The sudo command allows users to do tasks on a Red Hat Enterprise Linux system as another user. sudo is different from the su command and is more flexible and more secure. One significant advantage is that it can log usage. By default the program saves log data in the file /var/log/secure.
The sudo program uses a configuration file, /etc/sudoers, to store the rules that decide whether a command is allowed or not. It is recommended that the visudo program provided with the sudo package be used to edit the /etc/sudoers file.
Assume that we want to be able to run programs as root from a user called normaluser. First, let's attempt to use sudo to run a privileged command:
$ sudo /sbin/service sendmail restart
Password:
normaluser is not in the sudoers file. This incident will be reported.
The sudo command has logged the attempt to the log file /var/log/secure:
# tail /var/log/secure
...
Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ;
TTY=pts/2 ; PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart
A special group 'wheel' exists on a Red Hat Enterprise Linux system that is traditionally used for privileged activity.
Add the supplementary group 'wheel' to the user (this command must be run as root):
# usermod -G normaluser,wheel normaluser
Verify that the user is now a member of the group wheel:
# groups normaluser
normaluser : normaluser wheel
Edit the file /etc/sudoers using the visudo command:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Notice that the /etc/sudoers file has examples and comments. To allow members of the group 'wheel' to run commands through sudo as root, uncomment the line:
...
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
...
The visudo program uses the key bindings and commands of the vi editor. To make changes in visudo, press the 'i' key (insert mode). Use the cursor keys to move the cursor to the correct position, and press the 'Delete' key to remove the '#' character. To write out (save) the changes, press the Escape key, then type ':write', and then ':quit' to exit:
...
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
#Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
# ALL ALL = NOPASSWD: /usr/bin/mindspring
Now run the privileged commands again as normaluser:
$ sudo /sbin/service sendmail restart
Password:
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
The /var/log/secure file will also record the successful use of sudo:
# tail /var/log/secure
...
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ;
PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart
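Because both the denied and the successful attempt above land in /var/log/secure, a defender can review them with a small parser. The following is an added example (not part of the original article or of the sudo package) that splits the two record shapes shown above; the sample log lines are constructed here, with the wrapped entries rejoined onto one line as syslog writes them, and the field names (ts, host, user, reason, tty, pwd, runas, cmd) are this example's own choice.

```python
import re
from typing import Optional

# Constructed sample in the /var/log/secure format shown above. The wrapped
# entries from the article are rejoined onto single lines; the sshd line is a
# non-sudo record that the parser must skip.
SAMPLE_LOG = """\
Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
Aug 2 15:06:02 somehost sshd[1234]: Accepted password for normaluser from 192.0.2.10 port 52211 ssh2
"""

# A denial carries a free-text reason (e.g. "user NOT in sudoers") between the
# invoking user and the TTY= field; a success goes straight to TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<reason>.*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return a dict for a sudo record, or None for any other syslog line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = m.groupdict()
    event["denied"] = event["reason"] is not None
    return event


def parse_secure_log(text: str) -> list:
    """Parse every sudo record in a chunk of /var/log/secure, in order."""
    return [e for e in (parse_sudo_line(l) for l in text.splitlines()) if e]


def denied_events(text: str) -> list:
    """Only the records sudo refused (the 'This incident will be reported' cases)."""
    return [e for e in parse_secure_log(text) if e["denied"]]


if __name__ == "__main__":
    for e in parse_secure_log(SAMPLE_LOG):
        status = "DENIED " if e["denied"] else "allowed"
        print(f"{e['ts']} {status} {e['user']} -> {e['runas']}: {e['cmd']}")
```

Run against a real file with `parse_secure_log(open('/var/log/secure').read())`; the reason field also captures other refusals sudo writes in the same position, such as "command not allowed".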