How do I allow a normal user to run commands as root and how to use the sudo command?
The sudo command allows users to do tasks on a Red Hat Enterprise Linux system as another user.
sudo is different from the su command and is more flexible and more secure. One significant advantage is that it can log usage. By default the program saves log data in the file /var/log/secure.
The sudo program uses a configuration file /etc/sudoers to store rules that are used to decide whether a command is allowed or not. It is recommended that a program visudo provided with the sudo package be used to edit the /etc/sudoers file.
Assume that we want to be able to run programs as root from a user called normaluser. First lets attempt to use sudo to run a privileged command:
$ sudo /sbin/service sendmail restart Password: normaluser is not in the sudoers file. This incident will be reported.
The sudo command has logged the attempt to the log file /var/log/secure:
# tail /var/log/secure ... Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
A special group ‘wheel’ exists on a Red Hat Enterprise Linux system that is traditionally used for privileged activity.
Add to the user the supplementary group ‘wheel’ (this command must be done as root):
# usermod -G normaluser,wheel normaluser
Verify that the user is now a member of the group wheel:
# groups normaluser normaluser : normaluser wheel
Edit the file /etc/sudoers using the visudo command:
# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification # User privilege specification root ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now
Notice that the /etc/sudoers file has examples and comments. To allow members of the group ‘wheel’ to run commands through sudo as root, uncomment the line:
... # Uncomment to allow people in group wheel to run all commands %wheel ALL=(ALL) ALL ...
The visudo program uses key bindings and commands within the editor from the vi editor. To make changes in the visudo program, hit the ‘i’ key (Insert mode). Use the cursor keys on your keyboard to move the cursor to the correct position, and hit ‘Delete’ key to remove the ‘#’ character.
To ‘write out’ or save the changes, hit the escape key, and then ‘:write’ and then ‘:quit’ to exit:
... # Uncomment to allow people in group wheel to run all commands %wheel ALL=(ALL) ALL #Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now # ALL ALL = NOPASSWD: /usr/bin/mindspring
Now run the privileged commands again as normaluser:
$ sudo /sbin/service sendmail restart Password: Shutting down sendmail: [ OK ] Shutting down sm-client: [ OK ] Starting sendmail: [ OK ] Starting sm-client: [ OK ]
The /var/log/secure file will also record the successfull use of sudo:
# tail /var/log/secure ... Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart