Differences between revisions 29 and 30
Revision 29 as of 2011-11-25 03:27:31
Size: 6163
Editor: ?estebanmonge
Comment:
Revision 30 as of 2011-11-25 03:29:01
Size: 6165
Editor: ?estebanmonge
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
||<tablestyle="width: 100%;" style="border: 0px hidden">~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[it/sudo|Italiano]] - [[ar/sudo|العربية]] - [[ru/sudo|Русский]] [[es/sudo|Español]] -~||<style="text-align: right;border: 0px hidden"> (!) [[/Discussion|Discussion]]|| ||<tablestyle="width: 100%;" style="border: 0px hidden">~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[it/sudo|Italiano]] - [[ar/sudo|العربية]] - [[ru/sudo|Русский]] - [[es/sudo|Español]] -~||<style="text-align: right;border: 0px hidden"> (!) [[/Discussion|Discussion]]||

Translation(s): English - Italiano - العربية - Русский - Español

(!) ?Discussion


Root > sudo


Sudo is a program designed to let system administrators allow some users to execute some commands as root (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log who ran which command and when.

As of DebianSqueeze, if you ask for the Desktop task during the installation, that pulls in sudo with a default configuration that automatically grants sudo-ing rights to any member of the sudo group. Depending on what user accounts you set up during the install, it's still possible that you may not have been added to that group - you can check by running groups.

Why sudo?

Using sudo is better (safer) than opening a session as root for a number of reasons, including:

  • Nobody needs to know the root password (sudo prompts for the current user's password). Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.

  • It's easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.

  • Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, switching to root using sudo -i (or sudo su) is usually deprecated because it cancels the above features.

Configuration overview

Now, if you want to allow certain users to execute certain programs, here's a quick example (for more information, read the fine manual).

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification
User_Alias      MYADMINS = jdoe

# User alias specification

# Cmnd alias specification
Cmnd_Alias      SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias      PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude

# User privilege specification

# Users listed above (MYADMINS) can run package managers and reboot the system.
MYADMINS ALL = PKGMGMT, SHUTDOWN

# Users in the group wheel can execute any command impersonating any user.
#%wheel ALL= ALL

#Default rule for root.
root    ALL=(ALL) ALL

Problems and tips

Sorry, user jdoe is not allowed to execute ...

A typical session goes like this:

  • $sudo test
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for jdoe: 
    Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.

This message means what it says: the user you're running as isn't allowed to execute the given command on the given machine. One confusing possible reason for this is that the administrator has just added user jdoe to a privileged group - but you're still using the old login, which doesn't have that new group information, and therefore has no new sudo-ing rights. People in this situation are usually advised to log out completely and back in again, though you can sometimes get away with just performing a "re-login on the spot" with su - $USER

The include directive

The standard /etc/sudoers in Squeeze ends with a line:

  •  #includedir /etc/sudoers.d

This makes it possible for other packages to provide snippets in /etc/sudoers.d/<packagename> which modify the configuration of sudo. It may look as if it needs to be edited to take out the leading numbersign (a.k.a. "hash" or "pound"), but no, the '#' is part of the directive!

sudoers is read-only

Yes, the file /etc/sudoers is intentionally set read-only, even for root!

The explanation usually offered is that it was set up this way to ensure that admins only ever edit it via the command visudo. However, this theory doesn't quite hold water. Being mode 0440 does nothing to impede sudo nano /etc/sudoers - most text editors will let you edit the file without complaining about the read-only bit. Besides, any time you do mangle /etc/sudoers, the fix may be as simple as su -c visudo, which is nothing compared to the kind of recovery procedure you'd have to go through if you broke something like /etc/inittab (mode 0644). So if there's a good reason for the unorthodox permissions, it's a mystery - contributions welcome.

Wrong HOME (and profile settings) behavior

If you are having problems when you sudo to your shell and your $HOME (and profile settings) doesn't work as expected because your new HOME is /root, you need to know that the default sudo configuration in Squeeze resets all environmental variables. To restore the old behavior of preserving the user's $HOME environment variable you can add this to your /etc/sudoers configuration file:

Defaults env_keep += HOME

Require root password

If you want to require the root password for use of sudo, rather than the user password, add the line:

Defaults   rootpw

For more information read the upstream changelog for version 1.7.4.

See also