7 Useful steps to configure ‘sudo’ in Linux

John Gomez
7 min read · Jun 11, 2020

Sudo stands for SuperUserDo and is a default utility on Unix and Linux based systems. In Linux, normal users are not allowed to execute administrative commands. With sudo, we can allow a regular user to run any application or command as the root user, or permit specific users to run only a few commands. Only users who have an entry in ‘/etc/sudoers’ (the main configuration file for sudo) are granted permission to run commands with the sudo prefix.

Using the root account for day-to-day activities is quite dangerous, as it has full privileges to perform any kind of action on the system. An accident such as a typo while executing a command can easily destroy the entire system, with no scope for recovery except re-installation. There are many risks like this, so it is better to avoid using the root account except in the specific situations that explicitly require it. Therefore, it is always recommended to use a normal account with sudo privilege instead of root. Sudo adds some extra security checks: when we execute an administrative command, it asks the user to authenticate, and the user has to enter their own password before the command is executed.

In most Linux distros, we can grant the sudo privilege by simply adding users to the sudo group. The name of the sudo group in Redhat/Centos/Fedora is “wheel”, which is mostly enabled by default. If it is not, edit the /etc/sudoers file by using the ‘visudo’ command in the terminal, or access the file directly with ‘vi’ or ‘vim’. The following three entries in the sudoers file each provide the privilege to use the sudo prefix.

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## It means the user with root privilege can execute all commands as root

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## It means all users that belong to the wheel group can execute all commands as root

## Allows the given user to run all commands
username ALL=(ALL) ALL

## It means only the given user can execute all commands as root

In this article, we will see the steps for sudoers configuration on a Linux system. It will help desktop users, developers, and system admins. The steps in this guide were tested on RHEL and CentOS 7.8. You can use this guide for all versions of RHEL, CentOS, and Fedora, and it will be mostly identical for other distros.

Prerequisites :

Operating System : CentOS 7
package : sudo
User account : root user or another account with sudo privileges
Access Point : Terminal Access / Command Line Interface

By default, all Linux distros come with a pre-installed package of sudo. You can check whether the packages are available or not in the system by using the following commands from the given options:

Option -A: Open your terminal, type ‘sudo’ without quotes, and press Enter.

Output: If the sudo package is not installed on the system, it will display output like the following:

-bash: /usr/bin/sudo: No such file or directory

If the package is available in the system, then it will display the result as below:

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file …

Option -B: To check the package by using yum or rpm utilities.

# yum list installed | grep sudo OR # rpm -qi sudo

libsss_sudo.x86_64 1.16.4-37.el7 @anaconda
sudo.x86_64 1.8.23-9.el7 @base

In the above output, you can see that the sudo package is present on the system. If it is not, the command displays either a blank message or a “package sudo is not installed” message. To install the packages, we can use the following ‘yum’ command. Yum is a very powerful utility in Linux for many package management tasks. To find more about yum command, click here.

1. Find one of the following options to create a new user with sudo privilege

(i) Use the following command to create a new user in Linux

# useradd linuxteck

# passwd linuxteck (create a password)

(ii) Now we can add the new user (linuxteck) to the wheel group

# usermod -aG wheel linuxteck

Instead of using the above steps ( i and ii ), we can also use the following command in a single line to create a new sudo user. There are many methods to create a user in Linux. If you need to brush-up the ‘useradd’ related commands in Linux click here

# useradd -G wheel linuxteck

(iii) Now, we can use the ‘id’ command to get the user and group information of the newly created user (linuxteck)

uid=1005(linuxteck) gid=1005(linuxteck) groups=1005(linuxteck),10(wheel)

(iv) Now we can test the sudo prefix with the new user account. For that, we use ‘su’ command to switch user account from root to the standard user (linuxteck) account OR open a different terminal and log in as a new user. Here I will use the 1st option.

# su - linuxteck ## To switch

$ ## After switching

total 48
dr-xr-x---. 5 root root 245 May 31 14:40 .
dr-xr-xr-x. 17 root root 224 May 22 09:01 ..
-rw-------. 1 root root 1865 May 22 09:03 anaconda-ks.cfg
-rw-------. 1 root root 2955 Jun 5 23:13 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
drwx------. 4 root root 31 May 22 09:06 .cache
drwx------. 4 root root 30 May 22 09:06 .config
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwx------. 3 root root 25 May 22 09:04 .dbus
-rw-r--r--. 1 root root 15264 Sep 18 2019 epel-release-latest-7.noarch.rpm
-rw-r--r--. 1 root root 1913 May 22 09:05 initial-setup-ks.cfg
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc

2. How to permit a particular user to run/execute only specific commands as sudo?

In this example, we grant the user “john” permission to execute only a single command, “systemctl restart network”, as sudo. For a better understanding, let’s execute that command both with and without the sudo privilege.

(i) Without privilege:

$ sudo systemctl restart network
[sudo] password for john:

john is not in the sudoers file. This incident will be reported.

(ii) With privilege:

john ALL = /usr/bin/systemctl restart network

john ALL = /usr/bin/systemctl restart network,/usr/bin/systemctl status network

3. How to permit users to run/execute a command using sudo without a password check?

john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart network,/usr/bin/systemctl status network
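An audit of the kinds of grants shown in sections 2 and 3, as an added example that is not part of the original article: it lists every rule that skips the password prompt or allows all commands. The function names and the "deploy" rule in the sample are made up for illustration; the other sample lines are the entries from this article.

```shell
#!/bin/sh
# Added example: list sudoers grants that skip the password prompt or allow
# every command. Reads sudoers text, prints "line:who:finding" per hit.
# Include directives and alias definitions are skipped, not expanded.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ || /^[ \t]*[A-Za-z]+_Alias/ { next }
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            nopass = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z_]+:[ \t]*/, "", spec)     # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            all = 0
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") all = 1
            if (nopass && all)  print NR ":" $1 ":NOPASSWD_ALL"
            else if (all)       print NR ":" $1 ":ALL_COMMANDS"
            else if (nopass)    print NR ":" $1 ":NOPASSWD"
        }
    ' "$@"
}

# Constructed sample: grants from this article plus one made-up "deploy" rule.
sample_sudoers() {
    cat <<'EOF'
## constructed sample, not a real /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart network,/usr/bin/systemctl status network
britto ALL = (john) /usr/bin/systemctl status network
Defaults:linuxteck timestamp_timeout=15
deploy ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

On a real host the same function can read a copy of the file directly, for example `audit_sudoers /etc/sudoers` run as root.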

4. How to modify the default sudo password prompt timeout?

Defaults:linuxteck timestamp_timeout=15

5. How to run the command as another user with sudo prefix?

britto ALL = (john) /usr/bin/systemctl status network

Save and close the file using ‘:wq’

$ sudo -u john systemctl status network
[sudo] password for britto:

● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
Active: active (exited) since Sun 2020-06-07 11:22:58 IST; 11h ago
Docs: man:systemd-sysv-generator(8)
Process: 5844 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 6016 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
Tasks: 0

6. How to create a customised log file for sudo?

Just add the following entry to the sudoers file to achieve this task

Defaults logfile="/var/log/sudo.log"

Jun 7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
COMMAND=/bin/bash
Jun 7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
COMMAND=/bin/systemctl status network
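A check over this log format, as an added example that is not part of the original article: it re-joins the wrapped entries and reports shells started as root, since sudo records only the shell launch and not the commands typed inside it. The function names are made up for illustration, and the third sample entry is constructed; the first two are the entries shown above.

```shell
#!/bin/sh
# Added example: find root shells in the sudo logfile format shown above.
# sudo wraps long entries; a line without a leading timestamp continues
# the previous entry, so entries are re-joined before matching.
root_shells() {
    awk '
        function emit(   parts, words, path, n, cmd, runas, at) {
            if (entry == "") return
            at = index(entry, "COMMAND=")
            if (at > 0) {
                split(entry, parts, / : /)          # time : user : details
                cmd = substr(entry, at + 8)
                runas = ""
                if (match(entry, /USER=[^ ;]+/))
                    runas = substr(entry, RSTART + 5, RLENGTH - 5)
                split(cmd, words, " ")
                n = split(words[1], path, "/")      # basename of the program
                if (runas == "root" && path[n] ~ /^(sh|bash|dash|ksh|zsh|csh|tcsh)$/)
                    print parts[1] "|" parts[2] "|" cmd
            }
            entry = ""
        }
        { gsub(/^[ \t]+|[ \t]+$/, "") }             # trim each physical line
        /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ : / { emit(); entry = $0; next }
        entry != "" { entry = entry " " $0 }
        END { emit() }
    ' "$@"
}

# Sample input: the two entries from this article, then one constructed
# single-line entry where the shell runs as john rather than root.
sample_sudo_log() {
    cat <<'EOF'
Jun 7 23:54:45 : linuxteck : TTY=pts/0 ; PWD=/home/linuxteck ; USER=root ;
COMMAND=/bin/bash
Jun 7 23:55:08 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ;
COMMAND=/bin/systemctl status network
Jun 8 00:10:02 : britto : TTY=pts/2 ; PWD=/home/britto ; USER=john ; COMMAND=/bin/sh
EOF
}

sample_sudo_log | root_shells
```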

How can we use sudo command in Linux

The Global Syntax of sudo command in Linux:

7. How to verify if a user belongs to sudoer or not?

User britto is not allowed to run sudo on centos.

Matching Defaults entries for john on centos:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User john may run the following commands on centos:
(ALL) NOPASSWD: /usr/bin/systemctl restart network, /usr/bin/systemctl status network

Thank you for taking the time to read! I hope this article will help you to understand the 7 useful sudoers configurations for setting up ‘sudo’ in Linux. Drop me your feedback/comments. If you like this article, kindly share it, as it may help others as well.

Thank you!

Originally published at https://www.linuxteck.com on June 11, 2020.


John Gomez is a Professional Blogger and Linux consultant. You can find his work at https://www.linuxteck.com
