Installing sudo on a Debian/Ubuntu system and understanding sudoers

Contents

If you’ve been using Linux for any amount of time or even just getting your feet wet in the world of administering a Linux system, you’ve definitely seen references to ‘sudo’ or been told to use ‘sudo’ when executing certain commands. But, what is ‘sudo’, why should you use it and how do you install and set it up?

Already know what sudo is all about or just don’t care about the background? Jump right to installation and configuration!

What is sudo

‘sudo’ stands for ‘Super-User Do!’ (pronounced sue-dough, though it probably should be sue-do….) and allows you to command the system to execute your orders with the authority of the super-user – in other words, go-go Super-User! If you’re familiar with the Windows world, then this is like ‘running as’ the Administrator or answering a UAC prompt and granting temporary Administrator rights. In the Unix world, running a command via sudo is like transparently logging in as root, executing your command, and dropping back to your regular user account. Obviously, this is very useful since it lets you safely use your normal account but, still be able to execute privileged commands when you need to do so.

Why sudo instead of su?

Many users will be familiar with the su, or ‘substitute-user’, command. This let’s you switch to another user account (hence why lots of people actually think su stands for ‘switch-user’) providing you have the credentials. This is most often used by root users when they have to quickly do something in another user’s account without screwing up permissions. Root users do not need to know user credentials and can simply ‘su - username’, do what they need to do as that user, then ‘exit’ back to their root account. The story is a little different for all other mere mortal user accounts, however.

If I’m not root, then I must know the credentials of the account I want to switch into. This is a problem. In our scenario, if user1 needed to execute a privileged command, such as shutting down a service, s/he would have to switch to the root account and thus, must know or be given the root password. Obviously, this is a huge security problem. A user that knows the root password is in effect a root user and can do anything. Enter the single best reason to use sudo.

Instead, we can allow user1 to sudo and execute commands as root. With sudo however, the user only needs to enter their own password to confirm they are who they say they are. This is much safer since the root password never needs to be disclosed!

Other people give reasons such as sudo being safer because you need to type it before each command, etc. However, this is easy to work-around so I don’t consider that a true advantage. The only real reasons sudo should be used are to keep that root password secret and to make it simple to manage who has permission to run-as root.

Installing sudo

As the root user, installing sudo is very simple:

apt install sudo

Granting users rights to use sudo

By default, all members of the group sudo are permitted to use it. So, let’s add a user to that group!

usermod -aG sudo username

That’s it, username is now part of the group sudo and can execute commands using sudo next time s/he logs in. If all you’re interested in is granting a user rights to execute privileged commands, then your task is done! If you want a quick refresher on how to use sudo, read the next section. If you want to learn more about how sudo is configured, then keep reading the rest of this article!

Using sudo

In vast majority of cases, you’ll need sudo for running single commands as root. In that case, usage is simple and straightforward like the following examples:

# shutdown the system now
sudo shutdown now
# reboot the system
sudo reboot
# delete a directory, which you don't have access to, and all it's files
sudo rm -rf /etc/somedir

Each of the preceding commands would have required you being logged in as root, but instead, you can simply prepend sudo and carry-on in your normal account. Under normal configurations, you will be prompted for your password the first time you use sudo and anytime 5 minutes has elapsed since the last time you used it.

Useful command-line parameters

Sudo has many options, but a few are commonly used:

CommandExplanation
sudo -sUse your shell and your environment settings but execute commands with root privileges
sudo -iUse your shell with root’s environment settings and execute commands with root privileges
sudo suSwitch users and actually use the root account
sudo su - usernameSwitch users without having to know that user’s password ;-)
sudo -u usernameUse your shell and your environment settings but execute commands with username’s privileges
sudo -u username -sUse your shell with username’s environment settings and execute commands with username’s privileges
sudo -bRun command in the background

Configuring sudo - the sudoers file

Configuration of sudo is handled via /etc/sudoers which is only accessible via your root account (um… or via sudo, haha!). It’s a plain text file, so you can use any editor you like, although visudo is highly recommended since it can syntax check the file in case you make a mistake. Making a mistake in the configuration disables sudo and can result in locking yourself out of system functions if you’ve disabled root login! visudo itself is a wrapper for another editor and on modern Debian/Ubuntu systems, that is nano by default. If you want to change the editor, run the following command:

update-alternatives –config editor

Using visudo

visudo is only used to edit the sudoers file and only opens that file. You run the command as-is: visudo

It will open the sudoers file in the configured editor (nano by default). Upon saving your changes, visudo will perform some checks and exit normally if it finds no errors. If it does find an error, it will inform you what line has a ‘syntax error’ and will ask “What now?”. This is pretty cryptic since it gives you no options. You can type help to see your options and then respond as you see fit. The option to exit without saving changes is a lifesaver, so bottom line: always use visudo to edit your sudoers file!

sudoers rule statements

You will see in the sudoers file two particular lines:

19
20
21
22
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

We can use these lines as a quick primer on how all rule statements are created. The rules break down in the following syntax, which we’ll go through one by one:

user or %grouphost=(user:group) tag:command(s)

ParameterMeaning
user or %groupThe user or group (prefixed with ‘%’) to which this rule applies
hostThe hostname of the machine to which this rule applies. ALL matches everything. If using on a single machine, ALL is the best choice
user:groupThe user(s) and/or group(s) which the command may be executed as. User is specified with -u and group with -g upon invoking sudo. ALL permits execution as any user. :ALL permits execution as any group. ALL:ALL permits execution as any user or any group. If omitted, commands may only be executed as root
tagApplies a tag to commands. There are 10 tags, all optional. The most common is NOPASSWD which means that no password is required for the following commands. If NOPASSWD: ALL is specified, it means that sudo will not prompt for a password regardless of the command
command(s)The command(s) permitted to be performed. Specific commands may be separated by spaces. ALL means any command may be executed

Using this knowledge, we can see that the default rules mean the following (in syntactical order, not proper English):

Let’s create a few hypothetical rules just to clarify how this works (again, explained syntactically, not in proper English):

user1 ALL=(user2:staff) /bin/sed /bin/nano /bin/grep

User1, on any system using this sudoers file, may run permitted commands as user2 or the group staff. Only the programs sed, nano and grep are permitted to be run as these different users/groups.

user1 ALL=(ALL) /bin/sed /bin/nano /bin/grep

User1, on any system using this sudoers file, may run commands as any user (including root) but not any alternate group. Only the programs sed, nano and grep are permitted to be run as these different users.

user1 database.mytechiethoughts.com= NOPASSWD: /bin/nano

User1, on any machine defining it’s hostname as ‘database.mytechiethoughts.com’, may run commands as root (only) without needing to provide a password for authentication beforehand. Only the program nano may be run as root.

This final example is often used when wanting to allow a user or group of users to run sudo commands without needing a password – understand that this a security risk!

user1 ALL=(ALL) NOPASSWD: ALL  
%sudo ALL=(ALL) NOPASSWD: ALL

You should be able to decipher what these rules mean, but I’ll run through it for you just in case – this time in plain English because I think you understand the syntax now.

In the first rule, we’re saying user1 may run any command, on any machine using this sudoers file, as any user including root without requiring a password for authentication. In the second rule, we are saying the same thing, but applying that to any member of the group sudo

Aliases

Just like on your BASH command-line, you can define aliases to shorten the amount of stuff you need to type in your suoders configuration file and minimize mistakes by only having to list multiple items once. Aliases are divided into two groups but they work the same way and the same as they do in BASH. The basic formula is definition ALIAS=list. Note: The convention is to define aliases in configuration files in ALL CAPS but it is not required. Let’s work through a few examples:

# define aliases
User_Alias SYSADMINS=larry,curly,moe
Cmnd_Alias TEXTTOOLS=/bin/sed,/bin/nano,/bin/grep

# define rules
SYSADMINS   ALL= TEXTTOOLS

See what we’re doing here? Hopefully, the slightly confusing syntax used by sudoers is clearing up in your mind by now. We’re saying:

SYSADMINS (Larry, Curly and Moe), on any machine using this sudoers file, can run any TEXTTOOLS command (which are sed, nano and grep) as root providing they authenticate first.

Down the road, Moe might get injured and need time off. So, you can remove him from your list of SYSADMINS by changing the single alias definition instead of having to hunt his name down everywhere it appears throughout your entire configuration. This is how aliases can make your administrative life easier!

Defaults and other options

There are numerous other defaults and options available for sudo and I can’t even begin to go into them all unless I want this article to become a novel. If you’re interested, check out the man page – I’ll warn you though, it’s not clearly written (in my opinion) and not for the faint of heart. So get some coffee and get back in touch with your inner student :-)

Final thoughts

I think I’ve covered pretty much 99% of what you’ll routinely need to know about sudo. We’ve explored how to install it, grant users access and then define what those users can and cannot do. More than enough to get you started and, to be very honest, probably all you need to know about the topic.


Thanks for reading my techie-thoughts on this issue. Have any comments or suggestions? Want to add your tips? Things you want me to cover in a future article? Comment below!