Give users specific access with sudo

Jack Wallen
Jun 24, 2009
Updated • Dec 28, 2012

If you're new to Linux, chances are you know about Ubuntu. Ubuntu has done a great job of making a Linux distribution that is friendly to new users. One of the ways they have done this is by making the root user (the super user) somewhat transparent. The user cannot log in as the root user on an Ubuntu system (unless they have made it so) and the user has to use the sudo utility in order to run administrative tasks.

Now as an administrator of a Linux system, the sudo utility is a great way to manage user permissions with regards to access (especially with regard to applications). Say, for example, you have a specific executable file placed in /usr/sbin that you want your standard users to be able to use along with the ability to use the tools in the whole /usr/bin. Or say you have one specific user on your system that you want to give full administrative access to. This can all be done with the help of sudo. Let's see how.

A quick intro

If you're not familiar with sudo, let me give you a quick synopsis. The sudo tool allows you to execute a command with the security privileges of another user. Most often, as in Ubuntu, this allows a standard user to issue commands with administrative privileges. The basic command is issued like this:

sudo COMMAND

Where COMMAND is the command you want to run. You will then be prompted for your user password. Of course you don't need to use sudo if you are running standard commands that do not require administrative privileges.

Sudo configuration

Sudo is configured with the help of a single file: /etc/sudoers. When you look at this file you will most likely be a bit hesitant to make any changes. Fortunately the changes we are going to make are fairly basic. You do have to use sudo to make changes to the sudoers file. So to open this file with the nano editor you would issue the command:

sudo nano /etc/sudoers

and then give your user password.

Add a user for all administrative privileges

To add an already existing user to this file you would add a line in the main section. This "main" section can be found by searching for the root entry which looks like:

root ALL=(ALL)     ALL

Not only is that the line you are looking for, it is also the structure of the line you will add. Let's say you want to add the user onichan to give her administrative rights with sudo. To do this the line would look like:

onichan     ALL=(ALL)     ALL

Now, there is one problem with adding a user like this. What a user can do is, effectively, gain access to the real, permanent root user and avoid all logging handled by sudo. So instead of the above, let's give onichan permission to execute commands in specific directories. We'll give her permission to run commands in the following:

  • /usr/sbin/
  • /sbin

This entry will look like:

# A trailing / marks a directory: any command directly inside it is allowed
onichan ALL=/usr/sbin/, /sbin/

Now user onichan can execute commands in both /usr/sbin and /sbin using sudo and giving her user password.
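
To review what entries like these actually grant, the following added example (not code from the original article or from the sudo project) parses simple user specifications and labels each command as an unrestricted grant, a directory grant, or a single command. The sample entries and the user "svc" are constructed, and the parser is a simplification that assumes no aliases, line continuations, or escaped commas. It relies on the sudoers rule that a directory grant must end in "/".

```python
import os
import re

# Constructed sample (not from a real system): the entry shapes discussed in
# the article, plus one NOPASSWD entry for a hypothetical user "svc".
SAMPLE_SUDOERS = """\
root     ALL=(ALL)     ALL
onichan  ALL=(ALL)     ALL
onichan  ALL=/usr/sbin/, /sbin
svc      ALL=(root) NOPASSWD: /usr/sbin/service
"""

# user host = [(runas)] [TAG:] command[, command ...]
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")

def audit_sudoers(text, is_dir=os.path.isdir):
    """Return (user, path, kind, notes) for each command in simple user specs."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments (simplified)
        m = SPEC.match(line)
        if not m or m["user"].endswith("_Alias") or m["user"].startswith("Defaults"):
            continue
        nopasswd = False                      # a tag carries over to later commands
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            while (t := TAG.match(cmd)):      # peel off leading TAG: prefixes
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            path = cmd.split()[0] if cmd else ""
            notes = []
            if path == "ALL":
                kind = "all"
                notes.append("unrestricted: any command")
            elif path.endswith("/"):
                kind = "directory"            # every file directly in that directory
            else:
                kind = "command"
                if is_dir(path):              # probably meant as a directory grant
                    notes.append("directory without trailing '/'")
            if nopasswd:
                notes.append("NOPASSWD")
            findings.append((m["user"], path, kind, notes))
    return findings

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

Running `visudo -c` after any edit confirms that the real file still parses; this script only helps with reading what the entries allow.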

Final thoughts

This only skims the surface of the power of sudo. We'll cover many more aspects of this outstanding administrative tool in later articles. But at least now you can see how sudo works and how to add users. There are other aspects of sudo that I do not recommend employing (such as the NOPASSWD feature), but every system has unique needs.


Comments

  1. thebillywayne said on June 25, 2009 at 2:16 pm

    Me? Hate on nano? Never.

    It’s just that every sudoers file I’ve ever read has the following line:
    # This file MUST be edited with the ‘visudo’ command as root.

    But it turns out that I’m wrong. `visudo` has the ability to invoke whatever editor you have stored in your $EDITOR variable.

    from the man page,

    env_editor
    If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value specified in editor. This flag is on by default.

    So you can use any editor you like. But you still *have* to use the `visudo` command.

    So …

    export EDITOR=nano
    sudo visudo

    nano works fine. However, I have it on good authority that every time someone uses emacs, a puppy somewhere gets shot. Harsh. But true.

  2. Jack Wallen said on June 24, 2009 at 11:35 pm

    Billy: Are you hating on nano? ;-) I bet if I said to edit it with emacs a war would start.

  3. Billy Wayne said on June 24, 2009 at 11:23 pm

    Oh no! You *have* to edit sudoers with `visudo` and nothing else!! sudo visudo

    you have to learn some basic vi keystrokes but that’s better than fubar’ing sudoers!
