Sudo (sometimes said to stand for Super-user do) is a program designed to let system administrators allow some users to execute some commands as root (or any other user). The basic philosophy is to give as few privileges as possible. Sudo can also be used to log which user ran a command and when.
Reasons people do and do not use sudo
Why some people do not use sudo
Historically, Unix-like systems did not use sudo. Allowing sudo access creates a risk of damage, whether through mistakes or through bugs in the sudo program itself, and may encourage people to run commands as root by making it 'too easy' to gain privileges.
Many Debian administrators do not install sudo. Instead, they run commands as root (for example with su - from a normal user account) when they need to. This avoids needing to type "sudo" in front of every command.
Why some people use sudo
Using sudo could be more familiar to newer users coming from other distributions. It is better (safer) than allowing a normal user to open a session as root because:
- Nobody needs to know the root password (sudo prompts for the current user's password).
- Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.
- It's easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.
- Auditing/logging: when a sudo command is executed, the original username and the command are logged.
For the reasons above, switching to root using sudo -i (or sudo su) is usually discouraged because it cancels most of the features listed above.
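To make use of the logging point above, the following added example (not from this wiki page or the sudo project) parses the lines sudo writes to syslog/auth.log, reports refused invocations, and flags accepted commands that open a root shell, the sudo -i / sudo su case that escapes further per-command auditing. The log lines are constructed samples in sudo's standard format.

```python
import os
import re

# One regex for the line sudo sends to syslog for every invocation, accepted or
# refused (when refused, a reason such as "command not allowed" precedes TTY=).
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Commands that hand the caller an interactive root session, after which sudo
# logs nothing more (the sudo -i / sudo su case discussed above).
SHELLS = {"su", "sh", "bash", "dash", "zsh"}

# Constructed sample lines in the format the sudo package writes to auth.log.
SAMPLE_LOG = [
    "Mar  3 10:14:02 debian sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/apt install sudo",
    "Mar  3 10:15:11 debian sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/su -",
    "Mar  3 10:16:40 debian sudo:      deb : command not allowed ; TTY=pts/1 ; PWD=/home/deb ; USER=root ; COMMAND=/usr/bin/test",
    "Mar  3 10:17:05 debian sudo:      deb : TTY=pts/1 ; PWD=/home/deb ; USER=root ; COMMAND=/usr/sbin/piuparts",
    "Mar  3 10:18:00 debian sudo:     jdoe : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:18:30 debian sshd[1234]: Accepted publickey for jdoe from 192.0.2.10 port 50000",
]

def parse_sudo_line(line):
    """Return a dict (user, reason, tty, pwd, runas, cmd, denied), or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].strip()
    rec["denied"] = rec["reason"] is not None  # a reason only appears on refusals
    return rec

def is_root_shell(rec):
    """True when an accepted command runs a shell (or su) as root."""
    if rec["denied"] or rec["runas"] != "root":
        return False
    first_word = (rec["cmd"].split() or [""])[0]
    return os.path.basename(first_word) in SHELLS

def audit(lines):
    """Collect (kind, user, detail, command) findings: refusals and root shell escapes."""
    findings = []
    for rec in filter(None, map(parse_sudo_line, lines)):
        if rec["denied"]:
            findings.append(("denied", rec["user"], rec["reason"], rec["cmd"]))
        elif is_root_shell(rec):
            findings.append(("root-shell", rec["user"], "interactive shell as root", rec["cmd"]))
    return findings
```

On a real system, feed audit() the lines of /var/log/auth.log (or journalctl output for the sudo unit) instead of SAMPLE_LOG.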
Installing sudo
Unlike other distributions such as Ubuntu, Debian does not require sudo to be installed at all.
To install sudo you need to become root using, for example, the su command, install the sudo package, add your user to the sudo group and then log out and then log in again.
If a root password was not set during your Debian installation, the normal user account that was created at installation will be able to run 'sudo' with no password: log in as that account and run sudo passwd to set a root password before continuing.
$ su --login
Password: ## (enter here the password of the root user that you specified during your Debian installation, and press Enter)
# apt install sudo
# adduser jhon-smith sudo
(Obviously replace "jhon-smith" with your personal username)
Then log out and log back in again.
Configuring sudo
The main sudo configuration file is /etc/sudoers. This file is read-only, even for root: there is a visudo command which allows root to edit the file but it is better to put local configuration in a new file in /etc/sudoers.d. Using /etc/sudoers.d/ will ensure local changes remain in effect, even if the Debian package maintainer changes /etc/sudoers in a new version of the sudo package.
The example below sets up a clean environment, including a secure path; allows the root user to run any command; allows any members of the sudo group to run any command as root; allows the user deb to run the piuparts command; and loads other configuration from the files in /etc/sudoers.d.
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults use_pty
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deb ALL=/usr/sbin/piuparts
@includedir /etc/sudoers.d
The percent sign (%) is used to indicate a group in the configuration file (see the %sudo line above). By default Debian does not provide a wheel group, unlike the BSD family of operating systems.
Requiring the root password
If you want to require the root password for use of sudo, rather than the user's password, add the line:
Defaults rootpw
to a file in /etc/sudoers.d.
Not requiring any password
If you want sudo group members to execute commands without any password (which is usually a bad idea), add the line:
%sudo ALL=(ALL) NOPASSWD: ALL
to a file in /etc/sudoers.d. Be aware that this will allow anyone compromising that user account to obtain root access very easily.
Customizing the timeout period
By default, after asking for a password, your credentials are cached by sudo for 15 minutes. You can change this behavior by setting a different timeout for a specific user:
Defaults:foobar timestamp_timeout=30
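The drop-in files described above are only honoured when their name contains no '.' and does not end in '~' (the @includedir rule in sudoers(5)), and NOPASSWD grants and never-expiring credentials (a negative timestamp_timeout) are the settings this page warns against. The following added checker (not part of the Debian wiki or the sudo package) tests a drop-in's name and flags those settings; the sample drop-in is constructed and the line shapes it parses are the ones used on this page.

```python
import re

# user-spec shape as used on this page: who host=(runas) [TAG:] commands
USERSPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed drop-in mixing the safe lines from the page with two risky ones.
SAMPLE_DROPIN = """\
# hypothetical /etc/sudoers.d/local
Defaults env_reset
Defaults use_pty
Defaults:foobar timestamp_timeout=-1
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
deb ALL=/usr/sbin/piuparts
"""

def dropin_name_ok(name):
    """@includedir ignores files whose name contains '.' or ends with '~' (sudoers(5))."""
    return "." not in name and not name.endswith("~")

def lint_sudoers(text):
    """Return (line_number, message) pairs for the settings this page warns about."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        if line.startswith("Defaults"):
            # "Defaults:foobar" scopes the setting to user foobar
            scope = line.split()[0].partition(":")[2] or "all users"
            if "timestamp_timeout=" in line and float(line.rsplit("=", 1)[1]) < 0:
                findings.append((n, f"cached credentials for {scope} never expire"))
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            findings.append((n, "unparsed entry; check the file with visudo -c -f"))
            continue
        if "NOPASSWD:" in m["tags"].replace(" ", ""):
            findings.append((n, f"NOPASSWD grant for {m['who']}: {m['cmds']}"))
        if m["cmds"].strip() == "ALL" and not m["who"].startswith("%") and m["who"] != "root":
            findings.append((n, f"user {m['who']} may run any command"))
    return findings
```

This only looks for the risky settings named on this page, not for syntax errors; still run visudo -c -f on the file before installing it.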
Granting sudo access
Debian's default configuration allows users in the sudo group to run any command via sudo.
Verifying sudo membership
Once logged in as a user, you can verify whether or not the user belongs to the sudo group using either the id or the groups command. For example, a user named foo should see:
$ groups
foo sudo
If sudo is not present in the output, the user does not belong to the sudo group. Similarly, the output of the id command should look something like:
uid=1001(foo) gid=1001(foo) groups=1001(foo),27(sudo)
Add a user from the command line
To add an existing user named foo to the sudo group:
$ sudo adduser foo sudo
Alternatively, you can first get root (e.g., sudo su -) and then run the same commands without the sudo prefix:
# adduser foo
# adduser foo sudo
After being added to a new group the user must log out and then log back in again for the new group to take effect. Groups are only assigned to users at login time. A common source of confusion is that people add themselves to a new group but do not log out and back in again, and then have problems because the group is not assigned; be sure to verify group membership.
Creating users with sudo access
Creating a new user with sudo access while installing Debian
As of DebianSqueeze, if you give root an empty password during installation, sudo will be installed and the user account that was created at installation will be able to use sudo to gain root access (it will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.
Creating a new user with sudo access from the command line
A user that already has sudo can create another user (for example foo) with sudo group membership from the command line (Debian's adduser takes the group as a second argument rather than a -G option):
$ sudo adduser foo
$ sudo adduser foo sudo
(or first get root as in the previous section). You should then log in as the new user and verify group membership.
Problems and tips
Sorry, user jdoe is not allowed to execute ...
If you get an error like this:
$ sudo test
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jdoe:
Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.
This message means what it says: the user you're running as isn't allowed to execute the given command on the given machine. One confusing possible reason for this is that the administrator has just added user jdoe to a privileged group - but you're still using the old login, which doesn't have that new group information, and therefore has no new sudo-ing rights. People in this situation are usually advised to log out completely and back in again, though you can sometimes get away with just performing a "re-login on the spot" with su - $USER or changing group with newgrp sudo.
sudoers is read-only
Yes, the file /etc/sudoers is intentionally set read-only, even for root!
The explanation is that it was set up this way to motivate admins to only ever edit it via the visudo command, which provides additional checking before leaving the new file in place. You might think that the fix for a mangled /etc/sudoers is as simple as su -c visudo, but sudo is often used in places where simply su'ing to root is not possible because you don't know the root password.
Beware, most text editors will let you edit the file without complaining about the read-only bit, so you might not automatically get this additional protection.
See also
Manpages: sudoers(5), sudo(8), visudo(8), sudoedit(8), sudoreplay(8)
Doas - A lighter and more minimalistic tool for the same purpose, with simpler configuration.
