Jay Taylor's notes

back to listing index

Understanding and using sudo in Unix or Linux (with examples)

[web search]
Original source (aplawrence.com)
Tags: configuration linux documentation sudo aplawrence.com
Clipped on: 2015-12-11


Using sudo

Learn to use Linux "sudo" for more security.

Most systems have some way of letting ordinary users perform certain tasks as root or some other privileged user. SCO Open Server has "asroot" and can also directly assign "authorizations" such as backup privileges or being able to change other user's passwords. SCO Unixware/Open Unix 8 have a similar facility in "tfadmin".

Many other Unixes, and Linux, use "sudo".

The configuration of sudo is by the /etc/sudoers file. I'm sure that there are more poorly written man pages, but "man sudoers" is among my all time favorites for obfuscation and poor explanation. The creation of the file and the actual use of sudo isn't all that bad though.

First a little background. The sudo program itself is a setuid binary. If you examine its permissions, you will see:

---s--x--x    1 root   root   81644 Jan 14 15:36 /usr/bin/sudo

That "s" means that this is a "setuid" program. You and everyone else have execute permission on this, so you can run it. When you do that, because it is setuid and owned by root, your effective user id becomes root- if you could get to a shell from sudo, you effectively WOULD be root- you could remove any file on the system, etc. That's why setuid programs have to be carefully written, and something like sudo (which is going to allow access to other programs) has to be especially careful.

A setuid program doesn't necessarily mean root access. A setuid program owned by a different user would give you that user's effective id. The sudo program can also change your effective id while it is running- I'll be showing an example of that here.

Finally, setuid and sudo are NOT the same thing as the administrative roles of Unixware or the authorizations and privileges of SCO Openserver. Those are entirely different concepts and I won't be talking about those things in this article.


You use "visudo" to edit the sudoers file. There are two reasons for that- it prevents two users from editing the file at the same time, and it also provides limited syntax checking. Even if you are the only root user, you need the syntax checking, so use "visudo".

We're going to start with the simplest setup of all: giving someone full root access. You might think there's no reason to do this- it would make more sense just to give them the root password, wouldn't it? Well, maybe, but then they can login as root also- with sudo they will have to use the sudo command and we can require a password that IS NOT root's password. Sudo commands can be logged, so we can keep track of what the person did. We can turn their sudo capability on or off at will without affecting other sudo users- no need to change the root password back and forth. This is a great way to keep track of consultants and other support people who may need root power, but you want to keep tabs on what they do. Of course there's a strong implication of honesty here- such a user could edit the sudo logs to hide any mischief.

So, here's a simple /etc/sudoers file (remember, edit with "visudo") to give "jim" access to root commands.

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.

# User privilege specification
root    ALL=(ALL) ALL
jim     ALL=(ALL)       ALL

That's it. With this in place, "jim" can use sudo to run any command with root privileges. Here's "jim" catting /etc/shadow:

[jim@lnxserve jim]$ head -5 /etc/shadow
cat: /etc/shadow: Permission denied
[jim@lnxserve jim]$ sudo head -5 /etc/shadow
[jim@lnxserve jim]$ 

Note that "jim" does not get root's PATH; his PATH is used by sudo (with exceptions noted later). If "jim" wanted to run (for example) lpc, he'd have to explicitly do "sudo /usr/sbin/lpc". That's typical, although sudo can be compiled to use its own compiled in PATH instead.

The password requested is NOT root's. In this case, "jim" has to provide his own login password to get sudo to work.

By default, sudo remembers the password for 5 minutes and won't ask again if reinvoked within that time:

[jim@lnxserve jim]$ sudo head -5 /etc/shadow
[jim@lnxserve jim]$ 

The password behavior is entirely configurable: the password can be set to time out earlier, later, never or to be required always. Additionally, the password requested can be root's instead of their own. Let's change "jim" a bit by adding this line:

# Defaults specification
Defaults:jim    timestamp_timeout=0, runaspw, passwd_tries=1

This changes three things. First, "jim" needs root's password to run sudo (because of "runaspw"). Second, the password will not be remembered (timestamp_timeout), and he gets only one chance to enter it (the default is three tries).

If we set timestamp_timeout to -1, "jim" will only have to prove that he knows the password once. After that, it will not be forgotten, even if he logs out.

Different users can, of course, have different defaults. Here I've changed "jim", and added a new user "linda"

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
Defaults:jim    timestamp_timeout=0 
Defaults:linda  timestamp_timeout=-1, runaspw

# User privilege specification
root    ALL=(ALL) ALL
jim     ALL=(ALL)       ALL
linda   ALL=(ALL)       ALL

Jim and Linda have different defaults. A "Default" not followed by a ":" and a user name will apply to everyone (example further on).


Now let's add some logging. Without doing anything special, sudo logs authentication failures to syslog, but by adding another default, we can track every command run:

Defaults logfile=/var/log/sudolog

Notice that this time there is no ":". This default therefore applies to everyone.

With this in place, all sudo commands will be logged:

# /var/log/sudolog
Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow

There's a limitation though:

[jim@lnxserve jim]$ sudo cat /etc/shadow > /tmp/shadow
[jim@lnxserve jim]$ sudo cat /var/log/sudo*
Feb 24 06:56:59 : jim : TTY=tty4 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 06:58:49 : jim : TTY=tty4 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 07:02:35 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 24 07:02:49 : jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /var/log/sudolog
[jim@lnxserve jim]$ 

The redirection to /tmp/shadow does not show up in the log. That makes perfect sense: redirection is done by the shell before the commands are run, so sudo doesn't even see the redirection at all.


You might at this point suddenly think "Oh no- that means a sudo user could overwrite important files". We haven't limited the sudo users command set yet, but even if we do, what stops them from using such commands to pervert system files or other commands?

Well, remember that the shell does the redirection BEFORE sudo runs. If the redirection can't be done because of permissions, the command will fail.

[jim@lnxserve /tmp]$ sudo date > /etc/shadow
bash: /etc/shadow: Permission denied
[jim@lnxserve /tmp]$

So that's one thing you don't need to worry about. Actually, sudo itself makes reasonable efforts to protect you from malicious michief by a sudo user. Running "sudo -V" as root shows sudo's settings; part of that is environment variables that it will not pass on or that it will check for dangerous content:

Sudo version 1.6.4
... (stuff deleted)
Environment variables to check for sanity:
Environment variables to remove:

That's the default list; you can add or subtract from it in /etc/sudoers. Note that if you do add or subtract variables, "sudo -V" doesn't reflect those changes.

Let's try that out with our test user. First, we need a simple shell script that will show us the value of environment variables. I'll call it "showme":

We'll have "jim" try it out before making any changes to sudoers:

[jim@lnxserve jim]$ cat showme
set | grep 
[jim@lnxserve jim]$ export ENV
[jim@lnxserve jim]$ ./showme ENV
[jim@lnxserve jim]$ sudo ./showme ENV

The ENV variable is not picked up by sudo even though it was marked for export. Ordinarily, environment variables would be passed:

[jim@lnxserve jim]$ export BOOP=betty
[jim@lnxserve jim]$ ./showme BOOP
[jim@lnxserve jim]$ sudo ./showme BOOP
[jim@lnxserve jim]$ 

But we can add to the list of variables to discard:

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP"

Note the "+=" to ADD to the environment list. If we had just used "=", that would have replaced all of sudo's defaults. You can also use "-=" to subtract a default variable and allow it to be passwd.

Now "jim" won't get BOOP in his sudo environment.

[jim@lnxserve jim]$ sudo ./showme BOOP

Sudo also rearranges your PATH internally. That can be a little confusing:

[jim@lnxserve jim]$ cat ./showme
echo "I'm in /home/jim"
set | grep 
[jim@lnxserve jim]$ cat ./bin/showme
echo "I'm in /home/jim/bin"
set | grep 
[jim@lnxserve jim]$ export PATH=".:$PATH"
[jim@lnxserve jim]$ showme PATH
I'm in /home/jim
[jim@lnxserve jim]$ sudo showme PATH
I'm in /home/jim/bin
SUDO_COMMAND='/home/jim/bin/showme PATH'
[jim@lnxserve jim]$ 

Although PATH still shows "." at the beginning, the showme in /bin is what is run by sudo. Internally sudo has ignored the leading "." and moved on to find "showme" in /home/jim/bin. Now let's remove the /home/jim/bin/showme:

[jim@lnxserve jim]$ rm bin/showme
[jim@lnxserve jim]$ sudo showme PATH
sudo: ignoring `showme' found in '.'
Use `sudo ./showme' if this is the `showme' you wish to run.
[jim@lnxserve jim]$ sudo ./showme PATH
I'm in /home/jim
[jim@lnxserve jim]$ 

Limiting commands

There's more that sudo does to protect tyou from malicious mischief. The :man sudo" pages cover that completely. Let's continue with our examples; it's time to limit "jim" to specific commands. There are two ways to do that. We can specifically list commands, or we can say that jim can only run commands in a certain directory. A combination of those methods is useful:

jim     ALL=    /bin/kill,/sbin/linuxconf, /usr/sbin/jim/

The careful reader will note that there was a bit of a change here. The line used to read "jim ALL=(ALL) ALL", but now there's only one "ALL" left. Reading the man page can easily leave you quite confused as to what those three "ALL"'s meant. In the example above, ALL refers to machines- the assumption is that this is a network wide sudoers file. In the case of this machine (lnxserve) we could do this:

jim     lnxserve=       /bin/kill, /usr/sbin/jim/

So what was the "(ALL)" for? Well, here;s a clue:

jim     lnxserve=(paul,linda)   /bin/kill, /usr/sbin/jim/

That says that jim can (using "sudo -u ") run commands as paul or linda.

This is perfect for giving jim the power to kill paul or linda's processes without giving him anything else. There is one thing we need to add though: if we just left it like this, jim is forced to use "sudo -u paul" or "sudo -u linda" every time. We can add a default "runas_default":

Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP", runas_default=linda

I hope that this introduction will get you started. Now that you have the basics, the man pages for sudo and sudoers should make more sense.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Understanding and using sudo in Unix or Linux (with examples)


More Articles by Tony Lawrence

Find me on Google+

© 2015-02-02 Tony Lawrence

---January 13, 2005

You mignt want to have a look at what "Tidy for FreeBSD" has done to the title of the page, though, 'cos it don't look too tidy, to me!

---January 28, 2005

My fault.. been doing a lot of cleaning up with tidy, but apparently a little too quick and didn't check the errors closely enough.


Fri Mar 25 05:07:33 2005: 233   anonymous

I find this article to be very useful as i always used to think whether is the principle sudo possible and now it became possible ...:). It wud be better if the Security part regarding environmental variables part is more elaborated.... Anyway, thanks for the article as it was useful for me, beginner...

Tue Mar 29 02:39:07 2005: 241   anonymous

Is it possible to specify the list of commands that are not allowed.

Tue Mar 29 10:02:16 2005: 243   TonyLawrence

Image (Asset 2/10) alt=
Yes, it's POSSIBLE to say "these are the commands that you can't run", but it's not a good idea to do so. From the man page:

        jill           SERVERS = /usr/bin/, !SU, !SHELLS 

For any machine in the SERVERS Host_Alias, jill may run any commands in the directory /usr/bin/ except for those commands belonging to the SU and SHELLS Cmnd_Aliases.

But (also from the man page):

       It is generally not effective to "subtract"
       commands from ALL using the ! operator.  A
       user can trivially circumvent this by copying
       the desired command to a different name and
       then executing that.  For example:

bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and rein- forced by policy).

Tue Mar 29 15:25:19 2005: 245   anonymous

Thank you for your response. So if I understand correctly, there is no effective way of subtractinga list of commands?

Tue Mar 29 16:48:18 2005: 246   TonyLawrence

Image (Asset 3/10) alt=
Correct.. list the allowed commands or directory

Wed Dec 28 09:35:42 2005: 1463   channelspace

very nice article! thank you :)

Thu Jan 26 15:50:37 2006: 1568   Dan

Thanks for the article! I was actually trying to configure sudo last night for the first time and got kinda lost with the man pages. Then I found your article and now I can at least configure the sudoers file and test some users capabilities. I am trying to find a solution for my programmers where I don't have to give them the root password as they frequently need to su as another user on the system to troubleshoot their issues. So after going through various newsgroups, it seemed like sudo would be able to accomplish this. Is this assumption correct? Is the syntax "sudo su - 'username'" after I configure the sudoers file w/ the usernames of my programmers? Thanks for your help!

Thu Jan 26 16:16:59 2006: 1569   TonyLawrence

Image (Asset 4/10) alt=

They just do

sudo su -

Nothing more.

Or "sudo command"

if you've only given them access to specific commands.

(I'm assuming they want to be root - if it is some other user, then yes, sudo "su -" username would be it)

Sun Jan 29 23:38:41 2006: 1588   Dan

So I configured the sudoers file so when my programmers log in, they type "su - 'username of who they want to be'" and it works! Thanks!

How come there are some files owned by user "8036" and some owned by root in my SUDO directory?

case in point:

-rw-r--r-- 1 8036 system 640 Jan 25 16:56 sudoers
-rw-r--r-- 1 8036 system 60958 Nov 08 10:22 sudoers.cat
-rw-r--r-- 1 root system 57536 Jan 25 16:34 sudoers.man
-rw-r--r-- 1 8036 system 57727 Nov 08 10:22 sudoers.man.in
-rw-r--r-- 1 8036 system 44838 Nov 28 2004 sudoers.pod
-rw-r--r-- 1 8036 system 2902 Feb 12 2004 sudoers2ldif
-rw-r--r-- 1 8036 system 9920 Aug 02 2004 testsudoers.c
-rw-r--r-- 1 8036 system 6350 Jun 06 2004 tgetpass.c
-rw-r--r-- 1 root system 5232 Jan 25 16:36 tgetpass.o
-rw-r--r-- 1 8036 system 1814 Sep 11 2004 utimes.c
-rw-r--r-- 1 8036 system 1195 Nov 08 10:22 version.h
-rwxr-xr-x 1 root system 188507 Jan 25 16:37 visudo


Mon Jan 30 10:25:27 2006: 1589   TonyLawrence

Image (Asset 5/10) alt=
The install had files owned by "8036". You don't have a user with that id.

That's not at all unusual and nothing to be concerned about, though you may want to change these just so it doesn't bite you if you ever do add a user and use that id.

Mon Jan 30 16:26:05 2006: 1591   Dan


Mon Jan 30 17:24:45 2006: 1592   Dan

What line would I put into my sudoers file to restrict users from su'ing to root.

I have user1 in group1 being able to su to other users w/o passwords which is what I want.

But I want to restrict user1 to su to root. They can su to other users but I don't want them to su to root.

right now user1 can su to root w/o a password.

Is there a way to do this?


Mon Jan 30 18:14:44 2006: 1593   TonyLawrence

Image (Asset 6/10) alt=
Sure - see the "Limiting Commands" at the end of the article above.

Mon Oct 9 20:47:41 2006: 2508   anonymous

Nice article. Just what I needed. Though the one liner text boxes are a little irritating to scroll and read through.

Mon Oct 9 21:01:16 2006: 2509   TonyLawrence

Image (Asset 7/10) alt=
Use the "Printer Friendly" link.

See (link) for WHY we have those.

Mon Dec 4 19:33:34 2006: 2687   anonymous

Really nice article. Was really helful
How can I configure sudo so that it will be able to monitor all activities performed by the pseudo administrators and report on any discrepancies.

Mon Dec 4 20:02:44 2006: 2688   TonyLawrence

Image (Asset 8/10) alt=
If you enable logging, you can track every command.. but it isn't up to sudo to decide something is a "discrepancy" - that's your job. If you don't want to let someone use a particular command, then configure it so.

Wed Mar 7 06:57:05 2007: 2905   erimin

I wanted to create a user with the access to stop/start apache, so i created this line :

%adminx ALL=NOPASSWD: /etc/rc.d/init.d/httpd

When i login as the user ( which belongs to the "adminx" group ), i got this error message when i issued command "/etc/rc.d/init.d/httpd restart" :

rm:cannot remove `/var/run/httpd.pid' : Permission Denied
Starting httpd:
Touch:cannot touch `/var/locl/subsys/httpd' : Permission Denied

What should i do to enable that particular to stop/start httpd service?

Wed Mar 7 11:50:48 2007: 2906   TonyLawrence

Image (Asset 9/10) alt=
Apache runs as root during startup. This could get pretty complicated.. I think I'd use a setuid wrapper instead..

Wed Jun 20 20:03:20 2007: 3038   yanM

Nice article. Thanks. Is this possible to somehow set a command prompt when working with sudo? Say, I want the prompt to be % how can I set it?

Wed Jun 20 20:21:57 2007: 3039   TonyLawrence

Image (Asset 10/10) alt=
You mean when you start a sudo shell..

Probably - can't think about it right now..

Wed Aug 15 09:59:48 2007: 3078   GermanJulian


Thank you I found the sudo article useful. good intro for a beginner :)

Fri Jan 4 17:16:20 2008: 3393   anonymous

Nice article!
I have one qustion:
How can I do so, that userA give permissions to userB to execute some commands, without userA to have access on the permissions on the another users(C,D...) ?

Fri Jan 4 18:34:48 2008: 3394   TonyLawrence

User A can't give permissions - root gives permissions with the conf file. Look at the examples.

Thu Jan 10 21:03:27 2008: 3434   anonymous

I think in this way as sample: userA has permission of #sudo -f /etc/allow/sudoers to allow userB to do something and #sudo -f /etc/deny/sudoers to restore the original config file! Is it possible?
file /etc/allow/sudoers the file with the permissions for userB...
of course userA can never give another permissions to userC.

Sun Jan 27 17:56:03 2008: 3537   pl1sk3n

Great guide but i can't start visudo?
I get this answer; visudo: /etc/sudoers: Permission denied,
Do you have a solution for this?

Sun Jan 27 18:04:42 2008: 3538   TonyLawrence

Are you root?

Sun Jan 27 18:33:25 2008: 3539   pl1sk3n

No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.

Sun Jan 27 18:42:37 2008: 3540   pl1sk3n

No i'm not root. If i use sudo ill get the setuid as you now. If i try su it ask for password, i have tried everything and nothing worked.Im totally locked out, can't even fix my internet connection.

Sun Jan 27 19:07:45 2008: 3541   TonyLawrence

OK, so you were not in sudoers and you've lost your root password? See (link)

Sun Jan 27 19:53:16 2008: 3542   pl1sk3n

I know my password it did not work in su, authentication error. The problem started with a chown command i guess, don't remember exactly what i did wrong.
My ls -l command give this; ---s--x--x 1 keeej root 91776 /usr/bin/sudo. I'm i root anyway? If so how to fix that? Ps sorry about the dubbel posting above Ds

Sun Jan 27 20:06:41 2008: 3543   TonyLawrence

If you are already root, you can just edit the sudoers file directly: visudoers is simply to keep two roots from mucking there at the same time.

sudo should be owned by root: it's setuid (that "s") for the owner - which has to be root.

---s--x--x 1 root root 81644 Jan 14 15:36 /usr/bin/sudo

So if you ARE root:

chown root /usr/bin/sudo

Sun Jan 27 21:11:47 2008: 3544   pl1sk3n

Thank you for your effort but operation denied.
Maybe its time for a reinstall?

Sun Jan 27 21:32:11 2008: 3545   TonyLawrence

Or you might try booting to single user and see if you can fix up things there.

Wed Mar 26 14:11:19 2008: 3901   anonymous

very usefull indeed...

Fri Jul 4 18:26:56 2008: 4390   amoe

Thanks for this article, the manpage was extremely intimidating, but this gives me basically everything I need. Respect knuckles.

Sat Jul 5 14:14:45 2008: 4391   MohamedMansour

Nice article! Keep the articles coming :)

Tue Sep 8 09:46:39 2009: 6870   anonymous

Thank you. most helpful. I can understand the meaning of all the ALLs now :)

Tue Oct 13 13:36:26 2009: 7220   MukeshDhiman

Very good !

Tue Nov 3 11:25:52 2009: 7415   Omar

Well done.


Omar Sattar

Tue Mar 2 13:33:17 2010: 8165   TonyLawrence

Updated sudo packages fix escalation vulnerabilities: (link)

Fri May 14 17:50:17 2010: 8595   Ian

Great article.
You just saved me from spending the rest of the afternoon trying to make sense of the man page.
Thank You!

Sat Jul 10 16:33:41 2010: 8807   bipul

I am using sudo inside a script. When it runs unix command it ask for password and always I have to provide it manually. Is there any way I can provide it dynamically ?
eg :
sudo cp file1.txt target_dir

Sat Jul 10 16:56:16 2010: 8808   TonyLawrence

You can set it to use no password, you can use the -A option, you can run your script with Expect or you can use a setuid program.

Thu Aug 5 07:24:20 2010: 8875   Navneet


I wanted to stop haproxy service using the nagios nrpe plugin. I am able to stop the service using the sudo command from nagios user. But when i try stopping the service from remote nagios server. I am unable to do that.

When i try stopping the service remotely typically a shell script is executed by nagios user on the client machine. But it does not stops the service.

The shell script is as follows:

sudo /etc/init.d/haproxy stop
echo "Stopped HA Proxy"

The output on the remote end is 'Stopped HA Proxy' but exactly the service is not stopped. Whereas if i run the same command in the script or script itself as nagios user. The service is stopped properly.

I will be seeking help.. Thanks is advance


Tue Aug 17 21:42:51 2010: 8907   anonymous

I tried using sudo and was warned that if I continued to use it I would lose important files

Tue Aug 17 21:48:04 2010: 8908   TonyLawrence

Warned by who?

Do you mean the warning that sudo prints the first time you use it??????

Tue Aug 17 22:22:58 2010: 8909   anonymous


The first time I used it without success, my computer crashed. The second time, I got the warning. From who, I don't know.

Tue Aug 17 23:15:30 2010: 8910   TonyLawrence

I don't think you should be using sudo and maybe you shouldn't be using Linux at all.

Sat Oct 23 13:03:41 2010: 9055   kimvirith

if you give permission passwd to user so mean that user can change password root also. do you have any solution to protect this?

Sat Oct 23 13:15:49 2010: 9056   TonyLawrence

"do you have any solution to protect this"

Specify the commands you want to allow.

Sat Oct 23 13:28:44 2010: 9057   anonymous

if you allow a sudo user to change password for default user.
this condtion sudo user can change password also.
so how can we solve this problem?

Sat Oct 23 18:12:45 2010: 9058   TonyLawrence

No, that is not the case at all. You have not bothered to read this page, have you? Read the section on limiting commands.

Sun Oct 24 05:25:47 2010: 9060   anonymous

let do it by yourself first.
example: visudo -f /etc/sudoers
tony ALL = ALL NOPASSWD:/usr/bin/passwd
then create alias for user tony to user command passwd
echo "alias passwd="sudo /usr/bin/passwd" >> /home/tony/.bashrc
then tony can use this command to change password root
passwd root
then its allow tony to change password
u ever think about this problem?
hope you reply me soon .. thank you for your information.

Sun Oct 24 11:38:16 2010: 9062   TonyLawrence

If they need to change their own password, they do it while logged in normally, without sudo. You don't LET them run "passwd" with sudo.

That's not entirely foolproof, of course. See (link) for more.

Mon Oct 25 09:52:34 2010: 9065   anonymous

what can we do if like this? if we not allow that user to run sudo how can they run another command?
i can fix alias for that user but that user can run sudo /usr/bin/passwd as well.
if i block sudo that user can not do anything.
can u example for me?
thank you in advance for your response

Mon Oct 25 10:43:28 2010: 9066   TonyLawrence

As is explained right here on this page, you can limit a sudo user to the specific commands you need them to be able to run. As explained in the other link I gave you, you do have to be careful that none of those commands give shell access.

Life is not perfect. When you trust people with power because they need it for some task, you always run some risk that they will abuse that power.

I think your basic issue is that you have not really read this page or the sudo man page and therefore do not understand what I have been trying to tell you. Read the section on Limiting Commands above and also that other link I gave you.

In the example I gave in Limiting Commands, Jim can't run just "sudo". He can't get a shell. He CAN run "sudo kill" or "sudo linuxconf" and the commands in /usr/sbin/Jim (which presumably he cannot write to) but that's it. He wouldn't be able to run "sudo passwd root" or "sudo passwd" anything.

If you still do not understand this, I can't offer you anything more. You need to READ.

Sat Dec 11 01:04:57 2010: 9158   albeba

In effect nice article, i'm trying to give rights to a beginner user on "/etc/init.d/networking restart" cause we have a realy bad (public wifi) connection and need to regularly have a dhcp request done to the provider...
(the fact is that the "Network manager" of Gnome crashes sometimes so a networking restart is the more efficient to arrange it)

So i thought about adding this line to my sudoers file:

theuser themachine= /etc/init.d/networking restart

but i have a permission denied when theuser runs /etc/init.d/networking restart :

Reconfiguring network interfaces...ifdown: failed to open statefile /etc/network/run/ifstate: Permission denied
ifup: failed to open statefile /etc/network/run/ifstate: Permission denied

Sat Dec 11 01:57:08 2010: 9159   TonyLawrence

The user has to run

sudo /etc/init.d/networking restart

Fri Jul 15 01:51:30 2011: 9621   Gora

Thanks a lot for the easy to understand article.
I have configured sudo and its working as its suppose to, no problem there.
however, I am getting a small glitch (weird actually) when I do "visudo -s sudoers".
when I try to save the file visudo returns with " what now?" though visudo doesn't throw any format errors along with it, just "what now" as if its the default option. I do a "Q" to save the file and sudo works perfectly afterwards, but as per my understanding visudo should not return with "what now?" if there aren't any errors and should save the file directly.
Any help will be much appreciated.

Thu Jul 28 01:44:05 2011: 9654   rahul

Hi, i have a particular user with sudo permissions, but enable to find his entry in visudo file. so how did he got that sudo effects and were can i disable his sudo entry. plz respond......

Thx in advance...........

Thu Jul 28 10:18:44 2011: 9655   TonyLawrence

Why do you say he has sudo permissions?

Tue Aug 16 12:27:43 2011: 9715   Will

Hi, I'm new to sudo so please excuse my pundit question. Can I, with sudo, enable a user to run all commands in an environment but only on specific directories. An example, we have websphere admins who need root access to do their software deployments. The WAS application/install/deployments all resides on a non-OS filesystem/directory. The users however need to be able to use rm/chmod/vi/ln commands and much more within this directory. Now, what I know I can do, is to list all hundred commands to be used, or is there an easier way? In short, I want the users to be able to do what they want anywhere on the system but systems directories and files.

Tue Aug 16 12:44:09 2011: 9716   TonyLawrence

No, you'd be better to give specific permissions to those directories. See (link)

Wed Aug 31 09:17:30 2011: 9757   Michel

Thanks Tony for this nice article !

One question more :
I access a program via a web page who ask for a root account in order to run.
I log first to the server and then sudo but when I access the web page, my sudo user can't log.
Is there a way to log as a sudo user on the web page and make the program run ?


Tue Oct 4 12:35:29 2011: 9899   anonymous

I have a command like xm console <hostname> I added xm console to the sudoers files and at the prompt I am typing xm console <actual-hostname>.
It is not executing the command.Can you please tell why this could be happening.

Tue Oct 4 12:47:57 2011: 9900   TonyLawrence

No. Just add "xm".

Tue Oct 4 17:16:11 2011: 9901   TonyLawrence

If you want something that only does "xm console", you need to create another command that does that and passes the other argument and add THAT to sudoers.

Fri Oct 7 08:50:18 2011: 9930   anonymous

Hi ,
Can you please explain with an example.What I understand is create a alais for the xm console command and they pass the hostname from the command line is that right.

Fri Oct 7 13:21:14 2011: 9938   TonyLawrence

No, you don't want an alias. You want an actual script or executable.

Wed Oct 19 13:08:15 2011: 10044   olemp

hi, i prevented the "su" command from sudo users. i want prevent the sudo user to become root or any other user. but with "sudo vi" command user is able to execute shell command and with "!bash" command user become root...how can i prevent this (without restricting the vi editor).thank you...

Wed Oct 19 14:19:50 2011: 10045   TonyLawrence

See the manual and search for "shell escapes".

(link) for example (though you have 'info sudoers' also)

Fri Oct 21 11:09:53 2011: 10052   IMRAN

Hi ,
i installed sudo in Sun blade T6320 server & also edit visudo file for user entry and syslog.conf file for log checking .But i am unable to see sudo log(What command were run by sudo user)...........

Fri Oct 21 11:20:02 2011: 10053   TonyLawrence

Did you remember to modify syslog.conf (sudo logs to local2 by default, see your sample.syslog.conf file in your sudo fules)?

You'd need to signal syslogd after that, too.

Mon Oct 31 17:40:50 2011: 10101   MarcCahill

If you sudo a job as another user my_target_user, and the initial unix session you invoked the sudo command terminates, does the script you submit under the target user terminates too ? or will it run under its own sheell under the target user you sudo to ?

Mon Oct 31 17:56:42 2011: 10102   TonyLawrence

Use "nohup".

Mon Nov 21 10:27:05 2011: 10212   IMRAN

hi ,
After restart the service(svcadm restart system-log)and editing syslog.conf file.I am able to see the log(User login details) in /var/log/sudo.log
But unable to see the what's command fired by perticular user...

Mon Nov 21 10:43:25 2011: 10214   TonyLawrence

You've missed something or didn't use visudo..

Mon Jan 2 13:05:10 2012: 10430   anonymous

Is there a way to get the actual user name using the sudo user name ?

Mon Jan 2 13:21:12 2012: 10431   TonyLawrence

Did you read the section on logging? The name appears in the logs.

Tue Jan 3 06:23:36 2012: 10436   anonymous

I am not the admin and will not know anything about the logs(location) in sudoer file. Apart from logs, is there any other way to get the actual user from sudo user name ?

Tue Jan 3 11:43:33 2012: 10438   TonyLawrence

You are not making sense. If you aren't an administrative user, of course you have no access to what other people did.

Thu Jan 26 09:30:53 2012: 10506   anonymous

Hi we have the environment where we have shell access through sudo which we dont change.here I have a query how we can audit the logs for the sudo user.
so we want after doing sudo what user do , evertying should be logged .
for example:
$ sudo bash
now i am as root so what ever I do how we can get it logged
Please suggest how we can get this possible

Thu Jan 26 14:48:40 2012: 10509   anonymous

Did you read the article or just jump down to ask your question??

Fri Mar 23 10:01:55 2012: 10767   Kuldeep

I wanted to restrit the user to run the init command but i want to give them permission the can copy and delete the file with the help of sudo. pls help me regarding same.
Thanks in advance.

Fri Mar 23 10:46:26 2012: 10769   TonyLawrence

I'm sorry - I don't understand what you want.

Mon Apr 23 20:45:19 2012: 10883   anonymous

I give you props for answering all of the questions, and I like the comment to anonymous about (s)he should not be using unix. Great comment.
Just imagine if everyone actually read the article first before asking questions, you would have nothing to do other then to receive praise ;)

Mon May 14 13:33:34 2012: 10953   kashif

Good Article,
I have a question. Is there any possibility that the user can only access sudo nano /etc/myserver.conf and must not edit files like sudo nano /etc/passwd, sudo nano /etc/myserver.conf, etc.

Mon May 14 15:54:52 2012: 10954   TonyLawrence

Not easily. You'd need to have an editor that doesn't allow you to read or write any other file. You could edit source to make such a thing, of course.

Mon Jul 23 06:41:28 2012: 11213   sri

Lawrence, could u pls tell me how to disable access for more than 1 user at a time in /etc/sudoers file, I know by manually edit the file(visudo) and comment out (#)..

Is there any way to do by scripting, since I have to disable access for more than 20 users, It is eating more time with manual edit of file and do comment out every time.

thanks in advance...

Mon Jul 23 10:59:22 2012: 11214   TonyLawrence

Yes, you could do it with a script. No, I'm not going to write such a script for you.

Thu Aug 2 09:39:20 2012: 11226   Prashant

Want to restrict chmod & chown command to run by user using SUDO permission in a specific directory only?

I can run these command by SUDO system-wide, but on server I want to give access to these commands in /var/www/html directory only.

How to restrict to run commands in specific directory through SUDO?

Thu Aug 2 09:53:36 2012: 11227   TonyLawrence

"restrict to run commands in specific directory"

Can't be done with just sudo. Difficult to do, period. You'd need to replace the chown/chmod commands and let the user run THOSE with sudo and writing those to cover every case will NOT be easy.

Fri Sep 21 15:17:07 2012: 11341   AM

I just had to do my last SCO Openserver migration, we need to have certain acocunts have the ability to run commands using asroot. I have it setup, but when I login as myself and not as root I tried to run a 'w' cmd. The only users that showed up as logged in were me. When I do it as root, no big deal. Thoughts?

Thanks in advance!

Fri Sep 21 19:58:23 2012: 11343   TonyLawrence

asroot and sudo are wary of privilege escalation.. or maybe you have wrong perms on the wtmp files.

Fri Oct 19 15:25:50 2012: 11390   anonymous

This article is great for configuring sudo. But show an actual example of using sudo please.

Fri Oct 19 15:42:25 2012: 11391   TonyLawrence

There are several examples in the article - quite a few, in fact. Did you actually READ it?

Fri Nov 30 14:17:16 2012: 11449   Ritendra

Great article, keeping in mind the complicated nature of sudo setup per se. Nice explanation too over how the changes will behave.

Tue Mar 5 16:27:51 2013: 11930   lou

hi there, just want to say thanks for this article and all the comments too. I think i'm nearly there in solving this. I'm trying to rsync apache logs from a remote to a local server and in my sudoers file have this
loguser ALL= /usr/bin/rsync, /usr/bin/tail, /var/log/httpd
but i also need to allow loguser to change directory and when I run my rsync file i get this:-
sending incremental file list
rsync: change_dir "/var/log/httpd" failed: Permission denied (13)

What do i need to add to allow 'change_dir' for loguser? Hope you can advise. Thanks Lou

Thu Aug 15 01:33:33 2013: 12262   anonymous

Hello I installed minecraft using sudo thinking that was how things were installed (im new to linux). Well now im trying to uninstall it but it has a little lock on the minecraft icon and I cannot uninstall it. I read somewhere else that I had to go to properties then permissions and change what I was allowed to do, but I cant change anything and at the bottom of the window it says "You are not the owner, so you cannot change these permissions" please help.

Thu Aug 15 09:51:20 2013: 12263   TonyLawrence

Did you try removing it with sudo?

Fri Aug 16 16:43:39 2013: 12264   TonyLawrence

Lou - I was sure I had answered your question earlier, but I see not.

I think that you are sudo'd on one side, but not the other.. the sudo does not pass through to the other rsync; you only have the perms of the rsync account you used.

Sat Feb 22 08:40:46 2014: 12421   Karn

This arctical Simply Great!

One Question Lawrence , Can we read the setuid or Binary Files by any means ?

Sat Feb 22 11:31:14 2014: 12422   TonyLawrence

You can see the setuid bits with "ls -l". The "file" command can help you determine whether a file is text or not.

Thu Dec 18 17:08:47 2014: 12588   azam

Hi, I have quick question I am trying to setup a script to find the sudo privileges for all users on a server, I am facing an issue with command "sudo -l -U username" on specifically sudo version 1.6xx (the command works fine with sudo versions 1.8x or later). Not sure what other options we have to get the sudo privileges for other users, please share if I can use some other flags on all sudo versions. Thanks in advance!!

Sudo version 1.6.7p5
server1# sudo -l -U amohamme
sudo: Illegal option -U
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>

server2:/# sudo -V |head -1
Sudo version 1.8.9p5
server2:/# sudo -l -U amohamme
User amohamme may run the following commands on txcomregappqa51:
(ALL) NOPASSWD: /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root

Thu Dec 18 18:56:40 2014: 12589   TonyLawrence

It's not a quick question for me - I have no idea about version specific bugs. Someone else reading this might know, though I bet chances are slim.

Mon Feb 2 11:32:19 2015: 12607   Dinesh

$ sudo -l
Matching Defaults entries for dineshr on this host:
logfile=/var/log/sudo.log, syslog=auth, syslog_badpri=notice, syslog_goodpri=notice

User dineshr may run the following commands on this host:
(root) NOPASSWD: /bin/su - dedw_adm

I'm new to Unix. How could i use this sudo access further for informatica related stuffs.

Mon Feb 2 14:03:22 2015: 12608   TonyLawrence

I have no idea what "informatica related stuffs" means. Read the article.


Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us


2 people like this. Be the first of your friends.
    +81   Recommend this on Google

    Additional Info

    The less accurate your mental model of a given process is, the less accurate is any guess you make about its malfunction. (Tony Lawrence)

    The people I distrust most are those who want to improve our lives but have only one course of action in mind. (Frank Herbert)

    This post tagged: