jump to navigation

The “Sudo” Command on CentOS October 27, 2012

Posted by Tournas Dimitrios in Linux.

In Linux (and Unix in general) , there is a SuperUser named Root (the Windows equivalent of Root is Administrators group) . The root-user is the “King of the box” , he has even the “power” to  destroy the system . Each Linux distribution has a slightly different approach when dealing with “root” accounts . For example ,  Debian distributions (like Ubuntu) doesn’t use Root-user by default , this means that you cannot login as Root directly or use the “su” command to become the Root user . While in Ubuntu ,  the first user that’s  set up during the installation process has rights to run anything with sudo , in CentOs  the first user is a “full privileged” account (Root) . By default , the only way to run programs with root privileges on CentOs is to log in as root , or by running “su” in a terminal (elevating user permissions) . However , certain tasks (root programs) have also to be run by unauthorized users with “full privilege rights ” . Assigning  root privileges to every user is a very bad thing (hope there are no disagreements ) . Ideally, some unauthorized users are assigned “full privilege rights” only  to run certain programs as Root without having to know the root password .

On CentOs , none user has “sudo” privileges by default . Though , the administrator can  assign these privileges to users that he think they should  . This means that in the terminal , these users can use “sudo” for commands they have been permitted  , by simply prep-ending “sudo”  to all these commands  and providing their password (not root’s password) . Of course some preparation has to be done first , the administrator has to configure the “/etc/sudoers” file . Instead of directly editing this file , it is highly recommended to use the “visudo” utility .  visudo edits the /etc/sudoers file in a safe fashion ,  locks the  file against multiple simultaneous edits , provides basic sanity checks , and checks for parse errors . If the /etc/sudoers file is currently being edited you will receive a message to try again later .  Upon finding an error ,visudo will print a message stating the line number(s) where the error occurred and the user will receive the “What now?” prompt . At this point the user may enter “e” to re-edit the sudoers file , “x” to exit without saving the changes , or “Q” to quit and save changes . The “Q” option should be used with extreme care because if visudo believes there to be a parse error , so will sudo and no one will be able to sudo again until the error is fixed . If  “e” is typed to edit the /etc/sudoers file after a parse error has been detected , the cursor will be placed on the line where the error occurred (if the editor supports this feature) .

    • By default , the Root account password is locked in Ubuntu
    • visudo’s editor is the well known  Vi – editor , though it can be changed (do a man visudo for more information)


A display similar to the following is shown with visudo :

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification

root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel  ALL=(ALL)       ALL
# Same thing without a password
# %wheel  ALL=(ALL)       NOPASSWD: ALL
# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

Some examples :

  • The “#” sign , denotes a comment line
  •  enables a user to run any commands
    youruser  ALL=(ALL)  ALL
  • enables a user to run any commands without the need to pass a password
    ec2-user   ALL = NOPASSWD :  ALL
  •  specify a list of commands
    otheruser  ALL= /sbin/mount , /sbin/umount 
  •  the percentage-sign designates a group
    %users ALL=/sbin/mount /cdrom,/sbin/ umount /cdrom 
  • remove password protection like so :
    %users ALL=NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom 


1. Caroline - November 16, 2012

i will get in touch with this post and site as well , giving this kind of post is really happy. looking for someone here. anyway waiting for another post here.

2. Hardening Linux by Disabling SSH Password Authentication (allow only RSA) « Tournas Dimitrios - January 4, 2013

[…] The “Sudo” Command on CentOS […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: