---January 13, 2005
You mignt want to have a look at what "Tidy for FreeBSD" has done to the title of the page, though, 'cos it don't look too tidy, to me!
---January 28, 2005
My fault.. been doing a lot of cleaning up with tidy, but apparently a little too quick and didn't check the errors closely enough.
Fri Mar 25 05:07:33 2005:
I find this article to be very useful as i always used to think whether is the principle sudo possible and now it became possible ...:). It wud be better if the Security part regarding environmental variables part is more elaborated.... Anyway, thanks for the article as it was useful for me, beginner...
Tue Mar 29 02:39:07 2005:
Is it possible to specify the list of commands that are not allowed.
Tue Mar 29 10:02:16 2005:
Yes, it's POSSIBLE to say "these are the commands that you can't run", but it's not a good idea to do so. From the man page:
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias,
jill may run any commands in the directory
/usr/bin/ except for those commands belonging
to the SU and SHELLS Cmnd_Aliases.
But (also from the man page):
It is generally not effective to "subtract"
commands from ALL using the ! operator. A
user can trivially circumvent this by copying
the desired command to a different name and
then executing that. For example:
Tue Mar 29 15:25:19 2005:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the
commands listed in SU or SHELLS since he can
simply copy those commands to a different
name, or use a shell escape from an editor
or other program. Therefore, these kind of
restrictions should be considered advisory
at best (and rein- forced by policy).
Thank you for your response. So if I understand correctly, there is no effective way of subtractinga list of commands?
Tue Mar 29 16:48:18 2005:
Correct.. list the allowed commands or directory
Wed Dec 28 09:35:42 2005:
very nice article! thank you :)
Thu Jan 26 15:50:37 2006:
Thanks for the article! I was actually trying to configure sudo last night for the first time and got kinda lost with the man pages. Then I found your article and now I can at least configure the sudoers file and test some users capabilities. I am trying to find a solution for my programmers where I don't have to give them the root password as they frequently need to su as another user on the system to troubleshoot their issues. So after going through various newsgroups, it seemed like sudo would be able to accomplish this. Is this assumption correct? Is the syntax "sudo su - 'username'" after I configure the sudoers file w/ the usernames of my programmers? Thanks for your help!
Thu Jan 26 16:16:59 2006:
They just do
sudo su -
Or "sudo command"
if you've only given them access to specific commands.
(I'm assuming they want to be root - if it is some other user, then
yes, sudo "su -" username would be it)
Sun Jan 29 23:38:41 2006:
So I configured the sudoers file so when my programmers log in, they type "su - 'username of who they want to be'" and it works! Thanks!
How come there are some files owned by user "8036" and some owned by root in my SUDO directory?
case in point:
-rw-r--r-- 1 8036 system 640 Jan 25 16:56 sudoers
-rw-r--r-- 1 8036 system 60958 Nov 08 10:22 sudoers.cat
-rw-r--r-- 1 root system 57536 Jan 25 16:34 sudoers.man
-rw-r--r-- 1 8036 system 57727 Nov 08 10:22 sudoers.man.in
-rw-r--r-- 1 8036 system 44838 Nov 28 2004 sudoers.pod
-rw-r--r-- 1 8036 system 2902 Feb 12 2004 sudoers2ldif
-rw-r--r-- 1 8036 system 9920 Aug 02 2004 testsudoers.c
-rw-r--r-- 1 8036 system 6350 Jun 06 2004 tgetpass.c
-rw-r--r-- 1 root system 5232 Jan 25 16:36 tgetpass.o
-rw-r--r-- 1 8036 system 1814 Sep 11 2004 utimes.c
-rw-r--r-- 1 8036 system 1195 Nov 08 10:22 version.h
-rwxr-xr-x 1 root system 188507 Jan 25 16:37 visudo
Mon Jan 30 10:25:27 2006:
The install had files owned by "8036". You don't have a user with that id.
That's not at all unusual and nothing to be concerned about, though you may want to change these just so it doesn't bite you if you ever do add a user and use that id.
Mon Jan 30 16:26:05 2006:
Mon Jan 30 17:24:45 2006:
What line would I put into my sudoers file to restrict users from su'ing to root.
I have user1 in group1 being able to su to other users w/o passwords which is what I want.
But I want to restrict user1 to su to root. They can su to other users but I don't want them to su to root.
right now user1 can su to root w/o a password.
Is there a way to do this?
Mon Jan 30 18:14:44 2006:
Sure - see the "Limiting Commands" at the end of the article above.
Mon Oct 9 20:47:41 2006:
Nice article. Just what I needed. Though the one liner text boxes are a little irritating to scroll and read through.
Mon Oct 9 21:01:16 2006:
Use the "Printer Friendly" link.
for WHY we have those.
Mon Dec 4 19:33:34 2006:
Really nice article. Was really helful
How can I configure sudo so that it will be able to monitor all activities performed by the pseudo administrators and report on any discrepancies.
Mon Dec 4 20:02:44 2006:
If you enable logging, you can track every command.. but it isn't up to sudo to decide something is a "discrepancy" - that's your job. If you don't want to let someone use a particular command, then configure it so.
Wed Mar 7 06:57:05 2007:
I wanted to create a user with the access to stop/start apache, so i created this line :
%adminx ALL=NOPASSWD: /etc/rc.d/init.d/httpd
When i login as the user ( which belongs to the "adminx" group ), i got this error message when i issued command "/etc/rc.d/init.d/httpd restart" :
rm:cannot remove `/var/run/httpd.pid' : Permission Denied
Touch:cannot touch `/var/locl/subsys/httpd' : Permission Denied
What should i do to enable that particular to stop/start httpd service?
Wed Mar 7 11:50:48 2007:
Apache runs as root during startup. This could get pretty complicated.. I think I'd use a setuid wrapper instead..
Wed Jun 20 20:03:20 2007:
Nice article. Thanks. Is this possible to somehow set a command prompt when working with sudo? Say, I want the prompt to be % how can I set it?
Wed Jun 20 20:21:57 2007:
You mean when you start a sudo shell..
Probably - can't think about it right now..
Wed Aug 15 09:59:48 2007:
Thank you I found the sudo article useful. good intro for a beginner :)
Fri Jan 4 17:16:20 2008:
I have one qustion:
How can I do so, that userA give permissions to userB to execute some commands, without userA to have access on the permissions on the another users(C,D...) ?
Fri Jan 4 18:34:48 2008:
User A can't give permissions - root gives permissions with the conf file. Look at the examples.
Thu Jan 10 21:03:27 2008:
I think in this way as sample: userA has permission of #sudo -f /etc/allow/sudoers to allow userB to do something and #sudo -f /etc/deny/sudoers to restore the original config file! Is it possible?
file /etc/allow/sudoers the file with the permissions for userB...
of course userA can never give another permissions to userC.
Sun Jan 27 17:56:03 2008:
Great guide but i can't start visudo?
I get this answer; visudo: /etc/sudoers: Permission denied,
Do you have a solution for this?
Sun Jan 27 18:04:42 2008:
Are you root?
Sun Jan 27 18:33:25 2008:
No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.
Sun Jan 27 18:42:37 2008:
No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.
Sun Jan 27 19:07:45 2008:
OK, so you were not in sudoers and you've lost your root password? See (link)
Sun Jan 27 19:53:16 2008:
I know my password it did not work in su, authentication error. The problem started with a chown command i guess, don't remember exactly what i did wrong.
My ls -l command give this; ---s--x--x 1 keeej root 91776 /usr/bin/sudo. I'm i root anyway? If so how to fix that? Ps sorry about the dubbel posting above Ds
Sun Jan 27 20:06:41 2008:
If you are already root, you can just edit the sudoers file directly: visudoers is simply to keep two roots from mucking there at the same time.
sudo should be owned by root: it's setuid (that "s") for the owner - which has to be root.
---s--x--x 1 root root 81644 Jan 14 15:36 /usr/bin/sudo
So if you ARE root:
chown root /usr/bin/sudo
Sun Jan 27 21:11:47 2008:
Thank you for your effort but operation denied.
Maybe its time for a reinstall?
Sun Jan 27 21:32:11 2008:
Or you might try booting to single user and see if you can fix up things there.
Wed Mar 26 14:11:19 2008:
very usefull indeed...
Fri Jul 4 18:26:56 2008:
Thanks for this article, the manpage was extremely intimidating, but this gives me basically everything I need. Respect knuckles.
Sat Jul 5 14:14:45 2008:
Nice article! Keep the articles coming :)
Tue Sep 8 09:46:39 2009:
Thank you. most helpful. I can understand the meaning of all the ALLs now :)
Tue Oct 13 13:36:26 2009:
Very good !
Tue Nov 3 11:25:52 2009:
Tue Mar 2 13:33:17 2010:
Updated sudo packages fix escalation vulnerabilities: (link)
Fri May 14 17:50:17 2010:
You just saved me from spending the rest of the afternoon trying to make sense of the man page.
Sat Jul 10 16:33:41 2010:
I am using sudo inside a script. When it runs unix command it ask for password and always I have to provide it manually. Is there any way I can provide it dynamically ?
sudo cp file1.txt target_dir
Sat Jul 10 16:56:16 2010:
You can set it to use no password, you can use the -A option, you can run your script with Expect or you can use a setuid program.
Thu Aug 5 07:24:20 2010:
I wanted to stop haproxy service using the nagios nrpe plugin. I am able to stop the service using the sudo command from nagios user. But when i try stopping the service from remote nagios server. I am unable to do that.
When i try stopping the service remotely typically a shell script is executed by nagios user on the client machine. But it does not stops the service.
The shell script is as follows:
sudo /etc/init.d/haproxy stop
echo "Stopped HA Proxy"
The output on the remote end is 'Stopped HA Proxy' but exactly the service is not stopped. Whereas if i run the same command in the script or script itself as nagios user. The service is stopped properly.
I will be seeking help.. Thanks is advance
Tue Aug 17 21:42:51 2010:
I tried using sudo and was warned that if I continued to use it I would lose important files
Tue Aug 17 21:48:04 2010:
Warned by who?
Do you mean the warning that sudo prints the first time you use it??????
Tue Aug 17 22:22:58 2010:
The first time I used it without success, my computer crashed. The second time, I got the warning. From who, I don't know.
Tue Aug 17 23:15:30 2010:
I don't think you should be using sudo and maybe you shouldn't be using Linux at all.
Sat Oct 23 13:03:41 2010:
if you give permission passwd to user so mean that user can change password root also. do you have any solution to protect this?
Sat Oct 23 13:15:49 2010:
"do you have any solution to protect this"
Specify the commands you want to allow.
Sat Oct 23 13:28:44 2010:
if you allow a sudo user to change password for default user.
this condtion sudo user can change password also.
so how can we solve this problem?
Sat Oct 23 18:12:45 2010:
No, that is not the case at all. You have not bothered to read this page, have you? Read the section on limiting commands.
Sun Oct 24 05:25:47 2010:
let do it by yourself first.
example: visudo -f /etc/sudoers
tony ALL = ALL NOPASSWD:/usr/bin/passwd
then create alias for user tony to user command passwd
echo "alias passwd="sudo /usr/bin/passwd" >> /home/tony/.bashrc
then tony can use this command to change password root
then its allow tony to change password
u ever think about this problem?
hope you reply me soon .. thank you for your information.
Sun Oct 24 11:38:16 2010:
If they need to change their own password, they do it while logged in normally, without sudo. You don't LET them run "passwd" with sudo.
That's not entirely foolproof, of course. See (link)
Mon Oct 25 09:52:34 2010:
what can we do if like this? if we not allow that user to run sudo how can they run another command?
i can fix alias for that user but that user can run sudo /usr/bin/passwd as well.
if i block sudo that user can not do anything.
can u example for me?
thank you in advance for your response
Mon Oct 25 10:43:28 2010:
As is explained right here on this page, you can limit a sudo user to the specific commands you need them to be able to run. As explained in the other link I gave you, you do have to be careful that none of those commands give shell access.
Life is not perfect. When you trust people with power because they need it for some task, you always run some risk that they will abuse that power.
I think your basic issue is that you have not really read this page or the sudo man page and therefore do not understand what I have been trying to tell you. Read the section on Limiting Commands above and also that other link I gave you.
In the example I gave in Limiting Commands, Jim can't run just "sudo". He can't get a shell. He CAN run "sudo kill" or "sudo linuxconf" and the commands in /usr/sbin/Jim (which presumably he cannot write to) but that's it. He wouldn't be able to run "sudo passwd root" or "sudo passwd" anything.
If you still do not understand this, I can't offer you anything more. You need to READ.
Sat Dec 11 01:04:57 2010:
In effect nice article, i'm trying to give rights to a beginner user on "/etc/init.d/networking restart" cause we have a realy bad (public wifi) connection and need to regularly have a dhcp request done to the provider...
(the fact is that the "Network manager" of Gnome crashes sometimes so a networking restart is the more efficient to arrange it)
So i thought about adding this line to my sudoers file:
theuser themachine= /etc/init.d/networking restart
but i have a permission denied when theuser runs /etc/init.d/networking restart :
Reconfiguring network interfaces...ifdown: failed to open statefile /etc/network/run/ifstate: Permission denied
ifup: failed to open statefile /etc/network/run/ifstate: Permission denied
Sat Dec 11 01:57:08 2010:
The user has to run
sudo /etc/init.d/networking restart
Fri Jul 15 01:51:30 2011:
Thanks a lot for the easy to understand article.
I have configured sudo and its working as its suppose to, no problem there.
however, I am getting a small glitch (weird actually) when I do "visudo -s sudoers".
when I try to save the file visudo returns with " what now?" though visudo doesn't throw any format errors along with it, just "what now" as if its the default option. I do a "Q" to save the file and sudo works perfectly afterwards, but as per my understanding visudo should not return with "what now?" if there aren't any errors and should save the file directly.
Any help will be much appreciated.
Thu Jul 28 01:44:05 2011:
Hi, i have a particular user with sudo permissions, but enable to find his entry in visudo file. so how did he got that sudo effects and were can i disable his sudo entry. plz respond......
Thx in advance...........
Thu Jul 28 10:18:44 2011:
Why do you say he has sudo permissions?
Tue Aug 16 12:27:43 2011:
Hi, I'm new to sudo so please excuse my pundit question. Can I, with sudo, enable a user to run all commands in an environment but only on specific directories. An example, we have websphere admins who need root access to do their software deployments. The WAS application/install/deployments all resides on a non-OS filesystem/directory. The users however need to be able to use rm/chmod/vi/ln commands and much more within this directory. Now, what I know I can do, is to list all hundred commands to be used, or is there an easier way? In short, I want the users to be able to do what they want anywhere on the system but systems directories and files.
Tue Aug 16 12:44:09 2011:
No, you'd be better to give specific permissions to those directories. See (link)
Wed Aug 31 09:17:30 2011:
Thanks Tony for this nice article !
One question more :
I access a program via a web page who ask for a root account in order to run.
I log first to the server and then sudo but when I access the web page, my sudo user can't log.
Is there a way to log as a sudo user on the web page and make the program run ?
Tue Oct 4 12:35:29 2011:
I have a command like xm console <hostname> I added xm console to the sudoers files and at the prompt I am typing xm console <actual-hostname>.
It is not executing the command.Can you please tell why this could be happening.
Tue Oct 4 12:47:57 2011:
No. Just add "xm".
Tue Oct 4 17:16:11 2011:
If you want something that only does "xm console", you need to create another command that does that and passes the other argument and add THAT to sudoers.
Fri Oct 7 08:50:18 2011:
Can you please explain with an example.What I understand is create a alais for the xm console command and they pass the hostname from the command line is that right.
Fri Oct 7 13:21:14 2011:
No, you don't want an alias. You want an actual script or executable.
Wed Oct 19 13:08:15 2011:
hi, i prevented the "su" command from sudo users. i want prevent the sudo user to become root or any other user. but with "sudo vi" command user is able to execute shell command and with "!bash" command user become root...how can i prevent this (without restricting the vi editor).thank you...
Wed Oct 19 14:19:50 2011:
See the manual and search for "shell escapes".
for example (though you have 'info sudoers' also)
Fri Oct 21 11:09:53 2011:
i installed sudo in Sun blade T6320 server & also edit visudo file for user entry and syslog.conf file for log checking .But i am unable to see sudo log(What command were run by sudo user)...........
Fri Oct 21 11:20:02 2011:
Did you remember to modify syslog.conf (sudo logs to local2 by default, see your sample.syslog.conf file in your sudo fules)?
You'd need to signal syslogd after that, too.
Mon Oct 31 17:40:50 2011:
If you sudo a job as another user my_target_user, and the initial unix session you invoked the sudo command terminates, does the script you submit under the target user terminates too ? or will it run under its own sheell under the target user you sudo to ?
Mon Oct 31 17:56:42 2011:
Mon Nov 21 10:27:05 2011:
After restart the service(svcadm restart system-log)and editing syslog.conf file.I am able to see the log(User login details) in /var/log/sudo.log
But unable to see the what's command fired by perticular user...
Mon Nov 21 10:43:25 2011:
You've missed something or didn't use visudo..
Mon Jan 2 13:05:10 2012:
Is there a way to get the actual user name using the sudo user name ?
Mon Jan 2 13:21:12 2012:
Did you read the section on logging? The name appears in the logs.
Tue Jan 3 06:23:36 2012:
I am not the admin and will not know anything about the logs(location) in sudoer file. Apart from logs, is there any other way to get the actual user from sudo user name ?
Tue Jan 3 11:43:33 2012:
You are not making sense. If you aren't an administrative user, of course you have no access to what other people did.
Thu Jan 26 09:30:53 2012:
Hi we have the environment where we have shell access through sudo which we dont change.here I have a query how we can audit the logs for the sudo user.
so we want after doing sudo what user do , evertying should be logged .
$ sudo bash
now i am as root so what ever I do how we can get it logged
Please suggest how we can get this possible
Thu Jan 26 14:48:40 2012:
Did you read the article or just jump down to ask your question??
Fri Mar 23 10:01:55 2012:
I wanted to restrit the user to run the init command but i want to give them permission the can copy and delete the file with the help of sudo. pls help me regarding same.
Thanks in advance.
Fri Mar 23 10:46:26 2012:
I'm sorry - I don't understand what you want.
Mon Apr 23 20:45:19 2012:
I give you props for answering all of the questions, and I like the comment to anonymous about (s)he should not be using unix. Great comment.
Just imagine if everyone actually read the article first before asking questions, you would have nothing to do other then to receive praise ;)
Mon May 14 13:33:34 2012:
I have a question. Is there any possibility that the user can only access sudo nano /etc/myserver.conf and must not edit files like sudo nano /etc/passwd, sudo nano /etc/myserver.conf, etc.
Mon May 14 15:54:52 2012:
Not easily. You'd need to have an editor that doesn't allow you to read or write any other file. You could edit source to make such a thing, of course.
Mon Jul 23 06:41:28 2012:
Lawrence, could u pls tell me how to disable access for more than 1 user at a time in /etc/sudoers file, I know by manually edit the file(visudo) and comment out (#)..
Is there any way to do by scripting, since I have to disable access for more than 20 users, It is eating more time with manual edit of file and do comment out every time.
thanks in advance...
Mon Jul 23 10:59:22 2012:
Yes, you could do it with a script. No, I'm not going to write such a script for you.
Thu Aug 2 09:39:20 2012:
Want to restrict chmod & chown command to run by user using SUDO permission in a specific directory only?
I can run these command by SUDO system-wide, but on server I want to give access to these commands in /var/www/html directory only.
How to restrict to run commands in specific directory through SUDO?
Thu Aug 2 09:53:36 2012:
"restrict to run commands in specific directory"
Can't be done with just sudo. Difficult to do, period. You'd need to replace the chown/chmod commands and let the user run THOSE with sudo and writing those to cover every case will NOT be easy.
Fri Sep 21 15:17:07 2012:
I just had to do my last SCO Openserver migration, we need to have certain acocunts have the ability to run commands using asroot. I have it setup, but when I login as myself and not as root I tried to run a 'w' cmd. The only users that showed up as logged in were me. When I do it as root, no big deal. Thoughts?
Thanks in advance!
Fri Sep 21 19:58:23 2012:
asroot and sudo are wary of privilege escalation.. or maybe you have wrong perms on the wtmp files.
Fri Oct 19 15:25:50 2012:
This article is great for configuring sudo. But show an actual example of using sudo please.
Fri Oct 19 15:42:25 2012:
There are several examples in the article - quite a few, in fact. Did you actually READ it?
Fri Nov 30 14:17:16 2012:
Great article, keeping in mind the complicated nature of sudo setup per se. Nice explanation too over how the changes will behave.
Tue Mar 5 16:27:51 2013:
hi there, just want to say thanks for this article and all the comments too. I think i'm nearly there in solving this. I'm trying to rsync apache logs from a remote to a local server and in my sudoers file have this
loguser ALL= /usr/bin/rsync, /usr/bin/tail, /var/log/httpd
but i also need to allow loguser to change directory and when I run my rsync file i get this:-
sending incremental file list
rsync: change_dir "/var/log/httpd" failed: Permission denied (13)
What do i need to add to allow 'change_dir' for loguser? Hope you can advise. Thanks Lou
Thu Aug 15 01:33:33 2013:
Hello I installed minecraft using sudo thinking that was how things were installed (im new to linux). Well now im trying to uninstall it but it has a little lock on the minecraft icon and I cannot uninstall it. I read somewhere else that I had to go to properties then permissions and change what I was allowed to do, but I cant change anything and at the bottom of the window it says "You are not the owner, so you cannot change these permissions" please help.
Thu Aug 15 09:51:20 2013:
Did you try removing it with sudo?
Fri Aug 16 16:43:39 2013:
Lou - I was sure I had answered your question earlier, but I see not.
I think that you are sudo'd on one side, but not the other.. the sudo does not pass through to the other rsync; you only have the perms of the rsync account you used.
Sat Feb 22 08:40:46 2014:
This arctical Simply Great!
One Question Lawrence , Can we read the setuid or Binary Files by any means ?
Sat Feb 22 11:31:14 2014:
You can see the setuid bits with "ls -l". The "file" command can help you determine whether a file is text or not.
Thu Dec 18 17:08:47 2014:
Hi, I have quick question I am trying to setup a script to find the sudo privileges for all users on a server, I am facing an issue with command "sudo -l -U username" on specifically sudo version 1.6xx (the command works fine with sudo versions 1.8x or later). Not sure what other options we have to get the sudo privileges for other users, please share if I can use some other flags on all sudo versions. Thanks in advance!!
Sudo version 1.6.7p5
server1# sudo -l -U amohamme
sudo: Illegal option -U
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>
server2:/# sudo -V |head -1
Sudo version 1.8.9p5
server2:/# sudo -l -U amohamme
User amohamme may run the following commands on txcomregappqa51:
(ALL) NOPASSWD: /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root
Thu Dec 18 18:56:40 2014:
It's not a quick question for me - I have no idea about version specific bugs. Someone else reading this might know, though I bet chances are slim.
Mon Feb 2 11:32:19 2015:
$ sudo -l
Matching Defaults entries for dineshr on this host:
logfile=/var/log/sudo.log, syslog=auth, syslog_badpri=notice, syslog_goodpri=notice
User dineshr may run the following commands on this host:
(root) NOPASSWD: /bin/su - dedw_adm
I'm new to Unix. How could i use this sudo access further for informatica related stuffs.
Mon Feb 2 14:03:22 2015:
I have no idea what "informatica related stuffs" means. Read the article.
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.