sudo Command Example

/ Category: Tips and Tricks / Comments: None

sudo command example
Spread the love

In this post, we will discuss ‘sudo’ command and we will show you sudo command examples. The sudo command is one of the most important and commonly used command in Linux. It is very important that the Linux user understand sudo command to increase security and prevent unexpected things, that the user have to go through. In the most of the Linux operating system, sudo (“superuser do”, “switch user do”) permits a user with proper permissions to execute a command as another user, like the superuser. Basically, the sudo command allows a permitted user to execute a command as the superuser or another user such as modify important system configuration files, remove packages, create users and groups, install and update.
On the other hand, the system administrator can share the root password (which is not the recommended method), so that normal users of the system can access the root account via the sudo command. The behavior of the sudo command is controlled by the /etc/sudoers file on your system.

Short description about sudo command

The real and effective uid and gid of the supplying user are then set to match those of the target user account as laid out in the passwd file.
By default, sudo needs that users authenticate themselves with a password. By default, this can be the user’s password, not the root password itself.
Once a user has been authenticated, a timestamp is recorded and also the user could use sudo without a password for a brief period of time (5 minutes, unless configured differently in sudoers). This timestamp is often renewed if the user issues sudo with the -v flag.
If a user unlisted in sudoers tries to run a command using sudo, it’s considered an unsuccessful attempt to breach system security and mail is distributed to the correct authorities, as defined at a setup time or within the sudoers file. The default authority to be notified of unsuccessful sudo makes an attempt is root. Note that the mail won’t be sent if an unauthorized user tries to run sudo with the -l or -v flags; this permits users to determine for themselves whether or not they’re allowed to use sudo.
sudo can log each successful and unsuccessful tries (as well as errors) to syslog, a unique log file, or both. By default, sudo can log to syslog, however, this will be modified at configure time or in the sudoers file.

sudo allows a permitted user to execute a command as root (or another user), as specified by the security policy:

-It reads and parses /etc/sudoers, appearance up to the invoking user and its permissions,
-Then prompts the invoking user for a password (normally the user’s password, however it will also be the target user’s password. Or it may be skipped with NOPASSWD tag),
-Then, sudo creates a child process within which it calls setuid() to modify to the target user
-After that, it executes a shell or the command given as arguments within the child process above.

Once you enter visudo command, you will see something like this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Basic Usage of sudo

To provide sudo access to a personal user, add the subsequent line to the /etc/sudoers file.

test ALL=(ALL) ALL

In the above example:

test: name of the user to be allowed to use sudo
ALL: permit sudo access from any terminal ( any machine ).
(ALL) : permit sudo command to be executed as any user.
ALL: permit all commands to be executed.

To provide sudo access to a group, add the subsequent line to the /etc/sudoers file.

%developers ALL=(ALL) ALL

In the above example:

developers: name of the group to be allowed to use sudo. Group name should be preceded with percentage symbol.
ALL: permit sudo access from any terminal ( any machine ).
(ALL) : permit sudo command to be executed as any user.
ALL: permit all commands to be executed.

sudo Command Examples

In this part, we can show you a few examples of how you can use the sudo command.

1. This example is showing how to give execute specific command permission.

Below example, System admin has allowed user test to restart apache server.

$ sudo /etc/init.d/apache2 restart
[sudo] password for test:
[ ok ] Restarting apache2 (via systemctl): apache2.service.

System admin has allowed test to do this by adding the following entry to /etc/sudoers file.

test ALL= /etc/init.d/apache2

In this example, we can see how to give execute specific command permission without a password.

You can also specify specific commands that will never require a password when run with sudo. Instead of using “ALL” after NOPASSWD above, specify the location of the commands.

test ALL=(ALL) NOPASSWD: /etc/init.d/apache2

After this, the ‘test’ user can execute this command: sudo /etc/init.d/apache2 start (or stop, restart,etc).

2. This useful example you can use to learn how to clear your sudo cache.

When a user runs a command with sudo a file with the same name as the user’s name is created in the /var/run/sudo directory or if the file already exist the last modification time of the file is updated to the current time. If the timestamp is set to a non-zero value, sudo checks the last modification time of the file to determine if the user is allowed to run the command without a password.
By default, sudo remembers your password for 15 minutes after you type it. You can invalidate the sudo credential cache using -k option as shown below.

sudo -k

3. You can change the Password Timeout.

You can set your password timeout. The number corresponds to the number of minutes sudo will remember your password for.
Run the visudo command in a terminal. Scroll down to the line that likks like this:

Defaults env_reset

and change it to this:

Defaults env_reset,timestamp_timeout=30

Change 30 to the time, in minutes, that you want it to wait before it times out. You can also change it to 0 if you want a password prompt every time you run sudo, or -1 if you never want a password prompt (though we don’t recommend this).

4. If you want to change the default visudo editor just follow this example.

You can change your visudo editor easily just by entering this commands:

Using vim with visudo
export VISUAL=vim; visudo
Using nano with visudo
export VISUAL=nano; visudo

The other way to change the editor for visudo you can run the following command:

sudo update-alternatives --config editor

And you should get a text like below.

Selection Path Priority Status
------------------------------------------------------------
* 0 /bin/nano 40 auto mode
1 /bin/ed -100 manual mode
2 /bin/nano 40 manual mode
3 /usr/bin/mcedit 25 manual mode
4 /usr/bin/vim.basic 30 manual mode

Press <enter> to keep the current choice[*], or type selection number:

You can choose the editor you want to use by entering the number from the Selection column.

5. This example is showing how to View Allowed Commands.

The following command will tell us what commands the user can run with sudo:

sudo -lU test

and if that user is in the sudo group you should get output like this:

Matching Defaults entries for test on example.com:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User test may run the following commands on example.com:
(ALL : ALL) ALL

6. This useful example you can use to learn how to Validate sudo Credential.

You can update his sudo cached credential using -v option. This is helpful when the password is changed, or if we cant to extend the sudo timeout.

$ sudo -v
[sudo] password for test:

Hopefully, by following these guide you successfully learn about sudo command. Of course, you don’t have to do any of this, if you use one of our Optimized VPS Cloud Hosting Solutions, in which case you can simply ask our expert Linux admins to help you with this. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on sudo command examples, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

Be the first to write a comment.

Your feedback