Sudo Command in Linux


The sudo (Super User DO) command in Linux is crucial for executing commands with superuser privileges, similar to the "run as administrator" feature in Windows. It provides a secure way of granting temporary elevated access, differentiating itself from the su command.

Users needing sudo access must be listed in the "/etc/sudoers" file, editable using the "visudo" command. Instead of the root password, sudo typically requires the invoking user to authenticate. This article explores the usage of sudo, its comparison with su, and guidelines for granting sudo access effectively.

What is Sudo Command?

The sudo command in Linux, often known as "superuser do," enables a user with the necessary permissions to run a command in the role of another user on Unix-like operating systems. By default, sudo runs commands as root.

We can have several administrators thanks to sudo. These users must have an entry in the "/etc/sudoers" file to be able to use the sudo command. Keep in mind that you must use the sudo command to see or change the sudoers file. It is advised to use the "visudo" command to modify the sudoers file.

By default, sudo requires users to verify their identity using a password that is not the root password but rather the user's password.

Syntax

The general syntax for the sudo command in Linux is described below:

Installing the Sudo Command

Most Linux distributions come with the sudo command package pre-installed. The following actions must be taken to ensure that the package is installed on our system:

  1. Open your terminal.
  2. Type sudo and press the enter key.
  3. If we have the sudo package installed, it will display a brief message.
  4. Otherwise, a message stating that the sudo command was not found will be displayed on the screen.
  5. If the package isn't already installed, we may quickly install it by using the distribution's package manager.

Install Sudo on Fedora and CentOS

Install Sudo on Debian and Ubuntu

How to Use Sudo Command

To use sudo, just prefix the command with sudo:

Where command is the command you wish to use sudo for.

Sudo will read the /etc/sudoers file and determine whether the calling user has sudo access permission. When you use sudo for the first time in a session, you will be prompted for the user password, and the command will be run as root.

Options

The following command line options are accepted by sudo:

  1. -V: The -V (version) option tells sudo to print the version number and then exit. If the invoking user is already root, the -V option also prints a list of sudo's settings and the machine's local network addresses.
  2. -l: The -l (list) option displays the commands that the user is permitted to use on the current host.
  3. -L: The -L (list defaults) option displays a list of the parameters that can be set in a Defaults line, along with a brief description of each. This option is useful when combined with grep.
  4. -h: The -h (help) option makes sudo print a usage message and exit.
  5. -v: When given the -v (verify) option, sudo updates the user's timestamp and, if required, asks for the user's password. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers), but it does not execute a command.
  6. -k: The -k (kill) option invalidates the user's timestamp by setting it to the epoch time. A password will be required the next time sudo is used. This option does not require a password and was added to allow a user to revoke sudo rights from a .logout file.
  7. -K: The -K (sure kill) option completely removes the user's timestamp. No password is required for this option.
  8. -b: The -b (background) option instructs sudo to execute the specified command in the background. You cannot use shell job control to manage the process if you use the -b option.
  9. -p: The -p (prompt) option allows you to use a custom password prompt instead of the default one. The percent ('%') escapes listed below are supported:
    • %u expands to the login name of the invoking user
    • %U expands to the login name of the user who will execute the command (which is usually root)
    • %h expands to the local hostname, omitting the domain name
    • %H expands to the local hostname including the domain name (if the machine's hostname is fully qualified or the "fqdn" sudoers option is set)
    • %% (two consecutive % characters) is collapsed into a single % character
  10. -c: The -c (class) option instructs sudo to run the supplied command with resources limited by the specified login class. The class parameter can be either a class name defined in /etc/login.conf or a single '-' character. A class of - indicates that the command should be limited by the user's default login privileges. If the class parameter indicates an existing user class, the command must be executed as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes where sudo was built with the --with-logincap option.
  11. -a: The -a (authentication type) option instructs sudo to use the given authentication type when verifying the user, as permitted by /etc/login.conf. By adding an "auth-sudo" entry to /etc/login.conf, the system administrator can define a list of sudo-specific authentication methods. This option is only available on systems that support BSD authentication where sudo was built with the --with-bsdauth option.
  12. -u: The -u (user) option instructs sudo to run the provided command as a user other than root. To specify a uid rather than a username, use #uid.
  13. -s: The -s (shell) option invokes the shell supplied by the SHELL environment variable, if it is set, or the shell defined in the passwd file.
  14. -H: The -H (HOME) option sets the HOME environment variable to the target user's (root by default) home directory, as specified in passwd. Sudo does not alter HOME by default.
  15. -P: The -P (preserve group vector) option instructs sudo to keep the user's group vector unchanged. By default, sudo will initialize the group vector with the target user's list of groups. However, the real and effective group IDs are still set to match the target user.
  16. -r: The -r (role) option assigns the role given by ROLE to the newly created (SELinux) security context.
  17. -t: The -t (type) option forces the new (SELinux) security context to have the type (domain) given by TYPE. If no type is supplied, the default type is determined from the specified role.
  18. -S: The -S (stdin) option instructs sudo to read the password from standard input rather than the terminal device.
  19. --: The -- option tells sudo to stop processing command line arguments. It is most useful when combined with the -s option.

Return Value

When a program or task runs successfully using sudo, sudo exits with a value of 0 (zero), and the command produces the desired output.

On the other hand, if an error or permissions issue arises, sudo will end with an exit value of 1 (one).

What is Sudo Su?

The su command, which stands for substitute user or switch user, allows the currently logged-in user to take over the identity of another user.

Syntax

If no username is given, su takes over as the superuser (root).

With sudo su, a root shell is obtained by supplying the password of the current user. As a result, root may be accessed without the root password.

This is useful if you have forgotten the root password, which may be different from the password for your user account. While this works as a stopgap, you should reset the root password.

Difference Between Su and Sudo

The major distinction between the two is that su requires the target account's password, whereas sudo requires the current user's password. As a result, using sudo is significantly safer because it does not involve the exchange of sensitive information.

Furthermore, when doing actions that require root access, use sudo. As a result, the current user is only granted power for the specified command. Su, on the other hand, switches entirely to the root user, exposing the entire system to the possibility of unintentional alteration.

Environment Variables

The following are the environment variables used by sudo:

Tag            Description
EDITOR         If VISUAL is not specified, this is the default editor to use in -e (sudoedit) mode.
HOME           Set to the target user's home directory in -s or -H mode (or if sudo was set up with the --enable-shell-sets-home option).
PATH           Set to a reasonable value if the secure_path sudoers option is set.
SHELL          Determines which shell to launch with the -s option.
SUDO_PROMPT    Used as the default password prompt.
SUDO_USER      Set to the login of the user who executed sudo.
SUDO_COMMAND   Set to the command run by sudo.
SUDO_UID       Set to the uid of the user who executed sudo.
SUDO_GID       Set to the gid of the user who executed sudo.
SUDO_PS1       PS1 will be set to its value if set.
USER           Set to the target user (root unless the -u option is specified).
VISUAL         Default editor to use in -e (sudoedit) mode.

Granting Sudo Privileges

To use the sudo command, a user must be a member of the sudo, sudoers, or wheel groups. A single-user system by default provides sudo capabilities to its user. Some users may be denied sudo access on a system or server that has numerous user accounts.

We advise granting permissions only when they are essential for the user to carry out everyday duties.
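
A way to check who already holds unrestricted sudo rights before granting more, as an added example that is not part of the original article. The sample sudoers and group text, the user names, and the function names audit_sudoers and full_root_users are constructed for illustration; the script handles plain user and %group rules only, not aliases or included files.

```sh
#!/bin/sh
# Added example: report sudoers rules that grant unrestricted root access.
# It reads sudoers-format text from stdin; nothing on the live system is touched.

# Constructed sample data (not taken from a real host).
SAMPLE_SUDOERS='# constructed sample
Defaults secure_path="/usr/sbin:/usr/bin"
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
'
SAMPLE_GROUP='wheel:x:10:carol
sudo:x:27:dave,erin
'

# audit_sudoers: print "<who> full-root nopasswd=<yes|no>" for each rule
# whose command list is exactly ALL.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        {
            who = $1; rule = $0
            sub(/^[^=]*=/, "", rule)              # drop "who host="
            sub(/^[ \t]*\([^)]*\)/, "", rule)     # drop "(runas)"
            nopass = (rule ~ /NOPASSWD:/) ? "yes" : "no"
            gsub(/[A-Z]+:/, "", rule)             # drop tags such as NOPASSWD:
            gsub(/[ \t]/, "", rule)
            if (rule == "ALL")
                printf "%s full-root nopasswd=%s\n", who, nopass
        }'
}

# full_root_users SUDOERS_TEXT GROUP_TEXT: expand %group rules against
# group(5)-format text and print the sorted, de-duplicated user names.
full_root_users() {
    printf '%s' "$1" | audit_sudoers | while read -r who rest; do
        case $who in
            %*) printf '%s' "$2" | awk -F: -v g="${who#?}" \
                    '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' ;;
            *)  printf '%s\n' "$who" ;;
        esac
    done | sort -u
}

full_root_users "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
```

For a single account, the -l option described above gives sudo's own answer about what that user may run.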

The steps for adding a user to the sudoers group are covered in the sections that follow.

RedHat and CentOS

In Redhat/CentOS, the wheel group manages sudo users. Use the following command to include a user in the wheel group:

Substitute your username for [username]. You might have to use the su command or log in as an administrator.

Debian and Ubuntu

In Debian/Ubuntu, the sudo group controls sudo users. The command to add a user to the sudo group is:

Substitute an actual username for [username]. You might need to use the su command or log in as an administrator.

Using visudo and the sudoers Group

To give rights, users are added to the sudoers file in certain current versions of Linux. This is accomplished with the visudo command.

  1. You can modify the configuration file by using the visudo command:
  2. This will open /etc/sudoers for editing. Add the following code to add a user with full sudo privileges:
  3. Save and exit the file.

The sudo privileges that were granted are shown below:

Conclusion

After reading this article:

  • You know about the sudo command in Linux, various options available in sudo, and when to use one.
  • You now know how to use the sudo command in Linux and how to create new users with sudo rights.
  • The distinction between the commands sudo and su must be clear.

To avoid potential security and system-wide risks, always remember to use sudo.