Sometimes people who are not the system's administrator need limited root access. For example, if you are working with large data sets on CD-ROM, you need to be able to mount and unmount those volumes, and ordinarily that requires root permission. It was for this sort of reason that a program called sudo was created. It is freeware and compiles easily on all Unixes. UWSG mirrors the sudo source and binary distribution.
sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis, and should not be perceived as a replacement for the shell or the su command. The configuration file for sudo is /etc/sudoers.
sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket good for 5 minutes, and each subsequent sudo command renews the ticket for another 5 minutes. This limits the damage if a terminal is left unattended: there is no root shell sitting open for anyone who can reach your keyboard, and the ticket expires on its own. A user can also discard their ticket early with "sudo -k", which is useful to place in a .logout file.
sudo <command>
You will be asked to enter your own password (not root's), and if it is correct the command is run as root. You can then continue to sudo other commands without being asked for a password for a period of 5 minutes, after which you have to supply the password again.
# Host alias specification
Host_Alias HUB=houdini:\
REMOTE=merlin,kodiakthorn,spirit
Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
Host_Alias CUNETS=128.138.0.0/255.255.0.0
Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
128.138.205.192
# User alias specification
User_Alias FULLTIME=millert,dowdy,mikef
User_Alias PARTTIME=juola,mccreary,tor
# Runas alias specification
Runas_Alias OP=root,operator
# Command alias specification
Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\
SHUTDOWN=/etc/halt,/etc/shutdown
# User specification
FULLTIME ALL=(ALL) NOPASSWD: ALL
%wheel ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
jimbo CUNETS=/bin/su ?*,!/bin/su root
nieusma SERVERS=SHUTDOWN,/etc/reboot:\
HUB=ALL,!SHELLS
jill houdini=/etc/shutdown -[hr] now,MISC
markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
kodiakthorn=NOPASSWD: ALL
steve CSNETS=(operator) /usr/op_commands/
The first four sections define host, user, runas, and command aliases; a single alias line can define several aliases of the same type separated by ":", and a trailing backslash continues an entry on the next line. The last section defines who can do what with sudo. FULLTIME (i.e. users millert, dowdy, and mikef) can run all commands on all hosts, as any user, without supplying a password; members of the wheel group can run all commands as root; PARTTIME (users juola, mccreary, and tor) can run all commands except the shells and su listed in the SHELLS and SU aliases (they cannot "sudo csh", for example); and the remaining users can only run the commands listed for them, on the hosts listed for them. Note that such "!" exclusions are a weak control: as the sudoers(5) manpage warns, subtracting commands from ALL is generally not effective, since a user allowed ALL,!SHELLS can simply copy /bin/sh under another name and run the copy. Exclusions from ALL should not be relied on to stop a determined user; grant a positive list of commands instead.
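The following script is an added example and is not part of the original page or of the sudo distribution. It performs a small audit over a sudoers fragment: it joins backslash-continued entries, skips comments and alias definitions, and reports user specifications that subtract commands from ALL with "!", use any other "!" negation, or grant NOPASSWD: ALL. The sample sudoers text is constructed for this example, modelled on the file above; the finding labels (NOPASSWD_ALL, EXCLUSION_FROM_ALL, NEGATED_PATTERN) are this script's own, not sudo terminology.

```shell
#!/bin/sh
# Added example, not the page's or sudo's own code: audit a sudoers fragment
# for grants that are weaker than they look. Labels are this script's own.

# Constructed sample, modelled on the page's sample sudoers file.
SAMPLE_SUDOERS='# Command alias specification
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
# User specification
FULLTIME ALL=(ALL) NOPASSWD: ALL
%wheel ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
jimbo CUNETS=/bin/su ?*,!/bin/su root
nieusma SERVERS=SHUTDOWN,/etc/reboot:\
    HUB=ALL,!SHELLS
davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
    kodiakthorn=NOPASSWD: ALL'

# audit_sudoers TEXT: print one "LABEL: <logical entry>" line per finding.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        # A trailing backslash continues the entry on the next physical line.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Comments, blank lines and alias/Defaults lines grant nothing.
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        line ~ /^[ \t]*(Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias|Defaults)/ { next }
        # Passwordless ALL: the grant is only as strong as the user account.
        line ~ /NOPASSWD:[ \t]*ALL([ \t]|$)/ { print "NOPASSWD_ALL: " line }
        # ALL followed by a "!" exclusion (ALL,!SHELLS): sudoers(5) documents
        # this as circumventable by copying the excluded binary elsewhere.
        line ~ /ALL[ \t]*,[ \t]*!/ { print "EXCLUSION_FROM_ALL: " line; next }
        # Any other negated command pattern deserves a manual look.
        line ~ /,[ \t]*!/ { print "NEGATED_PATTERN: " line }
    '
}

# count_findings LABEL TEXT: number of findings carrying LABEL.
count_findings() {
    audit_sudoers "$2" | grep -c "^$1:" || true
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Run it against a real file with audit_sudoers "$(cat /etc/sudoers)" on a host where you can read the file; every EXCLUSION_FROM_ALL line is a candidate for rewriting as a positive command list, and every NOPASSWD_ALL line should be a deliberate decision.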
For further details, see the sudo(8) and the sudoers(5) manpages.