sudo

SuperUser DO

What is sudo

The sudo command in Unix-like operating systems is a powerful tool that allows a permitted user to execute commands with the security privileges of another user, by default the superuser (root). This command is essential for performing administrative tasks without needing to log in as the root user, which enhances system security by limiting the exposure of the root account. By using sudo, users can run specific commands that require higher privileges while maintaining their standard user environment.

One of the key features of sudo is its ability to enforce a robust security policy, which is configured through the /etc/sudoers file. This file specifies which users have permission to use sudo and what commands they can run. The sudoers file can be edited using the visudo command, which checks for syntax errors to prevent misconfiguration. This granular control ensures that users only have access to the commands necessary for their role, reducing the risk of unauthorized access or accidental system changes.

Using sudo also improves traceability and accountability in system administration. Each use of sudo is logged, recording the user who executed the command, the time it was executed, and the command that was run. This logging feature is crucial for auditing and tracking changes made to the system, helping administrators monitor activity and identify potential security issues. Overall, sudo is an indispensable tool for maintaining the balance between user convenience and system security in Unix-like operating systems.
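
The logging described above, as an added example that is not part of the original page: a small shell function that pulls the time, user, run-as user and command out of sudo's syslog lines and separates failed attempts from successful ones. The function names, host name and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sudo log lines as time|user|run-as|status|command.
# On Debian-family systems these lines usually land in /var/log/auth.log.

summarize_sudo_log() {
    awk '
    index($0, " sudo: ") && index($0, "COMMAND=") {
        when = $1 " " $2 " " $3
        rec = substr($0, index($0, " sudo: ") + 7)
        sub(/^[ \t]+/, "", rec)
        # Text before the first " ; " holds the user and, on failure, the reason.
        head = substr(rec, 1, index(rec, " ; ") - 1)
        user = head; sub(/[ \t]+:.*$/, "", user)
        status = "ok"
        if (head ~ /user NOT in sudoers/) status = "denied"
        else if (head ~ /incorrect password attempt/) status = "authfail"
        runas = substr(rec, index(rec, "; USER=") + 7)
        sub(/ ;.*$/, "", runas)
        # Everything after COMMAND= is the command, even if it contains " ; ".
        cmd = substr(rec, index(rec, "COMMAND=") + 8)
        print when "|" user "|" runas "|" status "|" cmd
    }'
}

# Constructed sample lines in the syslog format sudo writes.
sample_log() {
    cat <<'EOF'
Jan 12 10:15:01 web01 sudo:     hero : TTY=pts/0 ; PWD=/home/hero ; USER=root ; COMMAND=/usr/bin/apt update
Jan 12 10:16:40 web01 sudo:    peter : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/peter ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 12 10:17:05 web01 sudo:     hero : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/hero ; USER=root ; COMMAND=/usr/sbin/visudo
Jan 12 10:17:09 web01 sshd[812]: Accepted publickey for hero from 192.0.2.10 port 50022 ssh2
EOF
}

# Show only the attempts that did not succeed.
failed_sudo() {
    summarize_sudo_log | awk -F'|' '$4 != "ok"'
}

sample_log | failed_sudo
```

To run it against a real log, replace sample_log with cat of the log file.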

P.S. The command su allows a user to switch to another user account within the shell session. It stands for substitute user. By default, su switches to the root user when no username is specified.
Switch to root (some Linux distributions have disabled the root account)
su -
Switch to user hero
su - hero

How to install sudo

Usually it is installed by default, but if it is not:

Install the package (must be logged in as root, usually)
apt install sudo
Verify sudo is installed
sudo -V

Let's say you want to add the user hero to the sudo group. There are two ways of achieving this.
Caution: the sudo group name might not be sudo (although that is the most common). Determine it with the procedure in the Commands section on this page, which checks the file /etc/sudoers.
1. The easiest
usermod -aG sudo hero
OR
2. Advanced, edit the /etc/sudoers file
a) Open the file
sudo visudo
b) Add the line in file
hero ALL=(ALL:ALL) ALL
3. Group membership does NOT always take effect until logout and login. A reboot could also solve this problem…

Terminology and Concepts

  1. Superuser (Root)
    • The superuser, often referred to as root, is the user account in Unix-like operating systems with the highest level of access privileges. The root user can perform any administrative task on the system.
  2. Privileges
    • Refers to the rights granted to users to perform certain actions on the system. sudo allows regular users to execute commands with elevated privileges.
  3. Authentication
    • The process by which a user proves their identity. When using sudo, users authenticate by providing their own password, not the root password.
  4. Authorization
    • The process of determining whether a user has permission to execute a certain command. sudo checks the /etc/sudoers file to determine if a user is authorized to use sudo for a specific command.
  5. /etc/sudoers
    • The configuration file that defines which users have sudo privileges and what commands they can run. This file should be edited using the visudo command to prevent syntax errors.
  6. visudo
    • A command used to safely edit the /etc/sudoers file. It locks the file and checks for syntax errors before saving changes, helping to prevent misconfigurations.
  7. Command Logging
    • sudo logs each command executed with it, recording details like the user who ran the command, the command itself, and the timestamp. This logging is crucial for auditing and tracking administrative actions.
  8. NOPASSWD
    • An option in the /etc/sudoers file that allows specified commands to be run without prompting the user for a password. This can be used for specific commands where password prompting is not practical.
  9. Defaults
    • A keyword in the /etc/sudoers file that sets default options for sudo behavior. For example, Defaults logfile=/var/log/sudo.log specifies a custom log file for sudo actions.
  10. Alias
    • Allows the creation of shortcuts for groups of commands or users in the /etc/sudoers file, making it easier to manage permissions. For example, Cmnd_Alias defines a group of commands.
  11. Host-Based Access Control
    • sudo can be configured to allow or deny access based on the host from which the command is run. This is useful in environments with multiple servers.
  12. Timestamp
    • When a user runs a command with sudo, a timestamp is recorded. For a certain period (usually 5 minutes by default), the user will not be prompted for a password again, making it more convenient to run multiple commands in succession.
  13. Lecture
    • A brief message displayed to users when they first use sudo. It can be customized in the /etc/sudoers file and is used to remind users of their responsibilities when using sudo.
  14. Sudo Group
    • A user group, often named sudo or wheel, whose members are granted sudo privileges. Adding a user to this group allows them to run sudo commands.
  15. Command Restriction
    • Specific commands can be allowed or denied for users or groups in the /etc/sudoers file. This fine-grained control helps improve security by limiting the scope of what users can do with sudo.

Commands

Some commonly used sudo commands

Find out which group is the sudo group. Some distros have different group names, i.e. from most common to least common: sudo, wheel, admin, root
su -
cat /etc/sudoers
The row will be something like
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
and the name after the percent sign is the sudo group name

Display which group(s) the user hero is a member of (as root)
groups hero

Add the user peter to the sudo group
usermod -aG sudo peter

List the privileges granted to the invoking user
sudo -l

Configuration

The main configuration file for sudo is
/etc/sudoers

Usually you want a user to have access like the root account. In the file
/etc/sudoers
you will find a line like
root ALL=(ALL:ALL) ALL
and
%sudo ALL=(ALL:ALL) ALL

Adding a line of the same form for the user hero lets hero execute all commands.

Each column is explained as
USER HOST=(RUN_AS_USER:RUN_AS_GROUP) COMMANDS
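
The column layout above, applied to a whole file: an added example (not part of the original page) that splits each rule into those columns and flags rules that grant every command or skip the password prompt. The function names and the sample sudoers text are constructed for illustration; only simple one-line rules are handled.

```shell
#!/bin/sh
# Added example: split simple one-line sudoers rules into the columns
# USER HOST=(RUN_AS_USER:RUN_AS_GROUP) COMMANDS and flag broad grants.
# Aliases, include directives and line continuations are not handled.

audit_sudoers() {
    # stdin: sudoers text; stdout: user|host|runas|commands|flags
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, includes, blanks
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings, not user rules
    {
        line = $0; sub(/^[ \t]+/, "", line)
        user = line; sub(/[ \t].*$/, "", user)
        rest = line; sub(/^[^ \t]+[ \t]+/, "", rest)
        eq = index(rest, "=")
        if (eq == 0) next
        host = substr(rest, 1, eq - 1); gsub(/[ \t]/, "", host)
        cmds = substr(rest, eq + 1); sub(/^[ \t]+/, "", cmds)
        runas = "root"                             # default when the run-as part is omitted
        if (substr(cmds, 1, 1) == "(") {
            rp = index(cmds, ")")
            runas = substr(cmds, 2, rp - 2)
            cmds = substr(cmds, rp + 1); sub(/^[ \t]+/, "", cmds)
        }
        flags = ""
        if (cmds ~ /NOPASSWD:/) flags = "NOPASSWD"
        list = cmds; gsub(/[A-Z_]+:[ \t]*/, "", list)   # drop tags like NOPASSWD:
        n = split(list, item, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", item[i])
            if (item[i] == "ALL") { flags = flags (flags != "" ? "," : "") "ALL_COMMANDS"; break }
        }
        print user "|" host "|" runas "|" cmds "|" (flags != "" ? flags : "-")
    }'
}

# Constructed sample, not taken from a real system.
sample_sudoers() {
    cat <<'EOF'
# Allow members of group sudo to execute any command
Defaults logfile=/var/log/sudo.log
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
hero ALL=(ALL:ALL) ALL
peter ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

sample_sudoers | audit_sudoers
```

Rules flagged ALL_COMMANDS give full root-equivalent access, so the users and groups on those lines are the ones to review first.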