How to use Sudo on an RCS Cloud Server

Introduction

In this guide, you will learn about root access, the sudo command, how to run commands using sudo, and the differences between sudo access and root. You'll also find instructions below that explain how to create a sudo user for popular operating systems.

What is Root?

root refers to the superuser account in Unix-like systems such as Linux. It is a privileged account with the highest access rights on the system used for system administration. This root/superuser account has a user identifier (UID) of zero, regardless of the name of the account.

The root user has full permissions (root privileges) to the entire system. It can do things like modifying core parts of the system, upgrading the system, changing system configuration, and starting, stopping, and restarting all running system services.

When logged in as root, the terminal command prompt symbol changes from $ to #. For example:

$ echo 'This is a normal user shell'

# echo 'This is a root shell'

What is Sudo?

The sudo (superuser do) command is a command-line utility that allows a user to execute commands as root or as a different user. It provides an efficient way to grant certain users the appropriate permissions to use specific system commands or run scripts as the root user.

Although a bit similar to the su command, sudo requires the logged-in user's password for authentication, rather than the target user's password that su requires. Sudo also doesn't spawn a root shell like su; rather it runs the program or command with elevated privileges.

With sudo, a system administrator can carry out the following actions:

  • Grant users or groups of users the ability to run certain commands with elevated or root privileges.
  • View a log of the user ID of each user that uses sudo.
  • Control what command a user can use on a host system.

Sudo keeps a log of all commands and arguments executed in the /var/log/auth.log file, which can be analyzed in the event something breaks.
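
As an added example (not part of the original guide), the script below shows how those log entries can be reviewed: it reduces sudo's syslog records to one line per command and separates denied or failed attempts from successful ones. The sample lines are constructed and the function names are assumptions of this example; on the RHEL-family systems covered later in this guide, the same records are normally written to /var/log/secure rather than /var/log/auth.log.

```shell
#!/bin/sh
# Constructed sample lines in the syslog format sudo writes (not real logs).
sample_log() {
cat <<'EOF'
Jan 10 09:15:02 web01 sudo:  example_user : TTY=pts/0 ; PWD=/home/example_user ; USER=root ; COMMAND=/usr/bin/whoami
Jan 10 09:15:02 web01 sudo: pam_unix(sudo:session): session opened for user root by example_user(uid=1001)
Jan 10 09:20:41 web01 sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 09:31:17 web01 sudo:  example_user : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/example_user ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 09:40:03 web01 sshd[812]: Accepted publickey for example_user from 192.0.2.10 port 50514 ssh2
EOF
}

# Read auth log lines on stdin and print, for every sudo command record:
#   STATUS invoking_user target_user command
# STATUS is OK, DENIED (not permitted by sudoers) or BADPASS.
summarize_sudo() {
    awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
        rec = $0
        sub(/^.* sudo(\[[0-9]+\])?: +/, "", rec)    # drop timestamp, host, tag
        sep = index(rec, " : ")
        if (sep == 0) next
        user = substr(rec, 1, sep - 1)
        rest = substr(rec, sep + 3)
        status = "OK"
        if (rest ~ /NOT in sudoers|not allowed/) status = "DENIED"
        else if (rest ~ /incorrect password attempt/) status = "BADPASS"
        target = "?"
        if (match(rest, /USER=[^ ]+/)) target = substr(rest, RSTART + 5, RLENGTH - 5)
        # COMMAND= is the last field; take the remainder so that
        # commands containing " ; " are not split.
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        print status, user, target, cmd
    }'
}

# Print only the events an administrator should review.
sudo_failures() {
    summarize_sudo | grep -v '^OK ' || true
}

sample_log | summarize_sudo
```

On a real system, pipe the log file into summarize_sudo or sudo_failures in place of sample_log.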

Run Commands as Sudo

To run commands as sudo, prepend the command with sudo:

$ sudo command

It will prompt you for a password. Enter your account password and press ENTER:

$ sudo command
[sudo]  password for user:

Now, command is going to run with elevated privileges.

Sudo Vs. Root

The principle of least privilege is an information and computer security concept: grant programs and users only the bare minimum privileges required to perform a task.

When logged in as root, every command entered into the terminal runs with the highest privileges on the system, which violates the principle of least privilege. A simple command like rm could unintentionally delete core root directories or files without prompting the user. For instance, if you tried to delete a root directory like /etc using:

$ rm -rf /etc

You will be denied permission, because you are logged in as a normal user. When logged in as root, no prompts will be shown, and the entire folder will be deleted, which will most likely break your system, because special configuration files needed for running the system are stored in the /etc directory. You could also end up formatting the wrong disk, and the system won't prompt you.

This flaw also extends to running code or applications as root; a small bug in the application could erase some system files because the application is running under the highest privileges.

Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges). Sudo can also be configured to run commands as another user, specify which users and groups are allowed to run commands using sudo, or set timeouts for running programs with root privileges by editing your sudoers file.

Consequently, running commands with the root shell is not advised as the chances of you breaking your system are much higher. If you require higher or root privileges to run a command, use sudo to be sure only that command is running with root privileges. For more information, check out the sudo man page.

Create a Sudo User on AlmaLinux, CentOS, Fedora, Rocky Linux, and VzLinux

This section applies to:

  • AlmaLinux
  • CentOS 7 and later
  • Fedora 31 and later
  • Rocky Linux
  • VzLinux

Procedure:

  1. Create a new user account with the adduser command.

    # adduser example_user
    
  2. Set a strong password for the new user with passwd.

    # passwd example_user
    Changing password for user example_user.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    
  3. Add the new user to the wheel group with usermod.

    # usermod -aG wheel example_user
    
  4. Check the sudoers file with visudo.

    # visudo
    
  5. Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    
  6. Save and exit vi. Press ESC, then type :wq, then press ENTER.

    Note: Never edit /etc/sudoers directly; always use visudo. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.

    visudo: >>> /etc/sudoers: syntax error near line 64 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)
    
  7. Switch to the new user.

    # su - example_user
    
  8. Verify you are the new user with whoami, then test sudo access with sudo whoami, which should return root.

    $ whoami
    example_user
    
    $ sudo whoami
    [sudo] password for example_user:
    root
    

Create a Sudo User on Arch Linux

This section applies to any recent version of Arch Linux.

Procedure:

  1. Install sudo, because it's not included as part of the base installation. If you haven't done an update for a while, remember to update your local repository databases first.

    # pacman --sync sudo
    
  2. Create a new user account with useradd.

    # useradd --create-home example_user
    
  3. Set a strong password for the new user with passwd.

    # passwd example_user
    
  4. Add the new user to the wheel group with usermod.

    # usermod --append --groups wheel example_user
    
  5. Edit the sudoers file with visudo.

    # visudo
    
  6. Look for the wheel group in the 'User privilege specification' section at the bottom of the file. Remove the comment from the beginning of the line, so that it looks like this:

    ## Uncomment to allow members of group wheel to execute any command
    %wheel ALL=(ALL) ALL
    
  7. Save and exit visudo. Press ESC, then type :wq (lowercase), then press ENTER.

    Note: Never edit /etc/sudoers directly; always use visudo. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.

    visudo: >>> /etc/sudoers: syntax error near line 64 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)
    
  8. Switch to the new user.

    # su - example_user
    
  9. Verify you are the new user with whoami, then test access with sudo whoami, which should return root.

    $ whoami
    example_user
    
    $ sudo whoami
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for example_user:
    root
    

Create a Sudo User on Debian & Ubuntu

This section applies to:

  • Debian 9 "Stretch" and later
  • Ubuntu 16.04 and later

Procedure:

  1. Install sudo. Some installations do not come with sudo installed. If yours does not, install sudo with apt.

    # apt install sudo
    
  2. Create a new user account with the adduser command. Use a strong password for the new user. You can enter values for the user information, or press ENTER to leave those fields blank.

    # adduser example_user
    Adding user `example_user' ...
    Adding new group `example_user' (1001) ...
    Adding new user `example_user' (1001) with group `example_user' ...
    Creating home directory `/home/example_user' ...
    Copying files from `/etc/skel' ...
    New password:
    Retype new password:
    passwd: password updated successfully
    Changing the user information for example_user
    Enter the new value, or press ENTER for the default
            Full Name []: Example User
            Room Number []:
            Work Phone []:
            Home Phone []:
            Other []:
    Is the information correct? [Y/n] y
    
  3. Add the new user to the sudo group.

    # adduser example_user sudo
    
  4. Test by switching to the new user.

    # su - example_user
    

    Verify you are the new user with whoami, then test sudo access with sudo whoami, which should return root.

    $ whoami
    example_user
    $ sudo whoami
    [sudo] password for example_user:
    root
    

Create a Sudo User on FreeBSD

This section applies to FreeBSD 11 and later.

Procedure:

  1. Install sudo from the ports collection, if the ports collection is installed on your system. To install sudo from ports:

    # cd /usr/ports/security/sudo/
    # make install clean
    

    You can also install the binary sudo package using pkg:

    # pkg install sudo
    
  2. Create a new user account for use with sudo:

    # adduser
    

    Answer the questions in the dialog to create the user. We'll use example_user in this guide.

  3. Add the user to the wheel group, which limits who can use su to become root.

    # pw group mod wheel -m example_user
    
  4. Edit the sudoers file with visudo.

    # visudo
    
  5. Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    
  6. Save and exit vi. Press ESC, then type :wq, then press ENTER.

    Note: Never edit /etc/sudoers directly; always use visudo. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.

    visudo: >>> /etc/sudoers: syntax error near line 64 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)
    
  7. Switch to the new user.

    # su - example_user
    
  8. Verify you are the new user with whoami, then test sudo access with sudo whoami, which should return root.

    $ whoami
    example_user
    
    $ sudo whoami
    [sudo] password for example_user:
    root
    

Create a Sudo User on OpenBSD

This section applies to OpenBSD 6.6 and later.

Please see Introduction to doas on OpenBSD if you prefer to use doas instead of sudo.

  1. Install the binary sudo package. Choose option 1 unless you know why you need another package.

    # pkg_add sudo
    
    quirks-3.187 signed on 2020-05-19T14:41:48Z
    Ambiguous: choose package for sudo
    a       0: <None>
            1: sudo-1.8.31
            2: sudo-1.8.31-gettext
            3: sudo-1.8.31-gettext-ldap
    Your choice: 1
    sudo-1.8.31: ok
    
  2. Create a new user account for use with sudo, and set the password.

    # useradd -m example_user
    # passwd example_user
    Changing password for example_user.
    New password:
    Retype new password:
    
  3. Add the user to the wheel group, which limits who can use su to become root.

    # user mod -G wheel example_user
    
  4. Check the sudoers file with visudo.

    # visudo
    
  5. Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.

    # Uncomment to allow people in group wheel to run all commands
    # and set environment variables.
    %wheel  ALL=(ALL) SETENV: ALL
    
  6. Save and exit vi. Press ESC, then type :wq, then press ENTER.

    Note: Never edit /etc/sudoers directly; always use visudo. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.

    visudo: >>> /etc/sudoers: syntax error near line 64 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)
    
  7. Switch to the new user.

    # su - example_user
    
  8. Verify you are the new user with whoami, then test sudo access with sudo whoami, which should return root.

    $ whoami
    example_user

    $ sudo whoami
    [sudo] password for example_user:
    root

More about the sudoers File

Sudo uses the default sudoers security policy and keeps a special configuration file /etc/sudoers. This file can be used to control access rights and password prompt timeouts.

Note: You must have elevated privileges to view the sudoers file.

Open the /etc/sudoers file; it should look like this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

The line:

root    ALL=(ALL:ALL) ALL

means that the root user has unlimited privileges and is capable of running any command on the system.

The line:

%sudo   ALL=(ALL:ALL) ALL

allows all members of the sudo group to execute any command.

Note: '%' in the sudoers file represents a group.

As you can see from the first line in the /etc/sudoers file:

# This file MUST be edited with the 'visudo' command as root

Do not attempt to edit the sudoers file directly. Use the visudo command with root privileges.
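
To make the rule syntax above concrete, here is an added example (not from the original guide) that reads sudoers text and reports, for each rule, whether it grants every command (FULL) or a restricted list (LIMITED), and whether it skips the password prompt. The sample content combines rules shown in this guide with hypothetical deploy and backup entries, and the function names are assumptions; the script handles only single-line rules without aliases, so `sudo -l -U <user>` remains the authoritative check.

```shell
#!/bin/sh
# Constructed sudoers text: rules shown in this guide plus two hypothetical
# entries (deploy, backup) added for illustration.
sample_sudoers() {
cat <<'EOF'
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) SETENV: ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
EOF
}

# Read sudoers text on stdin and print, per single-line rule:
#   FULL|LIMITED[,NOPASSWD] user|group name
# FULL means the command list is exactly ALL.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    $1 ~ /^Defaults/ || $1 ~ /^@include/ || $1 ~ /_Alias$/ { next }
    index($0, "=") == 0 { next }                      # not a privilege rule
    {
        who = $1
        kind = (who ~ /^%/) ? "group" : "user"        # "%" marks a group
        sub(/^%/, "", who)
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)             # drop "(runas)"
        tags = (spec ~ /NOPASSWD:/) ? ",NOPASSWD" : ""
        while (sub(/^[A-Z_]+:[ \t]*/, "", spec)) ;    # drop tags like SETENV:
        level = (spec ~ /^ALL[ \t]*$/) ? "FULL" : "LIMITED"
        print level tags, kind, who
    }'
}

# Rules that let a non-root account or group run any command.
unrestricted_grants() {
    audit_sudoers | grep '^FULL' | grep -v ' user root$' || true
}

sample_sudoers | audit_sudoers
```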

