visudo

What is the sudo command in Linux?

On a typical Linux server you have three types of users:

  • the super (root) user has full access to the server
  • a system user (non-interactive) has limited access to the server
  • a normal user (interactive) has limited access to the server

The root (super) user has administrative permissions and can perform all operations or run any command on a server, while a normal user cannot run all commands.

Sometimes you may want multiple users to log in to your server and perform different operations. Some of them may need to run specific commands that a normal user does not have access to.

The sudo utility is designed to solve this problem. Normally a sudo user can run all commands, but in some cases we want a normal user to have access to specific commands only.

What is the /etc/sudoers file?

The /etc/sudoers file controls who can run what commands. A normal Linux user cannot run all commands; if you want such a user to run privileged commands, you can define them in the /etc/sudoers file.

The sudo command allows a user to execute a command as another user. In practice, it lets normal users execute commands usually reserved for the root user.

The visudo command is a safe and secure way of editing the /etc/sudoers file on a Linux system: it locks the file against simultaneous edits and checks the syntax before saving.

The /etc/sudoers file can contain four basic types of alias:

  • User_Alias
  • Runas_Alias
  • Host_Alias
  • Cmnd_Alias

User Aliases

User aliases are used to specify groups of users. You can specify usernames, system groups (prefixed by a %) and netgroups (prefixed by a +) as follows:

 # setting ADMINS alias for system group admin
 User_Alias ADMINS = %admin

 # DEVS alias is set for users sandip, john and brad
 User_Alias DEVS = sandip, john, brad

 # DEVOPS alias set for users sandip and mac
 User_Alias DEVOPS = sandip, mac

 # You can also use ! to exclude users from an alias
 # (USERS must itself be a User_Alias defined elsewhere in the file)
 User_Alias LIMITED_USERS = USERS, !DEVS, !DEVOPS

Runas Aliases

Runas aliases are almost the same as user aliases, but you are also allowed to specify users by UID.

 # UID 0 is normally used for root
 # Note the hash (#) on the following line indicates a uid, not a comment.
 Runas_Alias ROOT = #0

 # setting ADMINS alias for system group admin
 # with the addition of "root"
 Runas_Alias ADMINS = %admin, root

Host Aliases

A host alias is a list of hostnames, IP addresses, networks and netgroups (prefixed with a +).

 # This is all the servers
 Host_Alias SERVERS = 192.168.0.1, 192.168.0.2, server1

 # This is the whole network
 Host_Alias NETWORK = 192.168.0.0/255.255.255.0

 # And this is every machine in the network that is not a server
 Host_Alias WORKSTATIONS = NETWORK, !SERVERS

Command Aliases

Command aliases are lists of commands and directories. If you specify a directory, it includes any file within that directory but not in any subdirectories.

 # Commands to start and stop the httpd service
 Cmnd_Alias HTTPD_CMDS = /sbin/service httpd start, /sbin/service httpd stop

 # Web commands
 Cmnd_Alias APACHE_CMDS = /etc/init.d/apache2

Sample /etc/sudoers file

Let's look at one example of this file's content. The following rule gives the ubuntu user full access: once logged in, the user can run any command as any user without being asked for a password.

# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL
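
The aliases defined earlier can be combined into a rule that is much narrower than the sample above. The following is an added example, not part of the original page; it reuses the page's DEVOPS, SERVERS, ROOT and HTTPD_CMDS aliases, and the choice to pair them in one rule is an assumption made for illustration.

```sudoers
# Added example (not from the original page); edit with visudo.

# Aliases as defined earlier on this page
User_Alias  DEVOPS     = sandip, mac
Host_Alias  SERVERS    = 192.168.0.1, 192.168.0.2, server1
# The hash (#) below marks a uid, not a comment
Runas_Alias ROOT       = #0
Cmnd_Alias  HTTPD_CMDS = /sbin/service httpd start, /sbin/service httpd stop

# Broad rule from the sample above, shown commented out for comparison:
# any host, any target user, any command, no password prompt.
# ubuntu ALL=(ALL) NOPASSWD:ALL

# Scoped rule, in the form:  who  where = (as whom) what
# sandip and mac may run only the two httpd commands, only as uid 0,
# only on the listed servers. Without NOPASSWD, sudo asks for the
# invoking user's own password.
DEVOPS  SERVERS = (ROOT) HTTPD_CMDS

# Because the alias lists the arguments, they must match exactly:
#   sudo /sbin/service httpd start      -> allowed
#   sudo /sbin/service httpd restart    -> refused
```

Running `visudo -c` afterwards checks the file for syntax errors without opening an editor.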