Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]

Working with sudo

Publication Date: 11/25/2021

1 Environment

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-environment

This document applies to the following products and product versions:

  • SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise Server for SAP Applications 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise High Availability Extension 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise High Performance Computing 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise Desktop 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise Real Time 15 SP3, 15 SP2, 15 SP1, 15 GA

2 Introduction

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-intro

The following article explains the basic usage of the command sudo.

3 Requirements

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-requirements

To use sudo, you need to have the sudo package installed which is usually available by default on PRODUCT.

4 Running a single command

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-single-command

As a regular user, you can run any command as root by adding sudo before it. This prompts you to provide the root password. If authenticated successfully, this runs the command as root:

tux > id -un1
tux
tux > sudo id -un
root's password:2
root
tux > id -un
tux3
tux > sudo id -un
4
root

1

The id -un command prints the login name of the current user.

2

The password is not shown during input, neither as clear text nor as masking characters.

3

Only commands that start with sudo run with elevated privileges.

4

The elevated privileges persist for a certain period of time, so you do not have to provide the root again.

Tip
Tip: I/O redirection

When using sudo, I/O redirection does not work:

tux > sudo echo s > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Permission denied
tux > sudo cat < /proc/1/maps
bash: /proc/1/maps: Permission denied

In the example above, only the echo and cat commands run with elevated privileges. The redirection is done by the user's shell with user privileges. To perform redirection with elevated privileges, either start a shell as in Section 5, “Starting a shell” or use the dd utility:

echo s | sudo dd of=/proc/sysrq-trigger
sudo dd if=/proc/1/maps | cat

5 Starting a shell

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-start-shell

Using sudo every time to run a command with elevated privileges is not always practical. While you can use the sudo bash command, it is recommended to use one of the built-in mechanisms to start a shell:

sudo -s (COMMAND)

Starts a shell specified by the SHELL environment variable or the target user's default shell. If a command is specified, it is passed to the shell (with the -c option). Otherwise the shell runs in interactive mode.

tux:~ > sudo -s
root's password:
root:/home/tux # exit
tux:~ > 
sudo -i (COMMAND)

Similar to -s, but starts the shell as a login shell. This means that the shell's start-up files (.profile etc.) are processed, and the current working directory is set to the target user's home directory.

tux:~ > sudo -i
root's password:
root:~ # exit
tux:~ > 
Tip
Tip: Environment variables

By default, sudo does not propagate environment variables. This behavior can be changed using the env_reset option

6 sudo use cases

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-usecases

While the default configuration works for standard usage scenarios, you can customize the default configuration to meet your specific needs.

6.1 Using sudo without root password

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-usecases-userpw

Modern Unix systems generally use user groups as a security protocol to control access privileges. The group wheel is a special user group to control access to the su or sudo command. By design, members of the group wheel can run all commands with sudo as root. The following procedure explains how to add a user account to the wheel group.

  1. Add your user account to the group wheel.

    If your user account is not already a member of the wheel group, add it:

    sudo usermod -a -G wheel USERNAME

    Log out and log in again to enable the change. Verify that the change was successful by running the groups USERNAME command.

  2. Authenticate with the user account's normal password.

    Create the file /etc/sudoers.d/userpw using the following command:

    visudo -f /etc/sudoers.d/userpw
  3. Add the following line:

    Defaults !targetpw
  4. Select a new default rule.

    Depending on whether you want users to re-enter their passwords, uncomment the appropriate line in /etc/sudoers and comment out the default rule.

    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL
    
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
  5. Make the default rule more restrictive.

    Comment out or remove the allow-everything rule in /etc/sudoers:

    ALL     ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'
    Warning
    Warning: Dangerous rule in sudoers

    Do not skip this step. Otherwise any user can execute any command as root!

  6. Test the configuration.

    Run sudo as member and non-member of wheel.

    tux:~ > groups
    users wheel
    tux:~ > sudo id -un
    tux's password:
    root
    wilber:~ > groups
    users
    wilber:~ > sudo id -un
    wilber is not in the sudoers file.  This incident will be reported.

6.2 Using sudo with X.Org applications

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-usecases-xorg

Starting graphical applications with sudo usually results in the following error:

tux > sudo xterm
xterm: Xt error: Can't open display: %s
xterm: DISPLAY is not set

A simple workaround is to use xhost to temporarily allow the root to access the local user's X session. This is done using the following command:

xhost si:localuser:root

The command below removes the granted access:

xhost -si:localuser:root
Warning
Warning: Potential security issue

Running graphical applications with root privileges has security implications. It is recommended to enable root access for a graphical application only as an exception. It is also recommended to revoke the granted root access as soon as the graphical application is closed.

7 Troubleshooting

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-troubleshooting

The following instructions help you to fix any issues.

7.1 Unlocking yourself

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-troubleshooting-unlock

If you accidentally locked yourself out of sudo, do the following:

  1. Start a root shell with su -.

  2. Enter the root password.

  3. Run visudo.

    A file is opened.

  4. Fix all the syntax errors mentioned in the file.

Your user is unlocked again.

8 Next steps

  • File Name: task-working-sudo.xml
  • ID: task-working-sudo-next-steps
  • Configuring sudo

Print this page