Using the sudo command, a user can execute root-only commands.
1. Set up sudo Environment in /etc/sudoers
You can provide sudo privilege to an individual user or a group by modifying /etc/sudoers. Edit the file with the visudo command, which checks the syntax before saving.
sudo access to a user
To provide sudo access to an individual user, add the following line to the /etc/sudoers file.
ram ALL=(ALL) ALL
In the above example:
- ram: name of user to be allowed to use sudo
- ALL : Allow sudo access from any terminal ( any machine ).
- (ALL) : Allow sudo command to be executed as any user.
- ALL : Allow all commands to be executed.
sudo access to a group
To provide sudo access to a group, add the following line to the /etc/sudoers file.
%programmers ALL=(ALL) ALL
In the above example:
- programmers : name of group to be allowed to use sudo. The group name must be preceded by a percent symbol.
- ALL : Allow sudo access from any terminal ( any machine ).
- (ALL) : Allow sudo command to be executed as any user.
- ALL : Allow all commands to be executed.
Note: Ubuntu users are already familiar with the sudo command, as you use sudo apt-get install to install any package. On Ubuntu, sudo is already set up for your username as shown below, i.e. all users who belong to the admin group have access to execute root commands using sudo.
$ sudo cat /etc/sudoers
%admin ALL=(ALL) ALL
$ grep admin /etc/group
admin:x:115:sathiya
2. Executing a command as super user
Once sudo access is provided to your account in /etc/sudoers, you can pass any root command as an argument to the sudo command. For example, mount can only be done by root, but a normal user can mount as shown below using sudo.
$ sudo mount /dev/sda3 /mnt
Note: If you are executing sudo for the first time in a shell, it will ask for the password (the current user's password) by default.
3. Forgot to Use Sudo in Vim? No Worries. Save file Trick in vim with sudo
When you have opened a file that can be saved only by the root user using vim (without using the sudo command), you can do the following.
For example, if you want to edit the file /etc/group, which can only be saved by the root user, you typically do the following. When you do a :w, it works without any problem, because the file was opened using the sudo command.
$ sudo vim /etc/group
:w
What if you forgot to give sudo when you opened the /etc/group file as shown below? In this case, instead of quitting the file (and losing all your changes) and executing the vim command with sudo, you can do the following.
$ vim /etc/group
:w !sudo tee %
Note: “:w !sudo tee %” will save the file with root privilege, even if you didn’t use the sudo command to open it. Here :w ! pipes the buffer to the command that follows, and % expands to the current file name, so sudo tee writes the buffer to the file as root.
4. Forgot to give sudo for root command? Do it again using !!
If you forgot to give sudo for a command that requires root privilege, instead of typing the command with sudo again, you can simply do sudo !! as shown below.
$ head -n 4 /etc/sudoers
head: cannot open `/etc/sudoers' for reading: Permission denied
$ sudo !!
sudo head -n 4 /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
5. Get Root Shell Access using Sudo
To get a root shell from your user account, do the following.
$ sudo bash
Once you get the root shell, you can execute any root command without having to enter sudo in front of it every time.
6. Built in commands won’t work with Sudo – Command not found
sudo invokes an executable as another user, so bash built-in commands won’t work. It will give a “command not found” error as shown below.
For example, umask is a bash built-in command, which will not work when used along with sudo as shown below.
$ sudo umask
sudo: umask: command not found
Work-around: To use a bash shell built-in command with sudo, first get the root shell by doing ‘sudo bash’ and then execute the shell built-in command.
7. View Unauthorized Sudo command executions from auth.log
When a user who doesn’t have sudo permission tries to execute a sudo command, they get the following error message.
$ sudo ls /
[sudo] password for test:
raj is not in the sudoers file. This incident will be reported.
Any time this happens, it is logged in the /var/log/auth.log file, so sysadmins can review any unauthorized sudo access.
Sep 25 18:41:35 ramsudo: raj : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/ra
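One way to pull these events out of the log, as an added example that is not from the original article. The sample lines are constructed, the function names sudo_denials and denials_by_user are hypothetical, and the filter also matches the "command not allowed" and "incorrect password attempts" messages that sudo logs, which goes beyond the single case shown above.

```shell
#!/bin/sh
# Added example: summarise rejected sudo attempts from auth.log-style input.

# Constructed sample lines (host1 and the commands are made up).
sample_log() {
cat <<'EOF'
Sep 25 18:41:35 host1 sudo:      raj : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/raj ; USER=root ; COMMAND=/bin/ls /
Sep 25 18:42:10 host1 sudo:      ram : TTY=pts/2 ; PWD=/home/ram ; USER=root ; COMMAND=/bin/mount /dev/sda3 /mnt
Sep 25 18:43:02 host1 sudo:      raj : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/raj ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 25 18:44:51 host1 sudo:     test : command not allowed ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Sep 25 18:45:00 host1 sshd[911]: Accepted password for ram from 192.0.2.10 port 50022 ssh2
EOF
}

# sudo_denials: read log lines on stdin, print "user|reason|command"
# for every attempt that sudo rejected.
sudo_denials() {
  awk '
    {
      # Locate the sudo tag (with or without a [pid]); skip other daemons.
      if (!match($0, / sudo(\[[0-9]+\])?: +/)) next
      msg = substr($0, RSTART + RLENGTH)

      # The first " ; "-separated field is "user : reason" on a rejection
      # and "user : TTY=..." on a command that was allowed to run.
      p = index(msg, " ; ")
      first = (p ? substr(msg, 1, p - 1) : msg)
      q = index(first, " : ")
      if (!q) next
      user = substr(first, 1, q - 1)
      reason = substr(first, q + 3)
      if (reason !~ /^(user NOT in sudoers|command not allowed|[0-9]+ incorrect password attempts?)$/) next

      # Take the command as everything after COMMAND=, so a command that
      # itself contains " ; " is not cut short.
      c = index(msg, "COMMAND=")
      print user "|" reason "|" (c ? substr(msg, c + 8) : "")
    }'
}

# denials_by_user: turn sudo_denials output into "count user", busiest first.
denials_by_user() {
  awk -F'|' '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2
}

sample_log | sudo_denials | denials_by_user
```

To run it against a real log, feed the file on stdin, for example sudo_denials < /var/log/auth.log | denials_by_user.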
Reference : http://www.thegeekstuff.com/2010/09/sudo-command-examples/