The sudo command is a special command used to execute commands with root privileges as a normal user, without logging in as the root user. The term sudo is short for “SuperUser Do” or “substitute user do”. This is not a security problem because, in order to execute commands as root, the user must already have been granted the required privileges in the /etc/sudoers file. If not, the user cannot execute commands with root privileges. The sudo command is also used to run commands with a different user's privileges. The sudo command provides root or superuser privileges only for the current command or application. This means sudo provides temporary administrative rights to the current normal user.
sudo was created in 1980 but gained popularity in 1994 with the unofficial fork called “CU sudo”. Then, after further development, bug fixes and integration with more Linux distributions, the name changed to “sudo”.
sudo Command Syntax
The sudo command is placed at the start of the command line, which means the root privileges are elevated before the command is executed.
sudo PARAMETER COMMAND
- PARAMETER is the sudo command parameters.
- COMMAND is the command which will be executed with root or different user privilege.
Although the sudo command has a lot of options or parameters, the most popular options are listed below.
|Option|Description|
|---|---|
|-b|Run command in the background|
|-E|Preserve the environment|
|-h|Display help information|
|-l|List allowed commands|
|-s|Run specified shell environment|
|-u|Run with specified user privileges other than root|
|-V|Print verbose or debug output|
Display sudo Command Help Information
The sudo command provides the -h option to list help information with the available options. Alternatively, the long form of the -h option, --help, can also be used to print help.
$ sudo -h
Run Command with Root Privilege
According to its syntax, the sudo command can be used to run different commands with root privileges like below. In the following example, we will print the /etc/passwd content using the cat command. Normally the passwd file can be only read by the root user. The current user's password will be asked for authentication. After successful authentication, the password will be cached and will not be asked again for a short period.
$ sudo cat /etc/passwd
The output is like below, where every user in the system is listed with information like login shell, user ID, home directory etc.
[sudo] password for ismail:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
Add User To Sudoers File
In order to use the sudo command, the current user should be added to the sudo configuration file named /etc/sudoers. This file stores the configuration of the sudo command, such as which user can run the sudo command and what privileges can be provided. The sudoers file can be edited in different ways, for example with a regular text editor, but the visudo command is provided to edit the sudoers file in a more appropriate way.
$ sudo visudo
For example, we can skip the password prompt on every sudo command execution for the user ismail with the following line. With this line, the user ismail can run every command as root or as other users without being asked for a password.
ismail ALL=(ALL) NOPASSWD:ALL
In the following configuration, we will enable passwordless execution but restrict the commands the user can run. The user can only run the /bin/mkdir and /bin/rmdir commands. The commands should be provided with their full (absolute) paths.
ismail ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdir
We can configure the sudo permissions for a specific Linux group. In the following example, we will give the admin group sudo privileges for all commands without a password.
%admin ALL=(ALL) NOPASSWD:ALL
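The rules above differ a lot in how much they hand out, so it is worth checking a policy for them mechanically. The following script is an added example, not part of the original article: it scans sudoers text for passwordless ALL grants and for commands given without an absolute path. The function names audit_sudoers and sample_policy and the sample policy itself are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the article): flag risky rules in sudoers text.

# sample_policy prints a constructed policy that mirrors the rules above.
sample_policy() {
    cat <<'EOF'
# constructed sample, not taken from a real system
Defaults env_reset
ismail ALL=(ALL) NOPASSWD:ALL
ismail ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdir
%admin ALL=(ALL) NOPASSWD:ALL
ali ALL=(ALL) NOPASSWD:rmdir
elif ALL=(ALL) ALL
EOF
}

# audit_sudoers reads sudoers text on stdin and prints one finding per line
# as <line>:<finding>:<user or %group>[:<command>].
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # settings and aliases
    {
        eq = index($0, "=")                          # who host = rest
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) list
        nopasswd = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)             # drop tags like NOPASSWD:
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            if (cmd == "ALL") {
                # Every command as root with no password prompt.
                if (nopasswd) print NR ":nopasswd-all:" $1
            } else if (cmd !~ /^[A-Z][A-Z0-9_]*$/ && substr(cmd, 1, 1) != "/") {
                # Not an alias name and not an absolute path.
                print NR ":relative-path:" $1 ":" cmd
            }
        }
    }'
}

sample_policy | audit_sudoers
```

To audit a real system, run it as root with the live file on standard input, for example audit_sudoers < /etc/sudoers.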
List Sudoer User Privileges and Rights
The sudo command provides the -l option to list the current user's sudoers configuration and privileges. This lists the secure paths for the current user, from which executables can be run securely. The commands available to the current user are also listed like below.
$ sudo -l
Run Command As Different User
Even though the sudo command is mainly used for executing commands with root privileges, it can also be used to execute commands with a different user's privileges. The -u option takes the username as a parameter. In the following example, we will execute the mkdir command as the user ali.
$ sudo -u ali mkdir /home/ali/backup
Sudo Environment Variables
As a command line or bash tool, the sudo command comes with useful environment variables. These environment variables are used to set current users and new user environments.
SUDO_ASKPASS is used to enable or disable asking password for the user.
SUDO_COMMAND is set to the command executed by sudo.
SUDO_EDITOR is the editor used to edit the sudoers file, which is nano in most cases.
SUDO_PROMPT is used as the default password prompt.
SUDO_UID stores the user id of the user who invoked sudo command.
Sudo Command Examples
In this part, we will go through some examples of popular use cases for the sudo command. In the following example, we will edit the index.html file with the www user's privileges.
$ sudo -u www vim /var/www/html/index.html
$ sudo -u www vim /var/www/html/index.php
$ sudo -u www vim /var/www/html/index.cgi
In the following example, the log files about the system will be displayed. Normally these log files are only viewed by the root and admin users.
$ sudo -u adm cat /var/log/syslog
We can edit the content of another user's home directory, such as a file. In the following example, we will change a file which is owned by the user ahmet and stored in ahmet's home directory.
$ sudo -u ahmet vim /home/ahmet/names.txt
The system can be shut down using the sudo command as a normal user like below.
$ sudo shutdown
If you want to change a different user's password and do not want to log in as this user or root, you can use sudo to change another user's password like below. In the following example, the password of the user named elif will be changed.
$ sudo -u elif passwd
Run Multiple Commands with sudo
A single sudo invocation may run multiple commands. This is mainly related to the bash feature where a single line may contain multiple commands separated with the ; character.
$ sudo sh -c "cd /home/ismail; mkdir backup; cd backup; touch text.txt"
Multiple commands can be also executed with different user privileges like below.
$ sudo -u ismail sh -c "cd /home/ismail; mkdir backup; cd backup; touch text.txt"
Compare su vs sudo Command
su is another command, which is used to change the current user to root or another user. It may seem that the su and sudo commands are the same, but they are not. The sudo command executes the given commands without changing the current user session, by changing only the command execution privileges. The su command, on the other hand, directly changes the current user session to the other user, and you cannot perform operations as the previous user until you change back to that user.
Messed Up with Sudoers File
You can edit the sudoers file in different ways. But the best way is using the visudo command, which will open the sudoers file with a default text editor. But if you create a regular text file and copy it as a sudoers file, and it contains a typing error, the sudoers file format will be corrupt and the sudoers file will not work. Please take the following suggestions into consideration when editing the sudoers file to prevent errors and malfunction.
- Do not edit the sudoers file directly; use the visudo command, which will check the edited sudoers file when exiting.
- If there is an error in the sudoers file and you cannot use the sudo command, use the su command, which will log in as the root user.
- If you made an error in the sudoers file, cannot run the sudo command, and are using this system as a VM, just shut down the system, mount the disk file and change the sudoers file.
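One way to follow the first suggestion when the new policy has been prepared as a separate file, as an added example that is not part of the original article: check the candidate with visudo -c -f before it replaces the live file, keep a backup, and install it with mode 0440. The function name replace_sudoers, the VISUDO override variable and the .bak suffix are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the article): never copy an unchecked file over
# /etc/sudoers. VISUDO can be overridden to point at another visudo binary.
VISUDO=${VISUDO:-visudo}

# replace_sudoers CANDIDATE [TARGET]
# Installs CANDIDATE as TARGET (default /etc/sudoers) only if visudo accepts it.
# Usage (as root): replace_sudoers /root/sudoers.candidate
replace_sudoers() {
    candidate=$1
    target=${2:-/etc/sudoers}

    # -c checks syntax only; -f points visudo at the candidate file instead
    # of the live policy. Parse errors are left on stderr for the operator.
    if ! "$VISUDO" -c -f "$candidate" >/dev/null; then
        echo "rejected: $candidate failed the syntax check; $target unchanged" >&2
        return 1
    fi

    # Keep the last known-good policy so a bad rule can be rolled back.
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak" || return 1
    fi

    # Stage next to the target with mode 0440, then rename into place so
    # sudo never reads a half-written file.
    staged=$target.new.$$
    install -m 0440 "$candidate" "$staged" && mv -f "$staged" "$target"
}
```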