Jay Taylor's notes
back to listing indexUnderstanding and using sudo in Unix or Linux (with examples)
[web search]Using sudo
Learn to use Linux "sudo" for more security.
Most systems have some way of letting ordinary users perform certain tasks as root or some other privileged user. SCO Open Server has "asroot" and can also directly assign "authorizations" such as backup privileges or being able to change other user's passwords. SCO Unixware/Open Unix 8 have a similar facility in "tfadmin".
Many other Unixes, and Linux, use "sudo".
The configuration of sudo is by the /etc/sudoers file. I'm sure that there are more poorly written man pages, but "man sudoers" is among my all time favorites for obfuscation and poor explanation. The creation of the file and the actual use of sudo isn't all that bad though.
First a little background. The sudo program itself is a setuid binary. If you examine its permissions, you will see:
---s--x--x 1 root root 81644 Jan 14 15:36 /usr/bin/sudo
That "s" means that this is a "setuid" program. You and everyone else have execute permission on this, so you can run it. When you do that, because it is setuid and owned by root, your effective user id becomes root- if you could get to a shell from sudo, you effectively WOULD be root- you could remove any file on the system, etc. That's why setuid programs have to be carefully written, and something like sudo (which is going to allow access to other programs) has to be especially careful.
A setuid program doesn't necessarily mean root access. A setuid program owned by a different user would give you that user's effective id. The sudo program can also change your effective id while it is running- I'll be showing an example of that here.
Finally, setuid and sudo are NOT the same thing as the administrative roles of Unixware or the authorizations and privileges of SCO Openserver. Those are entirely different concepts and I won't be talking about those things in this article.
/etc/sudoers
You use "visudo" to edit the sudoers file. There are two reasons for that- it prevents two users from editing the file at the same time, and it also provides limited syntax checking. Even if you are the only root user, you need the syntax checking, so use "visudo".
We're going to start with the simplest setup of all: giving someone full root access. You might think there's no reason to do this- it would make more sense just to give them the root password, wouldn't it? Well, maybe, but then they can login as root also- with sudo they will have to use the sudo command and we can require a password that IS NOT root's password. Sudo commands can be logged, so we can keep track of what the person did. We can turn their sudo capability on or off at will without affecting other sudo users- no need to change the root password back and forth. This is a great way to keep track of consultants and other support people who may need root power, but you want to keep tabs on what they do. Of course there's a strong implication of honesty here- such a user could edit the sudo logs to hide any mischief.
So, here's a simple /etc/sudoers file (remember, edit with "visudo") to give "jim" access to root commands.
# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # User privilege specification root ALL=(ALL) ALL jim ALL=(ALL) ALL
That's it. With this in place, "jim" can use sudo to run any command with root privileges. Here's "jim" catting /etc/shadow:
[jim@lnxserve jim]$ head -5 /etc/shadow cat: /etc/shadow: Permission denied [jim@lnxserve jim]$ sudo head -5 /etc/shadow Password: root:$bukQnNBS$dkGDMUTf1.W5r1VE4OYLy.:11595:0:99999:7::: bin:*:11595:0:99999:7::: daemon:*:11595:0:99999:7::: adm:*:11595:0:99999:7::: lp:*:11595:0:99999:7::: [jim@lnxserve jim]$
Note that "jim" does not get root's PATH; his PATH is used by sudo (with exceptions noted later). If "jim" wanted to run (for example) lpc, he'd have to explicitly do "sudo /usr/sbin/lpc". That's typical, although sudo can be compiled to use its own compiled in PATH instead.
The password requested is NOT root's. In this case, "jim" has to provide his own login password to get sudo to work.
By default, sudo remembers the password for 5 minutes and won't ask again if reinvoked within that time:
[jim@lnxserve jim]$ sudo head -5 /etc/shadow root:$bukQnNBS$dkGDMUTf1.W5r1VE4OYLy.:11595:0:99999:7::: bin:*:11595:0:99999:7::: daemon:*:11595:0:99999:7::: adm:*:11595:0:99999:7::: lp:*:11595:0:99999:7::: [jim@lnxserve jim]$
The password behavior is entirely configurable: the password can be set to time out earlier, later, never or to be required always. Additionally, the password requested can be root's instead of their own. Let's change "jim" a bit by adding this line:
# Defaults specification Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1
This changes three things. First, "jim" needs root's password to run sudo (because of "runaspw"). Second, the password will not be remembered (timestamp_timeout), and he gets only one chance to enter it (the default is three tries).
If we set timestamp_timeout to -1, "jim" will only have to prove that he knows the password once. After that, it will not be forgotten, even if he logs out.
Different users can, of course, have different defaults. Here I've changed "jim", and added a new user "linda"
# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Defaults:jim timestamp_timeout=0 Defaults:linda timestamp_timeout=-1, runaspw # User privilege specification root ALL=(ALL) ALL jim ALL=(ALL) ALL linda ALL=(ALL) ALL
Jim and Linda have different defaults. A "Default" not followed by a ":" and a user name will apply to everyone (example further on).
Logging
Now let's add some logging. Without doing anything special, sudo logs authentication failures to syslog, but by adding another default, we can track every command run:
Defaults logfile=/var/log/sudolog
Notice that this time there is no ":". This default therefore applies to everyone.
With this in place, all sudo commands will be logged:
# /var/log/sudolog Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow
There's a limitation though:
[jim@lnxserve jim]$ sudo cat /etc/shadow > /tmp/shadow Password: [jim@lnxserve jim]$ sudo cat /var/log/sudo* Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow Feb 24 07:02:35 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow Feb 24 07:02:49 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /var/log/sudolog [jim@lnxserve jim]$
The redirection to /tmp/shadow does not show up in the log. That makes perfect sense: redirection is done by the shell before the commands are run, so sudo doesn't even see the redirection at all.
Security
You might at this point suddenly think "Oh no- that means a sudo user could overwrite important files". We haven't limited the sudo users command set yet, but even if we do, what stops them from using such commands to pervert system files or other commands?
Well, remember that the shell does the redirection BEFORE sudo runs. If the redirection can't be done because of permissions, the command will fail.
[jim@lnxserve /tmp]$ sudo date > /etc/shadow bash: /etc/shadow: Permission denied [jim@lnxserve /tmp]$
So that's one thing you don't need to worry about. Actually, sudo itself makes reasonable efforts to protect you from malicious michief by a sudo user. Running "sudo -V" as root shows sudo's settings; part of that is environment variables that it will not pass on or that it will check for dangerous content:
Sudo version 1.6.4 ... (stuff deleted) Environment variables to check for sanity: LANGUAGE LANG LC_* Environment variables to remove: BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS
That's the default list; you can add or subtract from it in /etc/sudoers. Note that if you do add or subtract variables, "sudo -V" doesn't reflect those changes.
Let's try that out with our test user. First, we need a simple shell script that will show us the value of environment variables. I'll call it "showme":
We'll have "jim" try it out before making any changes to sudoers:
[jim@lnxserve jim]$ cat showme set | grep [jim@lnxserve jim]$ export ENV [jim@lnxserve jim]$ ./showme ENV BASH_ENV=/home/jim/.bashrc [jim@lnxserve jim]$ sudo ./showme ENV SUDO_COMMAND='./showme ENV'
The ENV variable is not picked up by sudo even though it was marked for export. Ordinarily, environment variables would be passed:
[jim@lnxserve jim]$ export BOOP=betty [jim@lnxserve jim]$ ./showme BOOP BOOP=betty [jim@lnxserve jim]$ sudo ./showme BOOP BOOP=betty SUDO_COMMAND='./showme BOOP' [jim@lnxserve jim]$
But we can add to the list of variables to discard:
# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Defaults:jim timestamp_timeout=-1, env_delete+="BOOP"
Note the "+=" to ADD to the environment list. If we had just used "=", that would have replaced all of sudo's defaults. You can also use "-=" to subtract a default variable and allow it to be passwd.
Now "jim" won't get BOOP in his sudo environment.
[jim@lnxserve jim]$ sudo ./showme BOOP SUDO_COMMAND='./showme BOOP'
Sudo also rearranges your PATH internally. That can be a little confusing:
[jim@lnxserve jim]$ cat ./showme echo "I'm in /home/jim" set | grep [jim@lnxserve jim]$ cat ./bin/showme echo "I'm in /home/jim/bin" set | grep [jim@lnxserve jim]$ export PATH=".:$PATH" [jim@lnxserve jim]$ showme PATH I'm in /home/jim PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin [jim@lnxserve jim]$ sudo showme PATH I'm in /home/jim/bin PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin SUDO_COMMAND='/home/jim/bin/showme PATH' [jim@lnxserve jim]$
Although PATH still shows "." at the beginning, the showme in /bin is what is run by sudo. Internally sudo has ignored the leading "." and moved on to find "showme" in /home/jim/bin. Now let's remove the /home/jim/bin/showme:
[jim@lnxserve jim]$ rm bin/showme [jim@lnxserve jim]$ sudo showme PATH sudo: ignoring `showme' found in '.' Use `sudo ./showme' if this is the `showme' you wish to run. [jim@lnxserve jim]$ sudo ./showme PATH I'm in /home/jim PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin SUDO_COMMAND='./showme PATH' [jim@lnxserve jim]$
Limiting commands
There's more that sudo does to protect tyou from malicious mischief. The :man sudo" pages cover that completely. Let's continue with our examples; it's time to limit "jim" to specific commands. There are two ways to do that. We can specifically list commands, or we can say that jim can only run commands in a certain directory. A combination of those methods is useful:
jim ALL= /bin/kill,/sbin/linuxconf, /usr/sbin/jim/
The careful reader will note that there was a bit of a change here. The line used to read "jim ALL=(ALL) ALL", but now there's only one "ALL" left. Reading the man page can easily leave you quite confused as to what those three "ALL"'s meant. In the example above, ALL refers to machines- the assumption is that this is a network wide sudoers file. In the case of this machine (lnxserve) we could do this:
jim lnxserve= /bin/kill, /usr/sbin/jim/
So what was the "(ALL)" for? Well, here;s a clue:
jim lnxserve=(paul,linda) /bin/kill, /usr/sbin/jim/
That says that jim can (using "sudo -u ") run commands as paul or linda.
This is perfect for giving jim the power to kill paul or linda's processes without giving him anything else. There is one thing we need to add though: if we just left it like this, jim is forced to use "sudo -u paul" or "sudo -u linda" every time. We can add a default "runas_default":
Defaults:jim timestamp_timeout=-1, env_delete+="BOOP", runas_default=linda
I hope that this introduction will get you started. Now that you have the basics, the man pages for sudo and sudoers should make more sense.
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
-> -> Understanding and using sudo in Unix or Linux (with examples)
Inexpensive and informative Apple related e-books:
Take Control of Upgrading to Mavericks
Take Control of Automating Your Mac
Take Control of OS X Server
Take Control of Security for Mac Users
Take Control of Apple TV
More Articles by Tony Lawrence
Find me on Google+
© 2015-02-02 Tony Lawrence
---January 13, 2005
You mignt want to have a look at what "Tidy for FreeBSD" has done to the title of the page, though, 'cos it don't look too tidy, to me!
---January 28, 2005
My fault.. been doing a lot of cleaning up with tidy, but apparently a little too quick and didn't check the errors closely enough.
--TonyLawrence
Fri Mar 25 05:07:33 2005: 233 anonymous
I find this article to be very useful as i always used to think whether is the principle sudo possible and now it became possible ...:). It wud be better if the Security part regarding environmental variables part is more elaborated.... Anyway, thanks for the article as it was useful for me, beginner...
Tue Mar 29 02:39:07 2005: 241 anonymous
Is it possible to specify the list of commands that are not allowed.
Tue Mar 29 10:02:16 2005: 243 TonyLawrence
Yes, it's POSSIBLE to say "these are the commands that you can't run", but it's not a good idea to do so. From the man page:
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias, jill may run any commands in the directory /usr/bin/ except for those commands belonging to the SU and SHELLS Cmnd_Aliases.
But (also from the man page):
It is generally not effective to "subtract" commands from ALL using the ! operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and rein- forced by policy).
Tue Mar 29 15:25:19 2005: 245 anonymous
Thank you for your response. So if I understand correctly, there is no effective way of subtractinga list of commands?
Tue Mar 29 16:48:18 2005: 246 TonyLawrence
Correct.. list the allowed commands or directory
Wed Dec 28 09:35:42 2005: 1463 channelspace
very nice article! thank you :)
Thu Jan 26 15:50:37 2006: 1568 Dan
Thanks for the article! I was actually trying to configure sudo last night for the first time and got kinda lost with the man pages. Then I found your article and now I can at least configure the sudoers file and test some users capabilities. I am trying to find a solution for my programmers where I don't have to give them the root password as they frequently need to su as another user on the system to troubleshoot their issues. So after going through various newsgroups, it seemed like sudo would be able to accomplish this. Is this assumption correct? Is the syntax "sudo su - 'username'" after I configure the sudoers file w/ the usernames of my programmers? Thanks for your help!
Thu Jan 26 16:16:59 2006: 1569 TonyLawrence
Nope.
They just do
sudo su -
Nothing more.
Or "sudo command"
if you've only given them access to specific commands.
(I'm assuming they want to be root - if it is some other user, then yes, sudo "su -" username would be it)
Sun Jan 29 23:38:41 2006: 1588 Dan
So I configured the sudoers file so when my programmers log in, they type "su - 'username of who they want to be'" and it works! Thanks!
How come there are some files owned by user "8036" and some owned by root in my SUDO directory?
case in point:
-rw-r--r-- 1 8036 system 640 Jan 25 16:56 sudoers
-rw-r--r-- 1 8036 system 60958 Nov 08 10:22 sudoers.cat
-rw-r--r-- 1 root system 57536 Jan 25 16:34 sudoers.man
-rw-r--r-- 1 8036 system 57727 Nov 08 10:22 sudoers.man.in
-rw-r--r-- 1 8036 system 44838 Nov 28 2004 sudoers.pod
-rw-r--r-- 1 8036 system 2902 Feb 12 2004 sudoers2ldif
-rw-r--r-- 1 8036 system 9920 Aug 02 2004 testsudoers.c
-rw-r--r-- 1 8036 system 6350 Jun 06 2004 tgetpass.c
-rw-r--r-- 1 root system 5232 Jan 25 16:36 tgetpass.o
-rw-r--r-- 1 8036 system 1814 Sep 11 2004 utimes.c
-rw-r--r-- 1 8036 system 1195 Nov 08 10:22 version.h
-rwxr-xr-x 1 root system 188507 Jan 25 16:37 visudo
Thanks!
Mon Jan 30 10:25:27 2006: 1589 TonyLawrence
The install had files owned by "8036". You don't have a user with that id.
That's not at all unusual and nothing to be concerned about, though you may want to change these just so it doesn't bite you if you ever do add a user and use that id.
Mon Jan 30 16:26:05 2006: 1591 Dan
Thanks!
Mon Jan 30 17:24:45 2006: 1592 Dan
What line would I put into my sudoers file to restrict users from su'ing to root.
I have user1 in group1 being able to su to other users w/o passwords which is what I want.
But I want to restrict user1 to su to root. They can su to other users but I don't want them to su to root.
right now user1 can su to root w/o a password.
Is there a way to do this?
Thanks!
Mon Jan 30 18:14:44 2006: 1593 TonyLawrence
Sure - see the "Limiting Commands" at the end of the article above.
Mon Oct 9 20:47:41 2006: 2508 anonymous
Nice article. Just what I needed. Though the one liner text boxes are a little irritating to scroll and read through.
Mon Oct 9 21:01:16 2006: 2509 TonyLawrence
Use the "Printer Friendly" link.
See (link) for WHY we have those.
Mon Dec 4 19:33:34 2006: 2687 anonymous
Really nice article. Was really helful
How can I configure sudo so that it will be able to monitor all activities performed by the pseudo administrators and report on any discrepancies.
Cheers
Mon Dec 4 20:02:44 2006: 2688 TonyLawrence
If you enable logging, you can track every command.. but it isn't up to sudo to decide something is a "discrepancy" - that's your job. If you don't want to let someone use a particular command, then configure it so.
Wed Mar 7 06:57:05 2007: 2905 erimin
I wanted to create a user with the access to stop/start apache, so i created this line :
%adminx ALL=NOPASSWD: /etc/rc.d/init.d/httpd
When i login as the user ( which belongs to the "adminx" group ), i got this error message when i issued command "/etc/rc.d/init.d/httpd restart" :
rm:cannot remove `/var/run/httpd.pid' : Permission Denied
Starting httpd:
Touch:cannot touch `/var/locl/subsys/httpd' : Permission Denied
What should i do to enable that particular to stop/start httpd service?
Wed Mar 7 11:50:48 2007: 2906 TonyLawrence
Apache runs as root during startup. This could get pretty complicated.. I think I'd use a setuid wrapper instead..
Wed Jun 20 20:03:20 2007: 3038 yanM
Nice article. Thanks. Is this possible to somehow set a command prompt when working with sudo? Say, I want the prompt to be % how can I set it?
Wed Jun 20 20:21:57 2007: 3039 TonyLawrence
You mean when you start a sudo shell..
Probably - can't think about it right now..
Wed Aug 15 09:59:48 2007: 3078 GermanJulian
(
Thank you I found the sudo article useful. good intro for a beginner :)
Fri Jan 4 17:16:20 2008: 3393 anonymous
Nice article!
I have one qustion:
How can I do so, that userA give permissions to userB to execute some commands, without userA to have access on the permissions on the another users(C,D...) ?
Fri Jan 4 18:34:48 2008: 3394 TonyLawrence
User A can't give permissions - root gives permissions with the conf file. Look at the examples.
Thu Jan 10 21:03:27 2008: 3434 anonymous
I think in this way as sample: userA has permission of #sudo -f /etc/allow/sudoers to allow userB to do something and #sudo -f /etc/deny/sudoers to restore the original config file! Is it possible?
file /etc/allow/sudoers the file with the permissions for userB...
of course userA can never give another permissions to userC.
Sun Jan 27 17:56:03 2008: 3537 pl1sk3n
Great guide but i can't start visudo?
I get this answer; visudo: /etc/sudoers: Permission denied,
Do you have a solution for this?
Sun Jan 27 18:04:42 2008: 3538 TonyLawrence
Are you root?
Sun Jan 27 18:33:25 2008: 3539 pl1sk3n
No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.
Sun Jan 27 18:42:37 2008: 3540 pl1sk3n
No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.
Sun Jan 27 19:07:45 2008: 3541 TonyLawrence
OK, so you were not in sudoers and you've lost your root password? See (link)
Sun Jan 27 19:53:16 2008: 3542 pl1sk3n
I know my password it did not work in su, authentication error. The problem started with a chown command i guess, don't remember exactly what i did wrong.
My ls -l command give this; ---s--x--x 1 keeej root 91776 /usr/bin/sudo. I'm i root anyway? If so how to fix that? Ps sorry about the dubbel posting above Ds
Sun Jan 27 20:06:41 2008: 3543 TonyLawrence
If you are already root, you can just edit the sudoers file directly: visudoers is simply to keep two roots from mucking there at the same time.
sudo should be owned by root: it's setuid (that "s") for the owner - which has to be root.
---s--x--x 1 root root 81644 Jan 14 15:36 /usr/bin/sudo
So if you ARE root:
chown root /usr/bin/sudo
Sun Jan 27 21:11:47 2008: 3544 pl1sk3n
Thank you for your effort but operation denied.
Maybe its time for a reinstall?
Rgds
Sun Jan 27 21:32:11 2008: 3545 TonyLawrence
Or you might try booting to single user and see if you can fix up things there.
Wed Mar 26 14:11:19 2008: 3901 anonymous
very usefull indeed...
Fri Jul 4 18:26:56 2008: 4390 amoe
Thanks for this article, the manpage was extremely intimidating, but this gives me basically everything I need. Respect knuckles.
Sat Jul 5 14:14:45 2008: 4391 MohamedMansour
Nice article! Keep the articles coming :)
Tue Sep 8 09:46:39 2009: 6870 anonymous
Thank you. most helpful. I can understand the meaning of all the ALLs now :)
Tue Oct 13 13:36:26 2009: 7220 MukeshDhiman
Very good !
Tue Nov 3 11:25:52 2009: 7415 Omar
Well done.
Regards
Omar Sattar
Tue Mar 2 13:33:17 2010: 8165 TonyLawrence
Updated sudo packages fix escalation vulnerabilities: (link)
Fri May 14 17:50:17 2010: 8595 Ian
Great article.
You just saved me from spending the rest of the afternoon trying to make sense of the man page.
Thank You!
Sat Jul 10 16:33:41 2010: 8807 bipul
I am using sudo inside a script. When it runs unix command it ask for password and always I have to provide it manually. Is there any way I can provide it dynamically ?
eg :
#!/bin/ksh
sudo cp file1.txt target_dir
Sat Jul 10 16:56:16 2010: 8808 TonyLawrence
You can set it to use no password, you can use the -A option, you can run your script with Expect or you can use a setuid program.
Thu Aug 5 07:24:20 2010: 8875 Navneet
Hi,
I wanted to stop haproxy service using the nagios nrpe plugin. I am able to stop the service using the sudo command from nagios user. But when i try stopping the service from remote nagios server. I am unable to do that.
When i try stopping the service remotely typically a shell script is executed by nagios user on the client machine. But it does not stops the service.
The shell script is as follows:
#!/bin/sh
sudo /etc/init.d/haproxy stop
echo "Stopped HA Proxy"
The output on the remote end is 'Stopped HA Proxy' but exactly the service is not stopped. Whereas if i run the same command in the script or script itself as nagios user. The service is stopped properly.
I will be seeking help.. Thanks is advance
Regards,
NAV
Tue Aug 17 21:42:51 2010: 8907 anonymous
I tried using sudo and was warned that if I continued to use it I would lose important files
Tue Aug 17 21:48:04 2010: 8908 TonyLawrence
Warned by who?
Do you mean the warning that sudo prints the first time you use it??????
Tue Aug 17 22:22:58 2010: 8909 anonymous
Hi,
The first time I used it without success, my computer crashed. The second time, I got the warning. From who, I don't know.
Tue Aug 17 23:15:30 2010: 8910 TonyLawrence
I don't think you should be using sudo and maybe you shouldn't be using Linux at all.
Sat Oct 23 13:03:41 2010: 9055 kimvirith
if you give permission passwd to user so mean that user can change password root also. do you have any solution to protect this?
Sat Oct 23 13:15:49 2010: 9056 TonyLawrence
"do you have any solution to protect this"
Specify the commands you want to allow.
Sat Oct 23 13:28:44 2010: 9057 anonymous
if you allow a sudo user to change password for default user.
this condtion sudo user can change password also.
so how can we solve this problem?
Sat Oct 23 18:12:45 2010: 9058 TonyLawrence
No, that is not the case at all. You have not bothered to read this page, have you? Read the section on limiting commands.
Sun Oct 24 05:25:47 2010: 9060 anonymous
let do it by yourself first.
example: visudo -f /etc/sudoers
tony ALL = ALL NOPASSWD:/usr/bin/passwd
then create alias for user tony to user command passwd
echo "alias passwd="sudo /usr/bin/passwd" >> /home/tony/.bashrc
then tony can use this command to change password root
passwd root
then its allow tony to change password
u ever think about this problem?
hope you reply me soon .. thank you for your information.
Sun Oct 24 11:38:16 2010: 9062 TonyLawrence
If they need to change their own password, they do it while logged in normally, without sudo. You don't LET them run "passwd" with sudo.
That's not entirely foolproof, of course. See (link) for more.
Mon Oct 25 09:52:34 2010: 9065 anonymous
what can we do if like this? if we not allow that user to run sudo how can they run another command?
i can fix alias for that user but that user can run sudo /usr/bin/passwd as well.
if i block sudo that user can not do anything.
can u example for me?
thank you in advance for your response
Mon Oct 25 10:43:28 2010: 9066 TonyLawrence
As is explained right here on this page, you can limit a sudo user to the specific commands you need them to be able to run. As explained in the other link I gave you, you do have to be careful that none of those commands give shell access.
Life is not perfect. When you trust people with power because they need it for some task, you always run some risk that they will abuse that power.
I think your basic issue is that you have not really read this page or the sudo man page and therefore do not understand what I have been trying to tell you. Read the section on Limiting Commands above and also that other link I gave you.
In the example I gave in Limiting Commands, Jim can't run just "sudo". He can't get a shell. He CAN run "sudo kill" or "sudo linuxconf" and the commands in /usr/sbin/Jim (which presumably he cannot write to) but that's it. He wouldn't be able to run "sudo passwd root" or "sudo passwd" anything.
If you still do not understand this, I can't offer you anything more. You need to READ.
Sat Dec 11 01:04:57 2010: 9158 albeba
Hi,
In effect nice article, i'm trying to give rights to a beginner user on "/etc/init.d/networking restart" cause we have a realy bad (public wifi) connection and need to regularly have a dhcp request done to the provider...
(the fact is that the "Network manager" of Gnome crashes sometimes so a networking restart is the more efficient to arrange it)
So i thought about adding this line to my sudoers file:
theuser themachine= /etc/init.d/networking restart
but i have a permission denied when theuser runs /etc/init.d/networking restart :
Reconfiguring network interfaces...ifdown: failed to open statefile /etc/network/run/ifstate: Permission denied
ifup: failed to open statefile /etc/network/run/ifstate: Permission denied
failed.
Sat Dec 11 01:57:08 2010: 9159 TonyLawrence
The user has to run
sudo /etc/init.d/networking restart
Fri Jul 15 01:51:30 2011: 9621 Gora
Hi,
Thanks a lot for the easy to understand article.
I have configured sudo and its working as its suppose to, no problem there.
however, I am getting a small glitch (weird actually) when I do "visudo -s sudoers".
when I try to save the file visudo returns with " what now?" though visudo doesn't throw any format errors along with it, just "what now" as if its the default option. I do a "Q" to save the file and sudo works perfectly afterwards, but as per my understanding visudo should not return with "what now?" if there aren't any errors and should save the file directly.
Any help will be much appreciated.
Thu Jul 28 01:44:05 2011: 9654 rahul
Hi, i have a particular user with sudo permissions, but enable to find his entry in visudo file. so how did he got that sudo effects and were can i disable his sudo entry. plz respond......
Thx in advance...........
Thu Jul 28 10:18:44 2011: 9655 TonyLawrence
Why do you say he has sudo permissions?
Tue Aug 16 12:27:43 2011: 9715 Will
Hi, I'm new to sudo so please excuse my pundit question. Can I, with sudo, enable a user to run all commands in an environment but only on specific directories. An example, we have websphere admins who need root access to do their software deployments. The WAS application/install/deployments all resides on a non-OS filesystem/directory. The users however need to be able to use rm/chmod/vi/ln commands and much more within this directory. Now, what I know I can do, is to list all hundred commands to be used, or is there an easier way? In short, I want the users to be able to do what they want anywhere on the system but systems directories and files.
TX
Tue Aug 16 12:44:09 2011: 9716 TonyLawrence
No, you'd be better to give specific permissions to those directories. See (link)
Wed Aug 31 09:17:30 2011: 9757 Michel
Thanks Tony for this nice article !
One question more :
I access a program via a web page who ask for a root account in order to run.
I log first to the server and then sudo but when I access the web page, my sudo user can't log.
Is there a way to log as a sudo user on the web page and make the program run ?
Regards,
Michel
Tue Oct 4 12:35:29 2011: 9899 anonymous
I have a command like xm console <hostname> I added xm console to the sudoers files and at the prompt I am typing xm console <actual-hostname>.
It is not executing the command.Can you please tell why this could be happening.
Tue Oct 4 12:47:57 2011: 9900 TonyLawrence
No. Just add "xm".
Tue Oct 4 17:16:11 2011: 9901 TonyLawrence
If you want something that only does "xm console", you need to create another command that does that and passes the other argument and add THAT to sudoers.
Fri Oct 7 08:50:18 2011: 9930 anonymous
Hi ,
Can you please explain with an example.What I understand is create a alais for the xm console command and they pass the hostname from the command line is that right.
Fri Oct 7 13:21:14 2011: 9938 TonyLawrence
No, you don't want an alias. You want an actual script or executable.
Wed Oct 19 13:08:15 2011: 10044 olemp
hi, i prevented the "su" command from sudo users. i want prevent the sudo user to become root or any other user. but with "sudo vi" command user is able to execute shell command and with "!bash" command user become root...how can i prevent this (without restricting the vi editor).thank you...
Wed Oct 19 14:19:50 2011: 10045 TonyLawrence
See the manual and search for "shell escapes".
(link) for example (though you have 'info sudoers' also)
Fri Oct 21 11:09:53 2011: 10052 IMRAN
Hi ,
i installed sudo in Sun blade T6320 server & also edit visudo file for user entry and syslog.conf file for log checking .But i am unable to see sudo log(What command were run by sudo user)...........
Fri Oct 21 11:20:02 2011: 10053 TonyLawrence
Did you remember to modify syslog.conf (sudo logs to local2 by default, see your sample.syslog.conf file in your sudo fules)?
You'd need to signal syslogd after that, too.
Mon Oct 31 17:40:50 2011: 10101 MarcCahill
If you sudo a job as another user my_target_user, and the initial unix session you invoked the sudo command terminates, does the script you submit under the target user terminates too ? or will it run under its own sheell under the target user you sudo to ?
Mon Oct 31 17:56:42 2011: 10102 TonyLawrence
Use "nohup".
Mon Nov 21 10:27:05 2011: 10212 IMRAN
hi ,
After restart the service(svcadm restart system-log)and editing syslog.conf file.I am able to see the log(User login details) in /var/log/sudo.log
But unable to see the what's command fired by perticular user...
Mon Nov 21 10:43:25 2011: 10214 TonyLawrence
You've missed something or didn't use visudo..
Mon Jan 2 13:05:10 2012: 10430 anonymous
Is there a way to get the actual user name using the sudo user name ?
Mon Jan 2 13:21:12 2012: 10431 TonyLawrence
Did you read the section on logging? The name appears in the logs.
Tue Jan 3 06:23:36 2012: 10436 anonymous
I am not the admin and will not know anything about the logs(location) in sudoer file. Apart from logs, is there any other way to get the actual user from sudo user name ?
Tue Jan 3 11:43:33 2012: 10438 TonyLawrence
You are not making sense. If you aren't an administrative user, of course you have no access to what other people did.
Thu Jan 26 09:30:53 2012: 10506 anonymous
Hi we have the environment where we have shell access through sudo which we dont change.here I have a query how we can audit the logs for the sudo user.
so we want after doing sudo what user do , evertying should be logged .
for example:
$ sudo bash
now i am as root so what ever I do how we can get it logged
Please suggest how we can get this possible
Thu Jan 26 14:48:40 2012: 10509 anonymous
Did you read the article or just jump down to ask your question??
Fri Mar 23 10:01:55 2012: 10767 Kuldeep
Hi,
I wanted to restrit the user to run the init command but i want to give them permission the can copy and delete the file with the help of sudo. pls help me regarding same.
Thanks in advance.
Fri Mar 23 10:46:26 2012: 10769 TonyLawrence
I'm sorry - I don't understand what you want.
Mon Apr 23 20:45:19 2012: 10883 anonymous
I give you props for answering all of the questions, and I like the comment to anonymous about (s)he should not be using unix. Great comment.
Just imagine if everyone actually read the article first before asking questions, you would have nothing to do other then to receive praise ;)
Mon May 14 13:33:34 2012: 10953 kashif
Good Article,
I have a question. Is there any possibility that the user can only access sudo nano /etc/myserver.conf and must not edit files like sudo nano /etc/passwd, sudo nano /etc/myserver.conf, etc.
Thanks
Mon May 14 15:54:52 2012: 10954 TonyLawrence
Not easily. You'd need to have an editor that doesn't allow you to read or write any other file. You could edit source to make such a thing, of course.
Mon Jul 23 06:41:28 2012: 11213 sri
Lawrence, could u pls tell me how to disable access for more than 1 user at a time in /etc/sudoers file, I know by manually edit the file(visudo) and comment out (#)..
Is there any way to do by scripting, since I have to disable access for more than 20 users, It is eating more time with manual edit of file and do comment out every time.
thanks in advance...
Mon Jul 23 10:59:22 2012: 11214 TonyLawrence
Yes, you could do it with a script. No, I'm not going to write such a script for you.
Thu Aug 2 09:39:20 2012: 11226 Prashant
Want to restrict chmod & chown command to run by user using SUDO permission in a specific directory only?
I can run these command by SUDO system-wide, but on server I want to give access to these commands in /var/www/html directory only.
How to restrict to run commands in specific directory through SUDO?
Thu Aug 2 09:53:36 2012: 11227 TonyLawrence
"restrict to run commands in specific directory"
Can't be done with just sudo. Difficult to do, period. You'd need to replace the chown/chmod commands and let the user run THOSE with sudo and writing those to cover every case will NOT be easy.
Fri Sep 21 15:17:07 2012: 11341 AM
I just had to do my last SCO Openserver migration, we need to have certain acocunts have the ability to run commands using asroot. I have it setup, but when I login as myself and not as root I tried to run a 'w' cmd. The only users that showed up as logged in were me. When I do it as root, no big deal. Thoughts?
Thanks in advance!
Fri Sep 21 19:58:23 2012: 11343 TonyLawrence
asroot and sudo are wary of privilege escalation.. or maybe you have wrong perms on the wtmp files.
Fri Oct 19 15:25:50 2012: 11390 anonymous
This article is great for configuring sudo. But show an actual example of using sudo please.
Fri Oct 19 15:42:25 2012: 11391 TonyLawrence
There are several examples in the article - quite a few, in fact. Did you actually READ it?
Fri Nov 30 14:17:16 2012: 11449 Ritendra
Great article, keeping in mind the complicated nature of sudo setup per se. Nice explanation too over how the changes will behave.
Tue Mar 5 16:27:51 2013: 11930 lou
hi there, just want to say thanks for this article and all the comments too. I think i'm nearly there in solving this. I'm trying to rsync apache logs from a remote to a local server and in my sudoers file have this
loguser ALL= /usr/bin/rsync, /usr/bin/tail, /var/log/httpd
but i also need to allow loguser to change directory and when I run my rsync file i get this:-
sending incremental file list
rsync: change_dir "/var/log/httpd" failed: Permission denied (13)
What do i need to add to allow 'change_dir' for loguser? Hope you can advise. Thanks Lou
Thu Aug 15 01:33:33 2013: 12262 anonymous
Hello I installed minecraft using sudo thinking that was how things were installed (im new to linux). Well now im trying to uninstall it but it has a little lock on the minecraft icon and I cannot uninstall it. I read somewhere else that I had to go to properties then permissions and change what I was allowed to do, but I cant change anything and at the bottom of the window it says "You are not the owner, so you cannot change these permissions" please help.
Thu Aug 15 09:51:20 2013: 12263 TonyLawrence
Did you try removing it with sudo?
Fri Aug 16 16:43:39 2013: 12264 TonyLawrence
Lou - I was sure I had answered your question earlier, but I see not.
I think that you are sudo'd on one side, but not the other.. the sudo does not pass through to the other rsync; you only have the perms of the rsync account you used.
Sat Feb 22 08:40:46 2014: 12421 Karn
This arctical Simply Great!
One Question Lawrence , Can we read the setuid or Binary Files by any means ?
-Karn
Sat Feb 22 11:31:14 2014: 12422 TonyLawrence
You can see the setuid bits with "ls -l". The "file" command can help you determine whether a file is text or not.
Thu Dec 18 17:08:47 2014: 12588 azam
Hi, I have quick question I am trying to setup a script to find the sudo privileges for all users on a server, I am facing an issue with command "sudo -l -U username" on specifically sudo version 1.6xx (the command works fine with sudo versions 1.8x or later). Not sure what other options we have to get the sudo privileges for other users, please share if I can use some other flags on all sudo versions. Thanks in advance!!
Sudo version 1.6.7p5
server1# sudo -l -U amohamme
sudo: Illegal option -U
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>
server2:/# sudo -V |head -1
Sudo version 1.8.9p5
server2:/# sudo -l -U amohamme
User amohamme may run the following commands on txcomregappqa51:
(ALL) NOPASSWD: /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root
Thu Dec 18 18:56:40 2014: 12589 TonyLawrence
It's not a quick question for me - I have no idea about version specific bugs. Someone else reading this might know, though I bet chances are slim.
Mon Feb 2 11:32:19 2015: 12607 Dinesh
$ sudo -l
Matching Defaults entries for dineshr on this host:
logfile=/var/log/sudo.log, syslog=auth, syslog_badpri=notice, syslog_goodpri=notice
User dineshr may run the following commands on this host:
(root) NOPASSWD: /bin/su - dedw_adm
I'm new to Unix. How could i use this sudo access further for informatica related stuffs.
Mon Feb 2 14:03:22 2015: 12608 TonyLawrence
I have no idea what "informatica related stuffs" means. Read the article.
------------------------
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.
Additional Info
The less accurate your mental model of a given process is, the less accurate is any guess you make about its malfunction. (Tony Lawrence)
The people I distrust most are those who want to improve our lives but have only one course of action in mind. (Frank Herbert)
This post tagged:
Skills Tests
Unix/Linux Book Reviews
My Unix/Linux Troubleshooting Book
This site runs on Linode
Buy Kerio from a dealer who knows tech:
I sell and support
Kerio Connect Mail server, Control, Workspace and Operator licenses and subscription renewals