Give users specific access with sudo
If you're new to Linux, chances are you know about Ubuntu. Ubuntu has done a great job of making a Linux distribution new-user friendly. One of the ways they have done this is by making the root user (the super user) somewhat transparent. The user cannot log in as the root user on an Ubuntu system (unless they have set it up that way) and has to use the sudo utility to run administrative tasks.
Now, as an administrator of a Linux system, you will find the sudo utility a great way to manage user permissions (especially with regard to applications). Say, for example, you have a specific executable file placed in /usr/sbin that you want your standard users to be able to use, along with the tools in the whole of /usr/bin. Or say you have one specific user on your system to whom you want to give full administrative access. This can all be done with the help of sudo. Let's see how.
A quick intro
If you're not familiar with sudo, let me give you a quick synopsis. The sudo tool allows you to execute a command with the security privileges of another user. Most often, as in Ubuntu, this allows a standard user to issue commands with administrative privileges. The basic command is issued like this:
sudo COMMAND
Where COMMAND is the command you want to run. You will then be prompted for your user password. Of course you don't need to use sudo if you are running standard commands that do not require administrative privileges.
Sudo configuration
Sudo is configured with the help of a single file: /etc/sudoers. When you look at this file you will most likely be a bit hesitant to make any changes. Fortunately the changes we are going to make are fairly basic. You do have to use sudo to make changes to the sudoers file. So to open this file with the nano editor you would issue the command:
sudo nano /etc/sudoers
and then give your user password.
Add a user for all administrative privileges
To add an already existing user to this file you would add a line in the main section. This "main" section can be found by searching for the root entry which looks like:
root    ALL=(ALL)    ALL
Not only is that the line you are looking for, it is also the structure of the line you will add. Let's say you want to add the user onichan to give her administrative rights with sudo. To do this the line would look like:
onichan    ALL=(ALL)    ALL
Now, there is one problem with adding a user like this. What a user can do is, effectively, gain access to the real, permanent root user and avoid all logging handled by sudo. So instead of the above, let's give onichan permission to execute commands in specific directories. We'll give her permission to run commands in the following:
- /usr/sbin/
- /sbin/
This entry will look like (the trailing slash is what tells sudo that the path is a directory rather than a single command):
onichan ALL=/usr/sbin/, /sbin/
Now user onichan can execute commands in both /usr/sbin and /sbin using sudo and giving her user password.
Final thoughts
This only skims the surface of the power of sudo. We'll cover many more aspects of this outstanding administrative tool in later articles. But at least now you can see how sudo works and how to add users. There are other aspects of sudo that I do not recommend employing (such as the NOPASSWD feature), but every system has unique needs.
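An added example (not part of the original article): a small shell function that reads a sudoers-style file and reports, for each user entry, whether it grants any command, a whole directory, or a single command, and whether it skips the password prompt. The parser is simplified (one entry per line, aliases and includes not expanded), and the `backup` user with its rsync entry in the sample is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the grants made by sudoers user entries.
# Simplified parser: one entry per line, aliases not expanded, no line
# continuations, include directives skipped.

audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, #include, blanks
    /^[ \t]*(Defaults|[A-Za-z]+_Alias|@include)/ { next }
    $1 == "root" { next }                         # the stock root entry
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)            # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)         # drop "(runas)"
        if (spec ~ /NOPASSWD[ \t]*:/)
            print NR ": " who ": NOPASSWD (no password prompt)"
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)    # drop tags such as NOPASSWD:
        n = split(spec, cmd, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            sub(/[ \t]+$/, "", c)
            # sudoers treats a path ending in / as a directory and any
            # other path as one command.
            if (c == "ALL")
                print NR ": " who ": ALL (any command)"
            else if (c ~ /\/$/)
                print NR ": " who ": DIR " c " (any file in it)"
            else
                print NR ": " who ": CMD " c
        }
    }' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample sudoers entries
root     ALL=(ALL) ALL
onichan  ALL=(ALL) ALL
onichan  ALL=/usr/sbin/, /sbin/
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
EOF

audit_sudoers "$sample"
```

Each output line starts with the line number in the file, so an `ALL` or `NOPASSWD` finding can be traced straight back to the entry that needs review.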
Me? Hate on nano? Never.
It’s just that every sudoers file I’ve ever read has the following line:
# This file MUST be edited with the ‘visudo’ command as root.
But it turns out that I’m wrong. `visudo` has the ability to invoke whatever editor you have stored in your $EDITOR variable.
From the man page:
env_editor
If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is on by default.
So you can use any editor you like. But you still *have* to use the `visudo` command.
So …
export EDITOR=nano
sudo visudo
nano works fine. However, I have it on good authority that every time someone uses emacs, a puppy somewhere gets shot. Harsh. But true.
Billy: Are you hating on nano? ;-) I bet if I said to edit it with emacs a war would start.
Oh no! You *have* to edit sudoers with `visudo` and nothing else!! sudo visudo
You have to learn some basic vi keystrokes, but that’s better than fubar’ing sudoers!