Sudo

In Linux (and Unix in general), there is a SuperUser named Root. The Windows equivalent of Root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system.

Ideally, you should run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily Root, but most of the time it is a regular user.

By default, the Root account password is locked in Ubuntu, and therefore in Vinux. This means that you cannot log in as Root directly or use the su command to become the Root user.

Please keep in mind, a substantial number of Vinux users are new to Linux. There is a learning curve associated with any OS and many new users try to take shortcuts by enabling the root account, logging in as root, and changing ownership of system files.

Advantages and Disadvantages

Benefits of using sudo

  1. The Ubuntu installer has fewer questions to ask.
  2. Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).
  3. It avoids the "I can do anything" interactive login by default (e.g. the tendency of users to log in as an "Administrator" user on Microsoft Windows systems). You will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
  4. sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
  5. Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
  6. It allows admin rights to be granted and revoked easily, for a short or a long period, by adding users to and removing them from groups, without compromising the Root account.
  7. sudo can be set up with a much more fine-grained security policy.
  8. The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
  9. The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.
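The audit trail mentioned in benefit 4 can be summarised with a short script. This is an added example, not part of the original wiki page; the log lines, host name and user names are constructed, and the line layout is assumed to be the usual syslog format sudo writes to /var/log/auth.log.

```shell
#!/bin/sh
# Added example: summarise sudo activity from auth.log-style lines.
# The sample lines below are constructed; users and host are hypothetical.

sample_auth_log() {
cat <<'EOF'
Jan 28 20:58:11 vinux sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/chown bob:bob /home/bob/notes.txt
Jan 28 20:58:11 vinux sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 28 20:59:30 vinux sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/networking restart
Jan 28 21:01:40 vinux sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tee -a /root/somefile
Jan 28 21:03:02 vinux sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

# Print one tab-separated record per sudo command: status, user, run-as, command.
# Reads the named files, or stdin when none are given.
audit_sudo() {
    awk '
    {
        # Find the "sudo:" tag so both classic and ISO timestamps work.
        tag = 0
        for (i = 1; i <= NF; i++) if ($i == "sudo:") { tag = i; break }
        c = index($0, " ; COMMAND=")
        u = index($0, " ; USER=")
        f = index($0, " ; ")
        if (!tag || !c || !u || u > c) next      # PAM/session lines etc.
        user  = $(tag + 1)
        runas = substr($0, u + 8, c - u - 8)
        sub(/ ; .*/, "", runas)                  # drop GROUP= and similar fields
        cmd   = substr($0, c + 11)
        head  = substr($0, 1, f)                 # status text never comes from the command
        status = "ok"
        if (head ~ /incorrect password attempt/) status = "BADPASS"
        else if (head ~ /NOT in sudoers|command not allowed/) status = "DENIED"
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }' "$@"
}

# Count rejected attempts per user, highest count first.
sudo_failures() {
    audit_sudo "$@" | awk -F '\t' '$1 != "ok" { n[$2]++ }
        END { for (u in n) printf "%d\t%s\n", n[u], u }' | sort -rn
}
```

On a real system, run `sudo_failures /var/log/auth.log` from an account allowed to read that file. The status is taken only from the part of the line before the first " ; ", so text typed as part of a command cannot make a successful entry look like a rejected one.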

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

  1. Redirecting the output of commands run with sudo requires a different approach. For instance, sudo ls > /root/somefile will not work, since it is your own shell, not sudo, that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
  2. In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or fix it in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password, is needed here. The local user account should have its $HOME on a local disk, not on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.

Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.

Usage

When you use sudo, it remembers that you have authenticated for 15 minutes by default. After that time, you will need to enter your password again.

Your password will not be shown on the screen as you type it, not even as a row of stars. It is being entered with each keystroke!

Sudo

To use sudo on the command line, preface the command with sudo, as below:

Example #1

sudo chown bob:bob /home/bob/* 

Example #2

sudo /etc/init.d/networking restart

To repeat the last command entered, except with sudo prepended to it, run:

sudo !! 

Graphical sudo

You should never use normal sudo to start graphical applications as Root. You should use gksudo to run such programs. gksudo sets HOME=~root, and copies .Xauthority to a tmp directory. This prevents files in your home directory becoming owned by Root. (AFAICT, this is all that's special about the environment of the started process with gksudo vs. sudo).

Examples:

gksudo gedit /etc/fstab

Adjusting Sudo Behavior

In Ubuntu, and thus Vinux, pretty much anything that a typical user will want or need to do is possible using sudo to gain admin privileges. This is what is needed on a single-user system, but perhaps you share a computer with a co-worker or family member. You can create an account for them and control what they can and can't do according to the confidence you have in them and their abilities. For example, you may want to give your kid the capability to read any file on the computer, but not allow modifications or let her/him install or remove system software. You may run some command frequently, perhaps via an alias to save on typing, that has little or no chance of doing anything to harm your system or data, and not want to be prompted for your password to run it. Or you may wish to change the frequency of password prompts.

While advanced sys-admin tasks are not the focus of this wiki, a bit of sudo configuration can help even less experienced Linux users. The main way to configure sudo behavior is editing a sudoers file. While creating per-user sudoers files is generally recommended for more complex systems, it is probably more common to modify /etc/sudoers for less complex situations.

Very Important: You can break essential functionality by incorrectly modifying sudoers files. Although you can use normal editing methods to change sudo configuration, there is a special tool called visudo that checks for improper syntax before sudoers changes are saved.

Visudo

The visudo tool checks for syntax errors before saving changes to sudoers files. It works with standard text editors. I think the "vi" in "visudo" stands for the VI text editor, but visudo works with the editor of your choice; by default the system's default editor is used. To change the editor you use with visudo, run commands like

export EDITOR=ed
sudo -E visudo

to use ed as the default editor for the life of the session in the active terminal or console. export is a shell built-in, so it is run without sudo, and the -E option asks sudo to pass your environment, including EDITOR, through to visudo. Replace ed with another editor if desired,

export EDITOR=nano

for example.
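The scenarios listed under "Adjusting Sudo Behavior" (a read-only account, a command that runs without a password prompt, a different prompt frequency) can be written as a small sudoers drop-in and checked with visudo before it goes live. This is an added example, not part of the original wiki page; the user names kid and alice, the file name 90-family and the command paths are assumptions, and it relies on /etc/sudoers including the /etc/sudoers.d directory, as Ubuntu's default file does.

```shell
#!/bin/sh
# Added example: stage a sudoers drop-in, syntax-check it, then install it.
# User names (kid, alice), the file name and command paths are assumptions;
# confirm each path with "command -v" on your own system.

# Write the candidate policy to a staging file ($1), never straight to /etc.
write_dropin() {
    cat > "$1" <<'EOF'
# Ask for the password again after 5 minutes instead of the default 15.
Defaults timestamp_timeout=5

# kid may read files as root with cat but gets no other root commands.
# Root read access covers secrets too, so grant it only where trusted.
kid ALL=(root) /bin/cat

# alice may refresh the package lists without a password prompt.
alice ALL=(root) NOPASSWD: /usr/bin/apt-get update
EOF
    chmod 0440 "$1"
}

# Install staged file $1 as /etc/sudoers.d/$2 only if visudo accepts it.
# Run as root; a rejected file leaves the live configuration untouched.
install_dropin() {
    if ! visudo -c -f "$1"; then
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Typical use, from a root shell:
#   write_dropin /root/90-family.staged
#   install_dropin /root/90-family.staged 90-family
```

Keep a second root shell open while testing a new rule, so that a mistake in policy (as opposed to syntax, which visudo catches) can still be undone.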

sudo.txt · Last modified: 2014/01/28 21:07 by Burt Henry