4.4.3.2. The sudo Command
The
sudo
command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo
, they are prompted for their own password. Then, once authenticated and assuming that the command is permitted, the administrative command is executed as if by the root user.
The basic format of the
sudo
command is as follows:
sudo <command>
In the above example, <command> would be replaced by a command normally reserved for the root user, such as
mount
.
Important
Users of the
sudo
command should take extra care to log out before walking away from their machines since sudoers can use the command again without being asked for a password within a five minute period. This setting can be altered via the configuration file, /etc/sudoers
.
The
sudo
command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers
configuration file are allowed to use the sudo
command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in Section 4.4.1, “Allowing Root Access”.
The
sudo
command also provides a comprehensive audit trail. Each successful authentication is logged to the file /var/log/messages
and the command issued along with the issuer's user name is logged to the file /var/log/secure
.
Another advantage of the
sudo
command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the
sudo
configuration file, /etc/sudoers
, should use the visudo
command.
To give someone full administrative privileges, type
visudo
and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user,
juan
, can use sudo
from any host and execute any command.
The example below illustrates the granularity possible when configuring
sudo
:
%users localhost=/sbin/shutdown -h now
This example states that any user can issue the command
/sbin/shutdown -h now
as long as it is issued from the console.
The man page for
sudoers
has a detailed listing of options for this file.