Working with sudo
1 Environment
This document applies to the following products and product versions:
SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Server for SAP Applications 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise High Availability Extension 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise High Performance Computing 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Desktop 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Real Time 15 SP3, 15 SP2, 15 SP1, 15 GA
2 Introduction
The following article explains the basic usage of the sudo command.
3 Requirements
To use sudo, you need to have the sudo package installed, which is usually the case by default on the products listed above.
4 Running a single command
As a regular user, you can run any command as root by adding sudo before it. This prompts you to provide the root password. If authenticated successfully, this runs the command as root:

> id -un
tux                 (1)
> sudo id -un
root's password:    (2)
root
> id -un
tux                 (3)
> sudo id -un
root                (4)

(1) The id -un command prints the login name of the current user.
(2) The password is not shown during input, neither as clear text nor as masking characters.
(3) Only commands that start with sudo run with elevated privileges.
(4) The elevated privileges persist for a certain period of time, so you do not have to provide the root password again.
When using sudo, I/O redirection does not work:

> sudo echo s > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Permission denied
> sudo cat < /proc/1/maps
bash: /proc/1/maps: Permission denied

In the example above, only the echo and cat commands run with elevated privileges. The redirection is done by the user's shell with user privileges. To perform redirection with elevated privileges, either start a shell as in Section 5, “Starting a shell” or use the dd utility:

echo s | sudo dd of=/proc/sysrq-trigger
sudo dd if=/proc/1/maps | cat
5 Starting a shell
Using sudo every time to run a command with elevated privileges is not always practical. While you can use the sudo bash command, it is recommended to use one of the built-in mechanisms to start a shell:

sudo -s (COMMAND)
Starts a shell specified by the SHELL environment variable or the target user's default shell. If a command is specified, it is passed to the shell (with the -c option). Otherwise the shell runs in interactive mode.

tux:~ > sudo -s
root's password:
root:/home/tux # exit
tux:~ >

sudo -i (COMMAND)
Similar to -s, but starts the shell as a login shell. This means that the shell's start-up files (.profile etc.) are processed, and the current working directory is set to the target user's home directory.

tux:~ > sudo -i
root's password:
root:~ # exit
tux:~ >

By default, sudo does not propagate environment variables. This behavior can be changed using the env_reset option.
6 sudo use cases
While the default configuration works for standard usage scenarios, you can customize the default configuration to meet your specific needs.
6.1 Using sudo without root password
Modern Unix systems generally use user groups as a security protocol to control access privileges. The group wheel is a special user group to control access to the su or sudo command.
By design, members of the group wheel can run all commands with sudo as root. The following procedure explains how to add a user account to the wheel group.

1. Add your user account to the group wheel.
   If your user account is not already a member of the wheel group, add it:

   sudo usermod -a -G wheel USERNAME

   Log out and log in again to enable the change. Verify that the change was successful by running the groups USERNAME command.

2. Authenticate with the user account's normal password.
   Create the file /etc/sudoers.d/userpw using the following command:

   visudo -f /etc/sudoers.d/userpw

   Add the following line:

   Defaults !targetpw

3. Select a new default rule.
   Depending on whether you want users to re-enter their passwords, uncomment the appropriate line in /etc/sudoers and comment out the default rule.

   ## Uncomment to allow members of group wheel to execute any command
   # %wheel ALL=(ALL) ALL
   ## Same thing without a password
   # %wheel ALL=(ALL) NOPASSWD: ALL

4. Make the default rule more restrictive.
   Comment out or remove the allow-everything rule in /etc/sudoers:

   ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'

   Warning: Dangerous rule in sudoers
   Do not skip this step. Otherwise any user can execute any command as root!

5. Test the configuration.
   Run sudo as member and non-member of wheel.

   tux:~ > groups
   users wheel
   tux:~ > sudo id -un
   tux's password:
   root
   wilber:~ > groups
   users
   wilber:~ > sudo id -un
   wilber is not in the sudoers file. This incident will be reported.
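An added example, not part of the SUSE article: a small Python audit that checks sudoers text for the combination the procedure above warns about (the allow-everything rule left in place after Defaults !targetpw, and NOPASSWD rules). It assumes plain sudoers syntax, does not follow include directives, and the sample sudoers texts it ships with are constructed.

```python
import re

# Constructed sudoers samples (not real files): the stock-style default, the
# state after only step 2 of the procedure above, and the state after step 4.
STOCK_STYLE = "Defaults targetpw   # ask for the root password\n" \
              "ALL   ALL=(ALL) ALL # only safe together with targetpw\n"
STEP2_ONLY = "Defaults targetpw\nALL ALL=(ALL) ALL\nDefaults !targetpw\n"
AFTER_STEP4 = "Defaults !targetpw\n%wheel ALL=(ALL) ALL\n"
ALL_RULE = re.compile(r"^ALL\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(NOPASSWD:\s*)?ALL$")
GLOBAL_DEFAULTS = re.compile(r"^Defaults\s+(.+)$")

def effective_lines(text):
    """Yield rule/Defaults lines: comments stripped, '\\' continuations joined,
    #include/@include directives skipped (they are not followed)."""
    pending = ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith(("#", "@include")):
            continue
        line = line.split("#", 1)[0].rstrip()  # drop a trailing inline comment
        if line:
            yield line

def audit_sudoers(text):
    """Return findings for the pitfalls of Section 6.1 (empty list = clean)."""
    targetpw, rules = False, []  # sudo's built-in default: ask for the user's password
    for line in effective_lines(text):
        m = GLOBAL_DEFAULTS.match(line)
        if not m:
            rules.append(line)
            continue
        for flag in (f.strip() for f in m.group(1).split(",")):
            if flag in ("targetpw", "!targetpw"):  # the last Defaults line wins
                targetpw = flag == "targetpw"
    findings = []
    for rule in rules:
        m = ALL_RULE.match(rule)
        if m and m.group(1):
            findings.append(f"{rule!r}: any user runs anything as root, no password")
        elif m and not targetpw:
            findings.append(f"{rule!r} without 'Defaults targetpw': any user runs "
                            "anything as root with their own password")
        if rule.startswith("%wheel") and "NOPASSWD" in rule:
            findings.append(f"{rule!r}: wheel members never enter a password")
    return findings
```

Feed it the concatenation of /etc/sudoers and the files in /etc/sudoers.d in include order, because a later Defaults line overrides an earlier one.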
6.2 Using sudo with X.Org applications
Starting graphical applications with sudo usually results in the following error:

> sudo xterm
xterm: Xt error: Can't open display: %s
xterm: DISPLAY is not set

A simple workaround is to use xhost to temporarily allow the root user to access the local user's X session. This is done using the following command:

xhost si:localuser:root

The command below removes the granted access:

xhost -si:localuser:root

Running graphical applications with root privileges has security implications. It is recommended to enable root access for a graphical application only as an exception. It is also recommended to revoke the granted root access as soon as the graphical application is closed.
7 Troubleshooting
The following instructions help you to fix any issues.
7.1 Unlocking yourself
If you accidentally locked yourself out of sudo, do the following:
1. Start a root shell with su -.
2. Enter the root password.
3. Run visudo. A file is opened.
4. Fix all the syntax errors mentioned in the file.
Your user is unlocked again.
8 Next steps
Configuring sudo