2 sudo
basics #
Running certain commands requires root privileges. However, for security
reasons and to avoid mistakes, it is not recommended to log in as
root
. A safer approach is to log in as a regular user, and
then use sudo
to run commands with elevated privileges.
On SUSE Linux Enterprise Server, sudo
is configured to work similarly to su
. However,
sudo
provides a flexible mechanism that allows users to run commands with
privileges of any other user. This can be used to assign roles with specific
privileges to certain users and groups. For example, it is possible to allow
members of the group users
to run a command with the privileges of
user wilber
. Access to the command can be further restricted by
disallowing any command options. While su always requires the root
password for authentication with PAM, sudo
can be configured to
authenticate with your own credentials. This means that the users do not need
to share the root
password, which improves security.
2.1 Basic sudo
usage #
The following chapter provides an introduction to basic usage of sudo
.
2.1.1 Running a single command #
As a regular user, you can run any command as root
by
adding sudo
before it. This prompts you to provide the root password. If
authenticated successfully, this runs the command as root
:
>
id -un
1 tux>
sudo
id -un
root's password:2 root>
id -un
tux3>
sudo
id -un
4 root
The | |
The password is not shown during input, neither as clear text nor as masking characters. | |
Only commands that start with | |
The elevated privileges persist for a certain period of time, so you
do not need to provide the |
When using sudo
, I/O redirection does not work:
>
sudo
echo s > /proc/sysrq-trigger bash: /proc/sysrq-trigger: Permission denied>
sudo
cat < /proc/1/maps bash: /proc/1/maps: Permission denied
In the example above, only the echo
and
cat
commands run with elevated privileges. The
redirection is done by the user's shell with user privileges. To perform
redirection with elevated privileges, either start a shell as in Section 2.1.2, “Starting a shell” or use the dd
utility:
echo s | sudo dd of=/proc/sysrq-trigger sudo dd if=/proc/1/maps | cat
2.1.2 Starting a shell #
Using sudo
every time to run a command with elevated privileges is not
always practical. While you can use the sudo bash
command, it is recommended to use one of the built-in mechanisms to start a
shell:
sudo -s (<command>)
Starts a shell specified by the
SHELL
environment variable or the target user's default shell. If a command is specified, it is passed to the shell (with the-c
option). Otherwise the shell runs in interactive mode.tux:~ >
sudo -s root's password:root:/home/tux #
exittux:~ >
sudo -i (<command>)
Similar to
-s
, but starts the shell as a login shell. This means that the shell's start-up files (.profile
etc.) are processed, and the current working directory is set to the target user's home directory.tux:~ >
sudo -i root's password:root:~ #
exittux:~ >
By default, sudo
does not propagate environment variables. This behavior
can be changed using the env_reset
option (see Useful flags and options).
2.2 Configuring sudo
#
sudo
provides a wide range on configurable options.
If you accidentally locked yourself out of sudo
, use su
-
and the root
password to start a root shell.
To fix the error, run visudo
.
2.2.1 Editing the configuration files #
The main policy configuration file for sudo
is
/etc/sudoers
. As it is possible to lock yourself out
of the system if the file is malformed, it is strongly recommended to use
visudo
for editing. It prevents editing conflicts and
checks for syntax errors before saving the modifications.
You can use another editor instead of vi by setting the
EDITOR
environment variable, for example:
sudo EDITOR=/usr/bin/nano visudo
Keep in mind that the /etc/sudoers
file is supplied by
the system packages, and modifications done directly in the file may break
updates. Therefore, it is recommended to put custom configuration into
files in the /etc/sudoers.d/
directory. Use the
following command to create or edit a file:
sudo visudo -f /etc/sudoers.d/NAME
The command bellow opens the file using a different editor (in this case,
nano
):
sudo EDITOR=/usr/bin/nano visudo -f /etc/sudoers.d/NAME
/etc/sudoers.d
The #includedir
directive in
/etc/sudoers
ignores files that end with the
~
(tilde) character or contain the .
(dot) character.
For more information on the visudo
command, run
man 8 visudo
.
2.2.2 Basic sudoers configuration syntax #
The sudoers configuration files contain two types of options: strings and flags. While strings can contain any value, flags can be turned either ON or OFF. The most important syntax constructs for sudoers configuration files are as follows:
# Everything on a line after # is ignored 1 Defaults !insults # Disable the insults flag 2 Defaults env_keep += "DISPLAY HOME" # Add DISPLAY and HOME to env_keep tux ALL = NOPASSWD: /usr/bin/frobnicate, PASSWD: /usr/bin/journalctl 3
There are two exceptions: | |
Remove the | |
-
targetpw
This flag controls whether the invoking user is required to enter the password of the target user (ON) (for example
root
) or the invoking user (OFF).Defaults targetpw # Turn targetpw flag ON
-
rootpw
If set,
sudo
prompts for theroot
password. The default is OFF.Defaults !rootpw # Turn rootpw flag OFF
-
env_reset
If set,
sudo
constructs a minimal environment withTERM
,PATH
,HOME
,MAIL
,SHELL
,LOGNAME
,USER
,USERNAME
, andSUDO_*
. Additionally, variables listed inenv_keep
are imported from the calling environment. The default is ON.Defaults env_reset # Turn env_reset flag ON
-
env_keep
List of environment variables to keep when the
env_reset
flag is ON.# Set env_keep to contain EDITOR and PROMPT Defaults env_keep = "EDITOR PROMPT" Defaults env_keep += "JRE_HOME" # Add JRE_HOME Defaults env_keep -= "JRE_HOME" # Remove JRE_HOME
-
env_delete
List of environment variables to remove when the
env_reset
flag is OFF.# Set env_delete to contain EDITOR and PROMPT Defaults env_delete = "EDITOR PROMPT" Defaults env_delete += "JRE_HOME" # Add JRE_HOME Defaults env_delete -= "JRE_HOME" # Remove JRE_HOME
The Defaults
token can also be used to create aliases
for a collection of users, hosts, and commands. Furthermore, it is possible
to apply an option only to a specific set of users.
For detailed information about the /etc/sudoers
configuration file, consult man 5 sudoers
.
2.2.3 Basic sudoers rules #
Each rule follows the following scheme
([]
marks optional parts):
#Who Where As whom Tag What User_List Host_List = [(User_List)] [NOPASSWD:|PASSWD:] Cmnd_List
User_List
One or several (separated by comma) identifiers: either a user name, a group in the format
%GROUPNAME
, or a user ID in the format#UID
. Negation can be specified with the!
prefix.Host_List
One or several (separated by comma) identifiers: either a (fully qualified) host name or an IP address. Negation can be specified with the
!
prefix.ALL
is a common choice forHost_List
.NOPASSWD:|PASSWD:
The user is not prompted for a password when running commands matching
Cmd_List
afterNOPASSWD:
.PASSWD
is the default. It only needs to be specified when bothPASSWD
andNOPASSWD
are on the same line:tux ALL = PASSWD: /usr/bin/foo, NOPASSWD: /usr/bin/bar
Cmnd_List
One or several (separated by comma) specifiers: A path to an executable, followed by an optional allowed argument.
/usr/bin/foo # Anything allowed /usr/bin/foo bar # Only "/usr/bin/foo bar" allowed /usr/bin/foo "" # No arguments allowed
ALL
can be used as User_List
,
Host_List
, and Cmnd_List
.
A rule that allows tux
to run all commands as root without
entering a password:
tux ALL = NOPASSWD: ALL
A rule that allows tux
to run systemctl restart
apache2
:
tux ALL = /usr/bin/systemctl restart apache2
A rule that allows tux
to run wall
as
admin
with no arguments:
tux ALL = (admin) /usr/bin/wall ""
Do not use rules like ALL ALL =
ALL
without Defaults targetpw
. Otherwise
anyone can run commands as root
.
When specifying the group name in the sudoers
file, make sure that you use the NetBIOS domain name instead of the realm, for example:
%DOMAIN\\GROUP_NAME ALL = (ALL) ALL
Keep in mind that when using winbindd, the format also depends on the winbind separator
option in the smb.conf
file. By default, it is \
. If it is changed, for example, to +
, then the account format in the sudoers
file must be DOMAIN+GROUP_NAME
.
2.3 sudo
use cases #
While the default configuration works for standard usage scenarios, you can customize the default configuration to meet your specific needs.
2.3.1 Using sudo
without root
password #
By design, members of the group
wheel
can run all commands
with sudo
as root. The following procedure explains how to add a user
account to the wheel
group.
Verify that the
wheel
group exists:>
getent group wheel
If the previous command returned no result, install the system-group-wheel package that creates the
wheel
group:>
sudo
zypper install system-group-wheel
Add your user account to the group
wheel
.If your user account is not already a member of the
wheel
group, add it using thesudo usermod -a -G wheel USERNAME
command. Log out and log in again to enable the change. Verify that the change was successful by running thegroups USERNAME
command.Authenticate with the user account's normal password.
Create the file
/etc/sudoers.d/userpw
using thevisudo
command (see Section 2.2.1, “Editing the configuration files”) and add the following:Defaults !targetpw
Select a new default rule.
Depending on whether you want users to re-enter their passwords, uncomment the appropriate line in
/etc/sudoers
and comment out the default rule.## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL
Make the default rule more restrictive.
Comment out or remove the allow-everything rule in
/etc/sudoers
:ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
Warning: Dangerous rule in sudoersDo not skip this step. Otherwise any user can execute any command as
root
!Test the configuration.
Run
sudo
as member and non-member ofwheel
.tux:~ >
groups users wheeltux:~ >
sudo id -un tux's password: rootwilber:~ >
groups userswilber:~ >
sudo id -un wilber is not in the sudoers file. This incident will be reported.
2.3.2 Using sudo
with X.Org applications #
Starting graphical applications with sudo
usually results in the following
error:
>
sudo
xterm xterm: Xt error: Can't open display: %s xterm: DISPLAY is not set
A simple workaround is to use xhost to temporarily allow the root user to access the local user's X session. This is done using the following command:
xhost si:localuser:root
The command below removes the granted access:
xhost -si:localuser:root
Running graphical applications with root privileges has security implications. It is recommended to enable root access for a graphical application only as an exception. It is also recommended to revoke the granted root access as soon as the graphical application is closed.
2.4 More information #
The sudo --help
command offers a brief overview of the
available command line options, while the man sudoers
command provides detailed information about sudoers
and its configuration.