Using sudo, a regular user can execute commands as root, provided a sysadmin has allowed them to run those commands.
Apart from executing commands as root, a user can also execute a command as any other user, if they have been given permission to do so.
This article explains how to use the sudo command from an end user's point of view.
1. Basic Usage
In the following example, the sysadmin has allowed user john to restart the apache server.
Now john can restart apache from his own account by typing “sudo” followed by the restart command, as shown below. Before running it, sudo prompts for john's own password (not root's) and then executes the command as root.
$ sudo /sbin/service httpd restart
[sudo] password for john:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Note: The sysadmin has allowed john to do this by adding the following entry to the /etc/sudoers file.
john ALL=/sbin/service httpd restart
2. Clear sudo Credential Cache
When john runs the command again right away, sudo does not ask for his password a second time: the credential is cached and reused for a few minutes until it expires.
$ sudo /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
However, john can invalidate the sudo credential cache using the -k option as shown below.
$ sudo -k
Once the credential cache is cleared, the next sudo command john runs asks for his password again.
$ sudo /sbin/service httpd restart
[sudo] password for john:
Note: John can also use -K (sure kill). The -K option is similar to -k, but it removes the cached credential entirely instead of just invalidating it.
$ sudo -K
3. View Allowed Commands
Instead of asking the sysadmin which root commands he is allowed to execute, john can find out himself using “sudo -l” as shown below.
$ sudo -l
Matching Defaults entries for john on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User john may run the following commands on this host:
    (root) /sbin/service httpd restart
    (oracle) /home/oracle/bin/backup prod-db
    (root) /home/oracle/bin/backup dev-db
If there are a lot of entries, the long listing produced by “sudo -ll” is easier to read, as shown below.
$ sudo -ll
Sudoers entry:
    RunAsUsers: root
    Commands:
        /sbin/service httpd restart

Sudoers entry:
    RunAsUsers: oracle
    Commands:
        /home/oracle/bin/backup prod-db

Sudoers entry:
    RunAsUsers: oracle
    Commands:
        NOPASSWD: /home/oracle/bin/backup dev-db
Also, as root, you can find out which commands a given user may run by combining the -U and -l options. The following command displays all the commands that user ramesh can execute.
# sudo -U ramesh -l
Note: If john tries the same thing, he gets the error message shown below, as he is not allowed to list other users' sudo privileges.
$ sudo -U ramesh -l
Sorry, user john is not allowed to execute 'list' as ramesh on dev-db.
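The “sudo -ll” listing is the one a user (or an auditor looking over a saved listing) should review to see which commands run as which user and which need no password at all. The following shell script is an added example, not part of the original article: it parses that listing into one line per command and pulls out the NOPASSWD entries. The sample listing is constructed to match the entries shown above; its last entry uses the “Options: !authenticate” form that newer sudo versions print instead of a NOPASSWD: tag, and its command (an httpd status check) is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: a small parser for the
# "sudo -ll" listing, so a user (or an auditor reviewing a saved listing) can
# see at a glance which commands run as which user and which need no password.
# The sample listing below is constructed to match the entries in the article;
# the last entry uses the "Options: !authenticate" form that newer sudo
# versions print instead of a NOPASSWD: tag, and its command is made up.

SAMPLE_SUDO_LL='Sudoers entry:
    RunAsUsers: root
    Commands:
        /sbin/service httpd restart

Sudoers entry:
    RunAsUsers: oracle
    Commands:
        /home/oracle/bin/backup prod-db

Sudoers entry:
    RunAsUsers: oracle
    Commands:
        NOPASSWD: /home/oracle/bin/backup dev-db

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
        /sbin/service httpd status'

# summarize_sudo_ll: read "sudo -ll" output on stdin and print one
# tab-separated line per command:  <run-as user>  <PASSWD|NOPASSWD>  <command>
summarize_sudo_ll() {
    awk '
        /^Sudoers entry:/      { runas = "?"; nopass = 0; incmds = 0; next }
        /^[ \t]*RunAsUsers:/   { sub(/^[ \t]*RunAsUsers:[ \t]*/, ""); runas = $0; next }
        /^[ \t]*Options:/ && /!authenticate/ { nopass = 1; next }
        /^[ \t]*Commands:/     { incmds = 1; next }
        incmds && NF > 0 {
            cmd = $0
            sub(/^[ \t]+/, "", cmd)
            tag = nopass ? "NOPASSWD" : "PASSWD"
            # older sudo versions print the tag in front of the command itself
            if (sub(/^NOPASSWD:[ \t]*/, "", cmd)) tag = "NOPASSWD"
            else if (sub(/^PASSWD:[ \t]*/, "", cmd)) tag = "PASSWD"
            printf "%s\t%s\t%s\n", runas, tag, cmd
        }
    '
}

# nopasswd_commands: the commands that run without a password prompt, one per
# line. These deserve the first look in a review, because any unattended
# script running as this user can invoke them without anyone typing a password.
nopasswd_commands() {
    summarize_sudo_ll | awk -F '\t' '$2 == "NOPASSWD" { print $3 }'
}

# Usage on a live system:   sudo -ll | summarize_sudo_ll
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SUDO_LL" | summarize_sudo_ll
```

On a real host, pipe the live listing through the function (`sudo -ll | summarize_sudo_ll`); the parser only reads the text, so it can equally be run over a listing saved from another machine.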
4. Don’t Prompt for Sudo Password
Use the -n option, as shown below, to run a command without prompting for a password. -n stands for non-interactive. This is helpful when john wants to run sudo commands as background jobs (or in a shell script), where a password prompt would hang the job. Note that -n does not bypass the password: if sudo would need one (for example, because the cached credential has expired and the entry is not NOPASSWD), it exits with an error instead of prompting.
$ sudo -n /sbin/service httpd restart
5. Validate sudo Credential
John can refresh his cached sudo credential using the -v option (-v stands for validate). This is helpful after his password is changed, or when he wants to extend the sudo timeout. The default timeout is 5 minutes.
$ sudo -v
[sudo] password for john:
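Sections 4 and 5 combine naturally in a script: validate the credential once with “sudo -v” (the only interactive prompt), keep it alive for a long job, and run every privileged step with “sudo -n” so that a missing or expired credential fails fast instead of leaving the script stuck at a prompt. The script below is an added example and not from the original article; the httpd restart command is the article's, while the SUDO variable and the function names are this example's own, introduced so the functions can be exercised with a stand-in sudo.

```shell
#!/bin/sh
# Added example, not from the original article: running privileged steps from
# a shell script without ever blocking on a password prompt.
# Pattern: refresh the cached credential once with "sudo -v" (the one
# interactive prompt), keep it alive for long jobs, then run each privileged
# step with "sudo -n" so a missing or expired credential fails fast instead of
# hanging the job. The httpd restart command is the article's; the SUDO
# variable and the function names are this example's own, added so the
# functions can be exercised with a stand-in sudo.

SUDO=${SUDO:-sudo}

# have_sudo_credential: 0 if a privileged command would run right now without
# a prompt, 1 otherwise. With -n, sudo prints "sudo: a password is required"
# and exits non-zero rather than asking.
have_sudo_credential() {
    "$SUDO" -n true >/dev/null 2>&1
}

# run_privileged CMD...: run CMD under "sudo -n". Returns CMD's exit status,
# or 1 with a clear message when no cached credential exists.
run_privileged() {
    if ! have_sudo_credential; then
        echo "run_privileged: no cached sudo credential; run 'sudo -v' first" >&2
        return 1
    fi
    "$SUDO" -n "$@"
}

# keep_sudo_alive: re-validate every 60 seconds in the background so a job
# longer than the timeout (5 minutes by default) does not lose the credential
# half-way through. The loop stops when this script exits or validation fails.
keep_sudo_alive() {
    while kill -0 "$$" 2>/dev/null; do
        "$SUDO" -n -v 2>/dev/null || break
        sleep 60
    done &
}

main() {
    "$SUDO" -v || exit 1           # one interactive prompt, up front
    keep_sudo_alive
    run_privileged /sbin/service httpd restart
}

# Set RUN_EXAMPLE=1 to run end to end; left off so the file can be sourced.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `RUN_EXAMPLE=1 sh script.sh` on a host where the sudoers entry exists; the only prompt is the initial “sudo -v”, and a later step that finds no credential reports the problem and returns 1 instead of waiting on a terminal nobody is watching.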
6. Your Own Sudo Prompt
You can also display your own sudo prompt using -p followed by a format string, as shown below. Quote the format string so the shell does not treat the brackets as a glob pattern.
$ sudo -p '[%p@%H:%U]' /sbin/service httpd restart
[john@dev-db:root]
The following are allowed format options for -p:
- %H Host name (with the domain name, if the fqdn option is set)
- %h Local host name without the domain name
- %p Name of the user whose password is being requested
- %U Login name of the user the command will run as (usually root)
- %u Invoking user's login name
- %% A literal % character
7. Execute as Another User or Group
Apart from executing commands as root, john can execute a command as a different user.
The following runs the oracle backup script as the ‘oracle’ user.
$ sudo -u oracle /home/oracle/bin/backup prod-db
[sudo] password for john:
The following runs the given command with the primary group set to the given group (i.e. dba).
$ sudo -g dba /home/oracle/bin/startup prod-db