sudo

sudo #

sudo (short for superuser do) is a powerful command that allows authorized users to execute commands as the root user or another user, as specified by the security policy in the /etc/sudoers file. The sudo group is a group of users who have the privilege to run commands as the root user by using the sudo command.

Relation to the root user #

The root user is the superuser on a Unix/Linux system and has complete control over the system. The sudo command allows authorized users to execute commands as the root user, effectively granting them root privileges for specific tasks. This is a safer approach than directly logging in as the root user, as it reduces the risk of unintentional changes and provides an audit trail of the commands executed with sudo.

The sudo Command #

To execute a command with root privileges, simply prepend sudo to the command you wish to run. When you use sudo for the first time in a session, you’ll be prompted to enter your password. This password is not displayed on the screen as you type it. If the authentication is successful, the command will be executed with root privileges, and subsequent sudo commands within a short time span will not require a password.

Some common uses include:

sudo apt install tree           # Install the 'tree' package
sudo vi /etc/hosts              # Edit the protected 'hosts' file
sudo systemctl restart apache2  # Restart the `apache2` service

The sudo Group #

By default, only users who are members of the sudo group are allowed to execute commands as the root user. To add a user to the sudo group, run the following command with sudo privileges:

sudo usermod -aG sudo username

The /etc/sudoers File #

The /etc/sudoers file is the main configuration file that determines which users have sudo privileges and the extent of those privileges. It is recommended not to edit this file directly but to use the visudo command instead, as it performs syntax checking and prevents you from saving a malformed configuration that could lock you out of the system.

sudo visudo

The /etc/sudoers file contains rules in the following format:

user host=(target_user) commands
  • user → The user or group allowed to run commands as the target_user.
  • host → The host on which the rule is applicable.
  • target_user → The user that the command will be executed as.
  • commands → A list of commands that can be executed.

Assume that you have a user named alice and you want to give her permission to run systemctl commands to manage the nginx service on a specific host called appserver. The rule would look like this:

alice appserver=(root) /bin/systemctl start nginx, /bin/systemctl stop nginx

To allow all users in the sudo group to execute any command as the root user on any host, the rule would look like this:

%sudo ALL=(ALL:ALL) ALL

The % symbol indicates that the rule applies to a group rather than a specific user. The ALL:ALL syntax means that the user can execute commands as any user and any group.