Differences between revisions 13 and 51 (spanning 38 versions)
Revision 13 as of 2009-08-30 05:23:47
Size: 4387
Editor: GeoffSimmons
Comment: Minor DebianBug reformatting.
Revision 51 as of 2021-05-18 06:10:46
Size: 10676
Comment: add categories
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#language
[[root]]
----
~+Sudo+~ is a program designed to let system administrators allow some users to execute some commands as [[root]] (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log root activities: who ''sudo'' which command, and when.

{{{{#!wiki tip
== Sudo isn't enabled by default on Debian ==
Strictly speaking, {{{sudo}}} is installed and enabled (if you installed the Desktop task during the installation). However no rights are granted by default in Debian (as opposed to some others distributions).

'''How to execute a command as root: (in a default Debian installation)'''
 * When you installed the system, you chose a password for the {{{root}}} account.
 * Gnome prompts for that password (for the ''Administrative account'') when you launch a program that configures the system.
 * To execute a command as {{{root}}}, open a terminal as root ({{{Applications > Accessories > Root Terminal}}}), or run {{{su}}} from a regular terminal.
(Note: DebianTesting (Squeeze): will introduced a similar tool, [[PolicyKit]], targeted for Desktop/Laptop needs).
}}}}
#language en
##TRANSLATION-HEADER-START
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: [[ar/sudo|العربية]] - English - [[es/sudo|Español]] - [[fr/sudo|Français]] - [[it/sudo|Italiano]] - [[ru/sudo|Русский]]-~
##TRANSLATION-HEADER-END
----
[[Root]] > sudo
----
~+Sudo+~ (sometimes considered as short for '''S'''uper-'''u'''ser '''do''') is a program designed to let system administrators allow some users to execute some commands as [[root]] (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log who ran which command and when.

== Why sudo? ==
Using {{{sudo}}} is better (safer) than opening a session as root for a number of reasons, including:
 * Nobody needs to know the root password ({{{sudo}}} prompts for the current user's password). Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.
 * It's easy to run only the commands that require special privileges via {{{sudo}}}; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.
 * Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, ''switching'' to root using {{{sudo -i}}} (or {{{sudo su}}}) is usually discouraged, because it forfeits the benefits listed above.

== Users and sudo ==

Debian's default configuration allows users in the `sudo` group to run any command via `sudo`.

=== Verifying sudo membership ===

Once logged in as a user, you can verify whether or not the user belongs to group=`sudo` using either the {{{id}}} or {{{groups}}} commands. E.g., a user with id=`foo` should see output from

 {{{#!plain
$ groups
}}}

like

 {{{#!plain
foo sudo
}}}

If `sudo` is not present in the output, the user does not belong to that group. Similarly, the more complex and variable output from command=`id` should look something like

 {{{#!plain
uid=1001(foo) gid=1001(foo) groups=1001(foo),27(sudo)
}}}

==== Add existing user from commandline ====

To add an existing user with id=`foo` to group=`sudo`:

 {{{#!plain
$ sudo adduser foo sudo
}}}

Alternatively, you can first get root (e.g., `sudo su -`) and then run the same commands without prefix=`sudo`:

 {{{#!plain
# adduser foo
# adduser foo sudo
}}}

After being added to a new group the user must log out and then log back in again for the new group to take effect. Groups are only assigned to users at login time. A common source of confusion is that people add themselves to a new group, do not log out and back in again, and then have problems because the group is not assigned; be sure to [[#Verifying_sudo_membership|verify group membership]].

=== Creating users with sudo ===

You can also create new users with `sudo` membership:

==== Creating new user while installing OS ====

As of DebianSqueeze, if you give root an empty password during installation, {{{sudo}}} will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the '''sudo''' group). The system will also configure {{{gksu}}} and {{{aptitude}}} to use {{{sudo}}}. You should still [[#Verifying_sudo_membership|verify group membership]] after logging in as the installed user.

==== Creating new user from commandline ====

A user who already has `sudo` can create another user (example id=`foo`) with `sudo` group membership from the commandline:

 {{{#!plain
$ sudo adduser foo -G sudo
}}}

(or first get root as in previous section).
You should then login as the new user and [[#Verifying_sudo_membership|verify group membership]].
Line 29: Line 90:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Line 36: Line 98:
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias SHUTDOWN = /sbin/reboot, /sbin/poweroff
Line 44: Line 106:
# Users in the group wheel can execute any command impersonating any user.
#%wheel ALL= ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Line 49: Line 111:
}}}-~

== Troubles and tweaks ==

#includedir /etc/sudoers.d
}}}-~

== Problems and tips ==

=== PATH not set ===

A typical error using sudo to install a package might result in:

{{{
dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: warning: 'start-stop-daemon' not found in PATH or not executable.
dpkg: error: 2 expected programs not found in PATH or not executable.
Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
}}}

The packaged /etc/sudoers file contains this line:

{{{
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
}}}

Previous versions did not include that line. If you had a locally modified /etc/sudoers (most would), upgraded, and kept your locally modified version, then this required line is now missing and sudo no longer overrides your PATH. This most likely results in PATH not being set properly and not including the system directories. The fix is to merge your local changes into the new packaged /etc/sudoers file, or to put your local changes in the new /etc/sudoers.d/ location as a uniquely named file such as {{{/etc/sudoers.d/local-sudoers}}}. See DebianBug:639841 for details.
Line 56: Line 139:
$sudo test
$ sudo test
Line 69: Line 152:
This messages typically means that the user isn't allowed to execute the action.

This message means what it says: the user you're running as isn't allowed to execute the given command on the given machine. One confusing possible reason for this is that the administrator has just added user jdoe to a privileged group - but you're still using the old login, which doesn't have that new group information, and therefore has no new sudo-ing rights. People in this situation are usually advised to log out completely and back in again, though you can sometimes get away with just performing a "re-login on the spot" with {{{su - $USER}}}.

=== The include directive ===

The standard {{{/etc/sudoers}}} in Wheezy as of 1.8.2-1 ends with a line:

 {{{#!plain
 #includedir /etc/sudoers.d
}}}

This makes it possible for other packages to provide snippets in {{{/etc/sudoers.d/<packagename>}}} which modify the configuration of {{{sudo}}}. It may look as if it needs to be edited to take out the leading numbersign (a.k.a. "hash" or "pound"), but no, the '#' is part of the directive!
Line 72: Line 165:
Yes, the file {{{/etc/sudoers}}} is set read-only, even for root!

The is because, one __must__ use the command {{{visudo}}} to edit {{{/etc/sudoers}}}.

=== CVE-2005-4158 ===

With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do.

 sudo (1.6.8p7-1.3) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Reverse the environment semantic by forcing users to maintain a whitelist [env.c, Bug#342948, CVE-2005-4158]

As a result, unless you modify your sudoers file to contain '''Defaults env_reset''', you may experience problems using sudo like the following:

 * E138: Can’t write viminfo file $HOME/.viminfo!
 * dircolors: no SHELL environment variable, and no shell type option given
 * squidview: can't get your home directory, exiting

If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible.

Bug: DebianBug:342948

=== PASSWD option not working ===

sudo has a flag called '''exempt_group''' which contains a list of groups for which always NOPASSWD is true and setting PASSWD has no effect. On Debian Systems this list consists of the group '''sudo'''.

Yes, the file {{{/etc/sudoers}}} is intentionally set read-only, even for root!

The explanation usually offered is that it was set up this way to ensure that admins only ever edit it via the command {{{visudo}}}. However, this theory doesn't quite hold water. Being mode 0440 does nothing to impede {{{sudo nano /etc/sudoers}}} - most text editors will let you edit the file without complaining about the read-only bit. Besides, any time you do mangle {{{/etc/sudoers}}}, the fix may be as simple as {{{su -c visudo}}}, which is nothing compared to the kind of recovery procedure you'd have to go through if you broke something like {{{/etc/inittab}}} (mode 0644). So if there's a good reason for the unorthodox permissions, it's a mystery - contributions welcome.

=== Wrong HOME (and profile settings) behavior ===

If you are having problems when you {{{sudo}}} to your shell and your $HOME (and profile settings) don't work as expected because your new HOME is /root, you need to know that the default {{{sudo}}} configuration in Squeeze resets all environment variables. To restore the old behavior of preserving the user's $HOME environment variable you can add this to your {{{/etc/sudoers}}} configuration file:

~-{{{#!plain
Defaults env_keep += HOME
}}}-~

=== Require root password ===

If you want to require the root password for use of sudo, rather than the user password, add the line:

~-{{{#!plain
Defaults rootpw
}}}-~

=== No password prompt for sudo user ===

If you want sudo group members to execute commands without password, add the line:

~-{{{#!plain
%sudo ALL=(ALL) NOPASSWD: ALL
}}}-~

For more information read the [[http://www.sudo.ws/sudo/stable.html#1.7.4|upstream changelog for version 1.7.4]].

=== Customize credentials cache timeout ===

By default, after asking for your password, `sudo` caches your credentials for 15 minutes. You can change this behavior using the command {{{visudo}}} and customizing the timeout for a specific user:

~-{{{#!plain
Defaults:foobar timestamp_timeout=30
}}}-~

=== bash: useradd: command not found ===

Use
~-{{{#!plain
$ su -l
}}}-~
to start the root shell with an environment similar to a normal 'login' shell. This includes initializing the environment variable $PATH for user root instead of simply inheriting it from the normal (non-sudo) user who does not have /sbin on her/his $PATH. See
~-{{{#!plain
$ man su
}}}-~
This is how to enable sudo after a fresh install of Debian 10:
~-{{{#!plain
$ su -l
# adduser USERNAME sudo
# exit
}}}-~
Then, log out of the desktop environment and log in again.
You can check the success of the above by entering
~-{{{#!plain
$ groups
}}}-~

----
Line 100: Line 229:
 * Manpages: [[DebianMan:5/sudoers|sudoers(5)]], [[DebianMan:8/sudo|sudo(8)]], [[DebianMan:8/visudo|visudo(8)]], [[DebianMan:8/sudoedit|sudoedit(8)]]
 * Manpages: [[DebianMan:5/sudoers|sudoers(5)]], [[DebianMan:8/sudo|sudo(8)]], [[DebianMan:8/visudo|visudo(8)]], [[DebianMan:8/sudoedit|sudoedit(8)]], [[DebianMan:8/sudoreplay|sudoreplay(8)]]
 * [[Doas]] - A lighter and more minimalistic tool for the same purpose, with simpler configuration.

----

CategoryRoot | CategorySystemSecurity | CategorySystemAdministration

Sudo (sometimes considered as short for Super-user do) is a program designed to let system administrators allow some users to execute some commands as root (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log who ran which command and when.

Why sudo?

Using sudo is better (safer) than opening a session as root for a number of reasons, including:

  • Nobody needs to know the root password (sudo prompts for the current user's password). Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.

  • It's easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.

  • Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, switching to root using sudo -i (or sudo su) is usually discouraged, because it forfeits the benefits listed above.

Users and sudo

Debian's default configuration allows users in the sudo group to run any command via sudo.

Verifying sudo membership

Once logged in as a user, you can verify whether or not the user belongs to group=sudo using either the id or groups commands. E.g., a user with id=foo should see output from

$ groups

like

foo sudo

If sudo is not present in the output, the user does not belong to that group. Similarly, the more complex and variable output from command=id should look something like

uid=1001(foo) gid=1001(foo) groups=1001(foo),27(sudo)

Add existing user from commandline

To add an existing user with id=foo to group=sudo:

$ sudo adduser foo sudo

Alternatively, you can first get root (e.g., sudo su -) and then run the same commands without prefix=sudo:

# adduser foo
# adduser foo sudo

After being added to a new group the user must log out and then log back in again for the new group to take effect. Groups are only assigned to users at login time. A common source of confusion is that people add themselves to a new group, do not log out and back in again, and then have problems because the group is not assigned; be sure to verify group membership.
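The two checks described above (looking for sudo in the output of groups or id, and remembering that a running session keeps the groups it had at login) can be scripted. The following is an added example, not code from the Debian wiki; the sample id lines are constructed. It matches the group name exactly, so a group such as sudoers is not mistaken for sudo, and it distinguishes the groups of the current session (id with no argument) from the groups recorded in the group database for the next login (id USER).

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): check membership of the
# sudo group from the output of `id`, matching the group name exactly.

# id_has_group ID_OUTPUT GROUP
#   $1: one line in the format printed by `id`
#   $2: the group name to look for
# Returns 0 if GROUP appears in the groups= list, 1 otherwise.
id_has_group() {
    printf '%s\n' "$1" \
      | sed -n 's/^.*groups=\([^ ]*\).*$/\1/p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(\(.*\))$/\1/' \
      | grep -qx "$2"
}

# Groups of the *running session*: this is what sudo sees right now.
session_has_group() {
    id_has_group "$(id)" "$1"
}

# Groups recorded for USER in the group database: this is what the user
# gets at the *next* login. If this says yes and session_has_group says no,
# the user was added to the group but has not logged out and back in yet.
user_has_group() {
    id_has_group "$(id "$1" 2>/dev/null)" "$2"
}

# Constructed sample lines, in the format `id` prints:
SAMPLE_MEMBER='uid=1001(foo) gid=1001(foo) groups=1001(foo),27(sudo)'
SAMPLE_NONMEMBER='uid=1002(bar) gid=1002(bar) groups=1002(bar),1003(sudoers)'

if id_has_group "$SAMPLE_MEMBER" sudo; then
    echo "foo: member of the sudo group"
fi
if ! id_has_group "$SAMPLE_NONMEMBER" sudo; then
    echo "bar: not a member of the sudo group (sudoers does not count)"
fi
```

On a live system, compare `session_has_group sudo` with `user_has_group "$USER" sudo`: when only the second succeeds, the group was added to the database but the current login predates it, which is exactly the situation the paragraph above describes.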

Creating users with sudo

You can also create new users with sudo membership:

Creating new user while installing OS

As of DebianSqueeze, if you give root an empty password during installation, sudo will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.

Creating new user from commandline

A user who already has sudo can create another user (example id=foo) with sudo group membership from the commandline:

$ sudo adduser foo -G sudo

(or first get root as in previous section). You should then login as the new user and verify group membership.

Configuration overview

Now, if you want to allow certain users to execute certain programs, here's a quick example (for more information, read the fine manual).

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification
User_Alias      MYADMINS = jdoe

# User alias specification

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/reboot, /sbin/poweroff
Cmnd_Alias      PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude

# User privilege specification

# Users listed above (MYADMINS) can run package managers and reboot the system.
MYADMINS ALL = PKGMGMT, SHUTDOWN

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#Default rule for root.
root    ALL=(ALL) ALL

#includedir /etc/sudoers.d

Problems and tips

PATH not set

A typical error using sudo to install a package might result in:

dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: warning: 'start-stop-daemon' not found in PATH or not executable.
dpkg: error: 2 expected programs not found in PATH or not executable.
Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

The packaged /etc/sudoers file contains this line:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Previous versions did not include that line. If you had a locally modified /etc/sudoers (most would), upgraded, and kept your locally modified version, then this required line is now missing and sudo no longer overrides your PATH. This most likely results in PATH not being set properly and not including the system directories. The fix is to merge your local changes into the new packaged /etc/sudoers file, or to put your local changes in the new /etc/sudoers.d/ location as a uniquely named file such as /etc/sudoers.d/local-sudoers. See Debian bug 639841 for details.

Sorry, user jdoe is not allowed to execute ...

A typical session goes like this:

$ sudo test

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jdoe: 
Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.

This message means what it says: the user you're running as isn't allowed to execute the given command on the given machine. One confusing possible reason for this is that the administrator has just added user jdoe to a privileged group - but you're still using the old login, which doesn't have that new group information, and therefore has no new sudo-ing rights. People in this situation are usually advised to log out completely and back in again, though you can sometimes get away with just performing a "re-login on the spot" with su - $USER.

The include directive

The standard /etc/sudoers in Wheezy as of 1.8.2-1 ends with a line:

#includedir /etc/sudoers.d

This makes it possible for other packages to provide snippets in /etc/sudoers.d/<packagename> which modify the configuration of sudo. It may look as if it needs to be edited to take out the leading numbersign (a.k.a. "hash" or "pound"), but no, the '#' is part of the directive!
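The "PATH not set" section above recommends keeping local changes in a uniquely named file under /etc/sudoers.d/, and this section explains how #includedir picks such files up. Two things bite people in practice: sudoers(5) has #includedir skip any file whose name contains a '.' or ends in '~' (so local-sudoers.conf is silently ignored), and a snippet with a syntax error can lock everyone out of sudo. The following added example, which is not code from the Debian wiki, checks the file name against those rules, syntax-checks the snippet with visudo -cf before it reaches /etc/sudoers.d, and installs it with the same 0440 mode as /etc/sudoers. The snippet contents and the DO_INSTALL switch are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): install a local sudoers
# drop-in safely. Needs root only for the actual install step.

# dropin_name_ok NAME
# Returns 0 if sudo's #includedir will read /etc/sudoers.d/NAME, 1 if it
# would skip it: names containing '.' or ending in '~' are ignored per
# sudoers(5), and NAME must be a bare file name, not a path.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
    esac
    return 0
}

# install_dropin NAME SRCFILE
# Validates SRCFILE with `visudo -cf` (a syntax check that does not touch
# the live configuration) and installs it as /etc/sudoers.d/NAME, owned by
# root with mode 0440. Refuses names sudo would ignore and files that do
# not parse, so a broken snippet never reaches /etc/sudoers.d.
install_dropin() {
    name=$1
    src=$2
    if ! dropin_name_ok "$name"; then
        echo "refusing '$name': sudo would silently ignore this file name" >&2
        return 1
    fi
    if ! visudo -cf "$src"; then
        echo "syntax error in $src, not installing" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$src" "/etc/sudoers.d/$name"
}

# Constructed snippet: the page's sudo-group rule, narrowed to the two
# package-management commands instead of ALL (an assumption for the demo).
SNIPPET='%sudo ALL=(ALL:ALL) /usr/bin/apt-get, /usr/bin/dpkg'

# Dry run of the naming rule, safe to execute anywhere:
for n in local-sudoers local-sudoers.conf 'local-sudoers~'; do
    if dropin_name_ok "$n"; then
        echo "$n: would be read by #includedir"
    else
        echo "$n: would be IGNORED by #includedir"
    fi
done

# The real install only runs as root and only when explicitly requested.
if [ "${DO_INSTALL:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SNIPPET" > "$tmp"
    install_dropin local-sudoers "$tmp"
    rm -f "$tmp"
fi
```

Run it as is to see which names #includedir accepts; run it as root with DO_INSTALL=1 to perform the checked install. Because visudo -cf runs before install, a typo in the snippet produces an error message instead of a sudo that refuses to parse its configuration.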

sudoers is read-only

Yes, the file /etc/sudoers is intentionally set read-only, even for root!

The explanation usually offered is that it was set up this way to ensure that admins only ever edit it via the command visudo. However, this theory doesn't quite hold water. Being mode 0440 does nothing to impede sudo nano /etc/sudoers - most text editors will let you edit the file without complaining about the read-only bit. Besides, any time you do mangle /etc/sudoers, the fix may be as simple as su -c visudo, which is nothing compared to the kind of recovery procedure you'd have to go through if you broke something like /etc/inittab (mode 0644). So if there's a good reason for the unorthodox permissions, it's a mystery - contributions welcome.

Wrong HOME (and profile settings) behavior

If you are having problems when you sudo to your shell and your $HOME (and profile settings) don't work as expected because your new HOME is /root, you need to know that the default sudo configuration in Squeeze resets all environment variables. To restore the old behavior of preserving the user's $HOME environment variable you can add this to your /etc/sudoers configuration file:

Defaults env_keep += HOME

Require root password

If you want to require the root password for use of sudo, rather than the user password, add the line:

Defaults   rootpw

No password prompt for sudo user

If you want sudo group members to execute commands without password, add the line:

%sudo ALL=(ALL) NOPASSWD: ALL

For more information read the upstream changelog for version 1.7.4.

Customize credentials cache timeout

By default, after asking for your password, sudo caches your credentials for 15 minutes. You can change this behavior using the command visudo and customizing the timeout for a specific user:

Defaults:foobar timestamp_timeout=30

bash: useradd: command not found

Use

$ su -l

to start the root shell with an environment similar to a normal 'login' shell. This includes initializing the environment variable $PATH for user root instead of simply inheriting it from the normal (non-sudo) user who does not have /sbin on her/his $PATH. See

$ man su

This is how to enable sudo after a fresh install of Debian 10:

$ su -l
# adduser USERNAME sudo
# exit

Then, log out of the desktop environment and log in again. You can check the success of the above by entering

$ groups


See also


CategoryRoot | CategorySystemSecurity | CategorySystemAdministration