjunction with security policies, default security policy is sudoers and it is configurable via /etc/sudoers file. Its security policies are highly extendable. One can develop and distribute their own policies as plugins.

How it’s different than su


In GNU/Linux there are two ways to run command with elevated privileges:

◈ Using su command
◈ Using sudo command

su stands for switch user. Using su, we can switch to root user and execute command. But there are few drawbacks with this approach.

◈ We need to share root password with another user.
◈ We cannot give controlled access as root user is superuser
◈ We cannot audit what user is doing.

sudo addresses these problems in unique way.

1. First of all, we don’t need to compromise root user password. Regular user uses its own password to execute command with elevated privileges.
2. We can control access of sudo user meaning we can restrict user to execute only certain commands.
3. In addition to this all activities of sudo user are logged hence we can always audit what actions were done. On Debian based GNU/Linux all activities are logged in /var/log/auth.log file.

Later sections of this tutorial sheds light on these points.

Hands on with sudo


Now, we have fair understanding about sudo. Let us get our hands dirty with practical. For demonstration, I am using Ubuntu. However, behavior with another distribution should be identical.

Allow sudo access


Let us add regular user as a sudo user. In my case user’s name is lpicentral

1) Edit /etc/sudoers file as follows:

$ sudo visudo

2) Add below line to allow sudo access to user lpicentral:

lpicentral ALL=(ALL) ALL

In above command:

◈ lpicentral indicates user name
◈ First ALL instructs to permit sudo access from any terminal/machine
◈ Second (ALL) instructs sudo command to be allowed to execute as any user
◈ Third ALL indicates all command can be executed as root

Execute command with elevated privileges


To execute command with elevated privileges, just prepend sudo word to command as follows:

$ sudo cat /etc/passwd

When you execute this command, it will ask lpicentral’s password and not root user password.

Execute command as an another user


In addition to this we can use sudo to execute command as another user. For instance, in below command, user lpicentral executes command as a devesh user:

$ sudo -u devesh whoami
[sudo] password for lpicentral:
devesh

Built in command behavior


One of the limitation of sudo is – Shell’s built in command doesn’t work with it. For instance, history is built in command, if you try to execute this command with sudo then command not found error will be reported as follows:

$ sudo history
[sudo] password for lpicentral:
sudo: history: command not found

Access root shell

To overcome above problem, we can get access to root shell and execute any command from there including Shell’s built in.

To access root shell, execute below command:

$ sudo bash

After executing this command – you will observe that prompt sign changes to pound (#) character.

Recipes


In this section we’ll discuss some useful recipes which will help you to improve productivity. Most of the commands can be used to complete day-to-day task.

Execute previous command as a sudo user


Let us suppose you want to execute previous command with elevated privileges, then below trick will be useful:

$ sudo !4

Above command will execute 4th command from history with elevated privileges.

sudo command with Vim


Many times we edit system’s configuration files and while saving we realize that we need root access to do this. Because this we may lose our changes. There is no need to get panic, we can use below command in Vim to rescue from this situation:

:w !sudo tee %

In above command:

◈ Colon (:) indicates we are in Vim’s ex mode
◈ Exclamation (!) mark indicates that we are running shell command
◈ sudo and tee are the shell commands
◈ Percentage (%) sign indicates all lines from current line

Execute multiple commands using sudo


So far we have executed only single command with sudo but we can execute multiple commands with it. Just separate commands using semicolon (;) as follows:

$ sudo -- bash -c 'pwd; hostname; whoami'

In above command:

◈ Double hyphen (–) stops processing of command line switches
◈ bash indicates shell name to be used for execution
◈ Commands to be executed are followed by –c option

Run sudo command without password


When sudo command is executed first time then it will prompt for password and by default password will be cached for next 15 minutes. However, we can override this behavior and disable password authentication using NOPASSWD keyword as follows:

lpicentral ALL=(ALL) NOPASSWD: ALL


Restrict user to execute certain commands


To provide controlled access we can restrict sudo user to execute only certain commands. For instance, below line allows execution of echo and ls commands only

lpicentral ALL=(ALL) NOPASSWD: /bin/echo /bin/ls

Insights about sudo


Let us dig more about sudo command to get insights about it.

$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 145040 Jun 13  2017 /usr/bin/sudo

If you observe file permissions carefully, setuid bit is enabled on sudo. When any user runs this binary it will run with the privileges of the user that owns the file. In this case it is root user.

To demonstrate this, we can use id command with it as follows:

$ id
uid=1002(lpicentral) gid=1002(lpicentral) groups=1002(lpicentral)

When we execute id command without sudo then id of user lpicentral will be displayed.

$ sudo id
uid=0(root) gid=0(root) groups=0(root)

But if we execute id command with sudo then id of root user will be displayed.

Related Posts

0 comments:

Post a Comment