Linux follows a strict permission model. The root user can do anything, while a normal user has only limited permissions and must obtain elevated privileges from the superuser to run administrative commands. The easiest and most common way to grant administrative privileges to a non-root user is the su command, which lets the user temporarily become root, but the user must know root’s password. In a corporate environment this is very dangerous, because every privilege of root is handed to that user, who can then do anything. For example –
[userA@rhel7 ~]$ su -
Password:
It asks for the superuser’s password.
To overcome the risk described above, the sudo command is used instead. It allows a user to run a command as root, or as any other user, after authenticating with the user’s own password. Which users may do so, and which commands they may run, is defined in the /etc/sudoers file. Before describing the “sudo” command I want to talk a bit about visudo.
What is visudo –
visudo is a command to edit the configuration file for sudo, located at /etc/sudoers. You should not edit this file directly with a normal editor; always use visudo for safety and security. Editing the /etc/sudoers file requires superuser privileges.
visudo does not allow two people to edit /etc/sudoers at the same time: it locks the file, and anyone who tries to open it while it is locked gets a message to try again later.
[root@rhel7 ~]# visudo
visudo: /etc/sudoers busy, try again later
It also checks the syntax of your edits and performs basic sanity checks, which are very helpful. If it identifies an error, visudo will not save the file with those edits.
Set rules in sudoers file –
A common question is how rules are defined in the sudoers file. Before editing it, it’s better to understand the existing configuration, which defines which users can run what software on which machines. The syntax of the pre-defined rule is given below –
root ALL=(ALL:ALL) ALL
This allows root to run any command anywhere. The meaning of this line is –
username hosts=(users:groups) commands
ALL means the user can run all commands on all hosts, as all users and groups. So root has the privilege to run any command as any user or group.
Let’s consider an example and give userA the same full power as root –
userA ALL=(ALL:ALL) ALL
If you wish to run commands without being prompted for a password, use the NOPASSWD tag –
userA ALL=(ALL:ALL) NOPASSWD:ALL
In the example below userA can only start, stop and restart the “httpd” service. Each permitted command is listed together with its exact arguments, because a command listed without arguments (for example a bare /usr/bin/systemctl) would allow userA to run it with any arguments, including against other services –
userA ALL=(root) /usr/bin/systemctl start httpd, /usr/bin/systemctl stop httpd, /usr/bin/systemctl restart httpd
The user can check whether the command works by following the procedure below –
[root@rhel7 ~]# su - userA
Last login: Thu Sep 13 15:01:18 EDT 2018 on pts/0
[userA@rhel7 ~]$ sudo -u root systemctl stop httpd
[sudo] password for userA:
[userA@rhel7 ~]$
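To review rules like these before they go live, here is an added example (not part of the original post) that parses user specifications in the username hosts=(users:groups) commands form shown above and flags the grants a reviewer would question: ALL commands, the NOPASSWD tag, and a command listed without arguments, which sudoers treats as allowing any arguments. It assumes single-line user specifications only; aliases, Defaults lines and backslash continuations are not handled.

```python
import re

# One sudoers user specification:  who hosts=(runas_users[:runas_groups]) [TAG:]cmd, ...
# Assumption: single-line specs only; aliases, Defaults and '\' continuations are not handled.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)

def parse_rule(line):
    """Split one user specification into its fields; raise ValueError on bad syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid user specification: {line!r}")
    runas = m.group("runas") or "root"        # sudo runs as root when no (runas) is given
    users, _, groups = runas.partition(":")
    tags, cmds = set(), []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        while re.match(r"^[A-Z]+:", spec):    # strip tags such as NOPASSWD: or NOEXEC:
            tag, _, spec = spec.partition(":")
            tags.add(tag)
            spec = spec.strip()
        cmds.append(spec)
    return {"who": m.group("who"), "hosts": m.group("hosts"),
            "runas_users": users.strip(), "runas_groups": groups.strip(),
            "tags": tags, "cmds": cmds}

def audit_rule(line):
    """Return the findings for one rule; an empty list means nothing stood out."""
    rule = parse_rule(line)
    findings = []
    if "ALL" in rule["cmds"]:
        findings.append("grants ALL commands")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: runs without a password prompt")
    for cmd in rule["cmds"]:
        # A command listed without arguments may be run with any arguments.
        if cmd != "ALL" and " " not in cmd:
            findings.append(f"{cmd} listed without arguments: any arguments allowed")
    return findings

if __name__ == "__main__":
    # Constructed sample input: the kinds of rules discussed in this post
    for rule in ["root ALL=(ALL:ALL) ALL",
                 "userA ALL=(ALL:ALL) NOPASSWD:ALL",
                 "userA ALL=(root) /usr/bin/systemctl, /usr/sbin/httpd start stop restart",
                 "userA ALL=(root) /usr/bin/systemctl restart httpd"]:
        print(rule, "->", audit_rule(rule) or "ok")
```

A rule that visudo would reject for a syntax error, such as one missing the = between hosts and the run-as list, raises ValueError here too.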
Note – We can also use vim with visudo.
export VISUAL=vim; visudo
Using nano with visudo
export VISUAL=nano; visudo
Assign privileges to a group –
You can assign the same privileges to multiple users by putting them in a group. There is one predefined group in the sudoers file: members of the wheel group can use sudo to run any command as any user, including the superuser. We can add users to this group. It is normally configured like –
%wheel ALL=(ALL) ALL
Use this command to add a user to the wheel group –
usermod -aG wheel username