Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
- 1 Rationale
- 2 Installation
- 3 Usage
- 4 Configuration
- 5 Tips and tricks
- 6 Debugging Sudo
- 7 Example Sudoers
Sudo is an alternative to su for running commands as root. Unlike su, which launches a root shell that allows all further commands root access, sudo instead grants temporary privilege escalation to a single command. By enabling root privileges only when needed, sudo usage reduces the likelyhood that a typo or a bug in an invoked command will ruin the system. Sudo can also be used to run commands as other users; additionally, sudo logs all commands and failed access attempts for security auditing.
To install sudo:
# pacman -Syu sudo
Use of sudo will be unavailable to users until configured.
With sudo, users can prefix commands with Template:Codeline to run them with superuser (or other) privileges. For example:
$ sudo pacman -Syu
See the sudo manual for more information.
The configuration file for sudo is Template:Filename. This file should not be edited directly! Instead, run
# EDITOR=nano visudo
The Template:Filename file should always be edited with the Template:Codeline command. Template:Codeline locks the Template:Filename file, saves edits to a temporary file, and checks that file's grammar before copying it to Template:Filename. It is imperative that Template:Filename be free of syntax errors since Template:Codeline will not run otherwise.
The default editor is Template:Codeline, which will be used if you do not preface the command with EDITOR=nano. You can use other editors, for example, Gedit:
# EDITOR=gedit visudo
You can permanently change the setting system-wide to e.g. Template:Codeline by appending
to your Template:Filename file. This won't take effect for already-running shells.
# Defaults specification # Reset environment by default Defaults env_reset # Set default EDITOR to vim, and do not allow visudo to use EDITOR/VISUAL. Defaults editor=/usr/bin/vim, !env_editor
Note you must still run the command Template:Codeline as root even if using a different editor.
To allow a user to gain full root privileges when he/she precedes a command with "sudo", add the following line:
USER_NAME ALL=(ALL) ALL
and/or to allow a user sudo access from the local machine only:
USER_NAME HOSTNAME=(ALL) ALL
and/or to allow members of group wheel sudo access requiring no password:
%wheel ALL=(ALL) NOPASSWD: ALL
where USER_NAME is the user name of the individual.
sudoers default file permissions
The owner and group for the sudoers file must both be 0. The file permissions should be set to 0440. These permissions are set by default, but if you accidentally change them, they should be changed back immediately.
# chown -c root:root /etc/sudoers # chmod -c 0440 /etc/sudoers
Password cache timeout
where the password expires for user USER_NAME if unused for over 20 minutes. Values between 0 and 1 are also allowed.
Tips and tricks
Enabling tab-completion in bash
Tab-completion, by default, will not work when a user is initially added to the sudoers file. For example, normally john only needs to type:
and the shell will complete the command for him as:
If, however, john is added to the sudoers file and he types:
the shell will do nothing.
To enable tab-completion with sudo, add the following to your Template:Filename:
complete -cf sudo
Alternatively, you could also install and enable bash-completion to get smarter tab-completion for commands like sudo, see bash#Auto-completion for more information.
Run X11 apps using sudo
To allow sudo to start graphical application in X11, you need to add
Defaults env_keep += "HOME"
Disable per-terminal sudo
If you are annoyed by sudo's defaults that require you to enter your password every time you open a new terminal, disable tty_tickets:
Environment variables (Outdated?)
If you have a lot of environment variables, or you export your proxy settings via export http_proxy="...", when using sudo these variables do not get passed to the root account unless you run sudo with the Template:Codeline option.
$ sudo -E pacman -Syu
Because of this you may wish to add an alias in Template:Filename:
alias sudo="sudo -E"
Another way of fixing this would be to add in Template:Filename:
If you want to just pass *_proxy variables, add the following:
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
Add /sbin and /usr/sbin to root's PATH
If you want to run administrative commands (those in /sbin or /usr/sbin) with sudo without using their full path, add:
This allows you to do:
$ sudo command
$ sudo /sbin/command
$ sudo /usr/sbin/command
If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your Template:Filename or Template:Filename:
alias sudo='sudo '
Users can configure sudo to display clever insults when an incorrect password is entered instead of printing the default "wrong password" message. Find the Defaults line in Template:Filename and append "insults" after a comma to existing options. The final result might look like this:
#Defaults specification Defaults insults
To test, type Template:Codeline to end the current session a let sudo ask for the password again.
Users can configure sudo to ask for the root password instead of the user password by adding "rootpw" to the Defaults line in Template:Filename:
Disable root login
With sudo installed and configured, users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password.
The account can be locked via Template:Codeline:
# passwd -l root
A similar command unlocks root.
$ sudo passwd -u root
Alternatively, edit Template:Filename and replace the root's encrypted password with "!":
To enable root login again:
$ sudo passwd root
kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file Template:Filename:
When disabling the root account, it is nessecary to change the policykit configuration for local authorification to reflect that. The default is to ask for root password, so that must be changed. With polkit-1, this can be achieved by editing /etc/polkit-1/localauthority.conf.d/50-localauthority.conf so that
is replaced by something else, depending on the system configuration. It can be a list of users and groups, for example
For more information, see man pklocalauthority
SSH TTY Issues
SSH does not allocate a tty by default when running a remote command. Without a tty, sudo cannot disable echo when prompting for a password. You can use ssh's "-tt" option to force it to allocate a tty. (use -tt twice).
The Defaults option requiretty only allows the user to run sudo if they have a tty
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. You have to run "ssh -t hostname sudo <cmd>". # #Defaults requiretty
Display User Privileges
You can find out what privileges a particular user has with the following command:
sudo -lU askapache
Or view your own with
Matching Defaults entries for askapache on this host: loglinelen=0, logfile=/var/log/sudo.log, log_year, syslog=auth, email@example.com, mail_badpass, mail_no_user, mail_no_perms, env_reset, always_set_home, tty_tickets, lecture=always, pwfeedback, rootpw, set_home User askapache may run the following commands on this host: (ALL) ALL, (ALL) NOPASSWD: /usr/sbin/lsof, /bin/nice, /bin/netstat, /usr/bin/su, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync, /usr/bin/strace, (ALL) /bin/nice, /bin/kill, /usr/bin/nice, /usr/bin/ionice, /usr/bin/top, /usr/bin/kill, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill, (ALL) /usr/sbin/gparted, /usr/bin/pacman (ALL) /usr/local/bin/synergyc, /usr/local/bin/synergys, (ALL) /usr/bin/vim, /usr/bin/nano, /usr/bin/cat (root) NOPASSWD: /usr/local/bin/synergyc
This is especially helpful for those using terminal multiplexers like screen, tmux, or ratpoison, and those using sudo from scripts/cronjobs.
Cmnd_Alias WHEELER = /usr/sbin/lsof, /bin/nice, /bin/ps, /usr/bin/top, /usr/local/bin/nano, /bin/netstat, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/nice, /usr/bin/ionice, /usr/bin/top, /usr/bin/kill, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill Cmnd_Alias EDITS = /usr/bin/vim, /usr/bin/nano, /usr/bin/cat, /usr/bin/vi Cmnd_Alias ARCHLINUX = /usr/sbin/gparted, /usr/bin/pacman, /usr/bin/pacman-color root ALL = (ALL) ALL askapache ALL = (ALL) ALL, NOPASSWD: WHEELER, NOPASSWD: PROCESSES, NOPASSWD: ARCHLINUX, NOPASSWD: EDITS Defaults !requiretty, !tty_tickets, !umask Defaults visiblepw, path_info, insults, lecture=always Defaults loglinelen = 0, logfile =/var/log/sudo.log, log_year, log_host, syslog=auth Defaults firstname.lastname@example.org, mail_badpass, mail_no_user, mail_no_perms Defaults passwd_tries = 8, passwd_timeout = 1 Defaults env_reset, always_set_home, set_home, set_logname Defaults !env_editor, editor="/usr/bin/vim:/usr/bin/vi:/usr/bin/nano" Defaults timestamp_timeout=360 Defaults passprompt="Sudo invoked by [%u] on [%H] - Cmd run as %U - Password for user %p:"