Search Results for: sudoers

How to Use visudo

The visudo command is a safe and secure way of editing the /etc/sudoers file on UNIX and Linux systems. Since the sudoers file determines which users can run administrative tasks, those requiring superuser privileges, it is a good idea to take some precautions when editing it, and that's what visudo does.

It locks the sudoers file so it cannot be edited by anyone else simultaneously. It also checks the syntax of your edits and provides basic sanity checks. If someone else is editing the file you'll get a message to try later, and if there are errors in your edits it wont save them.

Preventing simultaneous editing by someone else is helpful to ensure your edits aren't lost, and saving a sudoers file without errors is important because you could otherwise end up locked out of your system. An unreadable sudoers file will prevent you from running administrative tasks by using the sudo command or becoming root, and editing the sudoers file itself requires those privileges. So you really don't want to screw that one up.

Visudo is basically a wrapper for a text editor such as vi or nano. Vi is traditionally the default unless your distribution or OS has something else set up. For basics on how to use vi for editing check out the vi survival guide.

Visudo has a built in list of supported editors that can be used, and you can change which it will use by setting the "EDITOR" environment variable on the command line like this: export EDITOR=nano. This will set nano as the default editor. To save this permanently add the same line to the .bashrc file in your home directory. On Ubuntu, where nano is actually set as the default, you can also change it by running sudo update-alternatives –config editor and then selecting your preference.

Editing Sudoers

To open up the /etc/sudoers file for editing with visudo simply run sudo visudo.

Before making any edits it's a good idea to check the existing configuration, and understand what everything means. One line you'll definitely encounter is this:

root    ALL=(ALL:ALL) ALL

This gives the root user all of the superuser privileges, as can be expected. The format of the rule set such as this is as follows:

user hosts=(users:groups) commands

What you're doing is specifying which commands can a given user run under which circumstances. In case where all of them are set to ALL, like for root, it means that the user can run all commands on all hosts, as all users and groups.

If all you want is enable another user with the same powers as root, obtainable by issuing the sudo command before the desired command, you can just copy the root line and change "root" with your username, in this example "daniel":

daniel    ALL=(ALL:ALL) ALL

But if you don't want to give all of the privileges you can adjust the rules. For example you can allow "daniel" to only run certain commands:

daniel ALL=(ALL:ALL) mytop,cat,tail

Besides users you can also give superuser permissions to groups using a % indicator:

%admin ALL=(ALL) ALL

This would allow all users in the admin group to run all commands as root.

Aliases

Finally, you can set up aliases to group multiple entries into a single one for use in these statements. There are four types of aliases: User_Alias for listing users, Runas_Alias for listing users a given user can run as, Host_Alias for listing hosts, and Cmnd_Alias for listing commands.

Aliases are useful if you have a more complex set up with multitude of users that should have varying degrees of privileges on the system. To set up an alias just state the alias type, its name, and then the list of users, hosts or commands you want to associate it with. For example to set up a User_Alias you can do this:

User_Alias MANAGERS = steve,bill,james

All the other aliases follow the same format only with the different specified type, and listing different types of things, like users, hosts or commands. If we wanted to put the three commands from the above example with the "daniel" user under an alias we could do this:

Cmnd_Alias READ = mytop,cat,tail

And then instead of listing these two commands in our configuration for daniel we can just specify the READ alias:

daniel ALL=(ALL:ALL) READ

It works the same way for other types of aliases. If we want to give the same privileges to users steve, bill, and james we can say:

MANAGERS ALL=(ALL:ALL) READ

You get the idea.

These are the basics of using visudo and editing the sudoers file with it. We recommend you check out the manual pages if you ever need more detailed reference, like man visudo and man sudoers. You can also see a sample sudoers file with many examples at its web site.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

sudo tutorial

sudo allows you to run a Unix command as a different user. Using /etc/sudoers file to confirm what privileges are available to you, this command effectively elevates your access rights, thus allowing you to run commands and access files which would otherwise be not available to you.

How sudo command works

The real and effective user id (uid) and group id (gid) are set to match those of the target user as specified in /etc/sudoers file (the safest way to change this file is to use the visudo command - check out the visudo tutorial). The way you use sudo is simple enough: you run this command and specify a command line you'd like to run with the privileges of a different user. Before the requested command is run, you are asked to confirm your identify by providing your user password.

[Read more…]

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Using visudo

Using visudo allows for updates to sudoers file on your system to be made in an easy and safe way.

Essentially, visudo is a wrapper script around vi editor (or any other editor of your preference), which  locks the sudoers file against multiple simultaneous edits, checks for the correct sudoers file syntax, and provides other sanity checks.

Please consult the visudo tutorial post for further information.

See also:

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

visudo tutorial

visudo is a tool for safely updating the /etc/sudoers file, found in most Linux systems (Ubuntu for example).

Here's what the Ubuntu man page says about it, I think it's a great summary:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

Attention: due to the sensitive content of the /etc/sudoers file, you can only run visudo as root.

[Read more…]

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Ubuntu: Using Sudo to Grant User Privileges

If you have used your fresh Ubuntu install for longer than half an hour, chances are that you've discovered the sudo command already.

sudo allows certain users to execute a command under another user's privileges. Most commonly, using sudo implies running a command as a superuser, but the approach works equally well for allowing you to inherit a user ID (uid) and group ID (gid) of any user on the system.

To gain access, a password is asked, and by default it is your password, and not the password of a user you're trying to run a command as. This allows for the system' s administrator to effectively manage user privileges without having any user share their password.

[Read more…]

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS