The “Sudo” Command on CentOS
October 27, 2012. Posted by Tournas Dimitrios in Linux.
In Linux (and Unix in general) there is a superuser named root (the closest Windows equivalent is the Administrators group). The root user is the “king of the box”: he even has the power to destroy the system. Each Linux distribution takes a slightly different approach to the root account. Ubuntu (a Debian derivative) locks the root account by default, which means you cannot log in as root directly or use the “su” command to become root; instead, the first user created during installation is allowed to run anything with sudo. On CentOS, by contrast, the installer sets a root password and root is the account you administer the box with; any additional user it creates is an ordinary, unprivileged account. So by default the only way to run programs with root privileges on CentOS is to log in as root, or to run “su” in a terminal to elevate your permissions. However, some tasks that need root privileges also have to be carried out by ordinary, unprivileged users. Handing the root password to every user is a very bad idea (hope there are no disagreements). Ideally, selected unprivileged users are allowed to run only certain programs as root, without having to know the root password.
On CentOS no user has “sudo” privileges by default (the “wheel” group line in the sudoers file ships commented out). The administrator can grant these privileges to the users he thinks should have them. Those users can then run the commands they have been permitted by simply prepending “sudo” to the command and entering their own password (not root’s). Some preparation has to be done first: the administrator has to configure the “/etc/sudoers” file. Instead of editing this file directly, it is highly recommended to use the “visudo” utility.
visudo edits /etc/sudoers in a safe fashion: it locks the file against multiple simultaneous edits, performs basic sanity checks, and checks for parse errors before installing the new file. If /etc/sudoers is currently being edited you will receive a message to try again later. Upon finding an error, visudo prints a message stating the line number(s) where the error occurred and presents the “What now?” prompt. At this point you may enter “e” to re-edit the sudoers file, “x” to exit without saving the changes, or “Q” to quit and save the changes anyway. The “Q” option should be used with extreme care, because if visudo believes there is a parse error, so will sudo, and nobody will be able to sudo again until the error is fixed (on a box where root is only reachable through sudo, that is a lockout). If “e” is typed after a parse error has been detected, the cursor is placed on the line where the error occurred (if the editor supports this feature). An installed file can be re-checked without editing it with “visudo -c”, and a user can list exactly what he is allowed to run with “sudo -l”.
- By default, the root account password is locked in Ubuntu, which is why “su” fails there and sudo is the only route to root.
- visudo’s editor is the well-known vi editor by default, though it can be changed (see “man visudo” for the “editor” and “env_editor” options).
A display similar to the following is shown by visudo:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Some examples (the general shape of a line is: user or %group, then the hosts it applies to, “=”, an optional “(runas)” user, an optional tag such as NOPASSWD:, and a comma-separated list of commands):
- The “#” sign denotes a comment line
- enables a user to run any command, on any host, as any user (this is the same as handing out root):
youruser ALL=(ALL) ALL
- enables a user to run any command without being asked for a password; anyone who can log in as that user, or who steals its SSH key, is root without ever seeing a password prompt:
ec2-user ALL = NOPASSWD : ALL
- specify a list of commands; note that a command listed without arguments may be run with any arguments the user likes, so here otheruser can mount anything anywhere:
otheruser ALL= /sbin/mount , /sbin/umount
- the percent sign designates a group; here the arguments are fixed, so members of “users” can only mount and unmount /cdrom (to allow a command with no arguments at all, write the command followed by ""):
%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
- remove password protection like so (the NOPASSWD: tag applies to every command that follows it on the line):
%users ALL=NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
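Added example, not part of the original post: a small Python script that parses user privilege lines in the syntax shown in the sudoers display and in the examples above, then flags the grants an administrator should question (ALL commands, ALL without a password, commands that can spawn a shell, and commands listed without fixed arguments). The SAMPLE text is constructed from the post's own entries, and the SHELL_ESCAPES list is an illustrative assumption, not something taken from sudo itself; the parser deliberately ignores Defaults, alias and include lines and does not replace “visudo -c” as the real syntax check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the post's entries plus root's own line (not a real host's file).
SAMPLE = """\
# sudoers file
root      ALL=(ALL) ALL
# %wheel  ALL=(ALL) ALL
youruser  ALL=(ALL) ALL
ec2-user  ALL = NOPASSWD : ALL
otheruser ALL= /sbin/mount , /sbin/umount
%users    ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users    localhost=/sbin/shutdown -h now
%users    ALL=NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
"""

# Tags that may prefix a command in a user specification (sudoers(5)).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Assumed, illustrative list of binaries that hand the caller a root shell.
SHELL_ESCAPES = {"/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/vi",
                 "/usr/bin/vim", "/usr/bin/less", "/usr/bin/find"}

# user|%group  host[,host...] = [(runas)] [TAG:] cmd [args][, cmd ...]
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")


@dataclass
class Command:
    path: str
    args: Optional[str]   # None: any arguments accepted; "": no arguments accepted
    nopasswd: bool


@dataclass
class Entry:
    who: str
    hosts: List[str]
    runas: str
    commands: List[Command]


def parse_commands(rest: str) -> List[Command]:
    """Split the comma-separated command list. A tag applies to every
    command after it until another tag overrides it."""
    commands, nopasswd = [], False
    for raw in rest.split(","):
        item = raw.strip()
        while True:                       # peel off one or more TAG: prefixes
            m = TAG_RE.match(item)
            if not m or m.group(1) not in TAGS:
                break
            tag, item = m.group(1), m.group(2).strip()
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
        if not item:
            continue
        parts = item.split(None, 1)
        args = parts[1] if len(parts) > 1 else None
        if args == '""':                  # sudoers spelling for "no arguments allowed"
            args = ""
        commands.append(Command(parts[0], args, nopasswd))
    return commands


def parse_sudoers(text: str) -> List[Entry]:
    """Parse user privilege specifications only; Defaults, alias and
    include lines are skipped, negated (!) commands are not handled."""
    entries = []
    skip = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias",
            "Runas_Alias", "@include")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(skip):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        entries.append(Entry(
            who=m.group("who"),
            hosts=[h.strip() for h in m.group("hosts").split(",")],
            runas=m.group("runas") or "root",          # runas defaults to root
            commands=parse_commands(m.group("rest")),
        ))
    return entries


def audit(entries: List[Entry]):
    """Return (who, severity, reason) for every grant broader than
    'one fixed command with fixed arguments'."""
    findings = []
    for e in entries:
        if e.who == "root":
            continue                                   # root's own line is expected
        for c in e.commands:
            if c.path == "ALL":
                why = "may run any command as %s" % e.runas
                if c.nopasswd:
                    why += " without a password"
                findings.append((e.who, "critical" if c.nopasswd else "high", why))
            elif c.path in SHELL_ESCAPES:
                findings.append((e.who, "high", "%s can spawn a root shell" % c.path))
            elif c.args is None:
                findings.append((e.who, "medium", "%s allowed with any arguments" % c.path))
    return findings


if __name__ == "__main__":
    for who, sev, why in audit(parse_sudoers(SAMPLE)):
        print("%-8s %-10s %s" % (sev, who, why))
```

Run it as-is to audit the sample, or feed it the output of “visudo -c” style review by replacing SAMPLE with the contents of your own /etc/sudoers; the “medium” findings are the ones most often missed, because a bare “/sbin/mount” looks harmless but accepts any arguments.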