8.5. Using sudo to Delegate Privilege
Sometimes it's useful to delegate superuser privilege to a Fedora user; however, giving him the superuser password gives him total control of the system. The sudo system enables superuser privilege to be delegated on a program-by-program basis.
8.5.1. How Do I Do That?
There are two parts to sudo: the /etc/sudoers file, which controls who can do what, and the sudo command, which enables authorized users to run commands with superuser privilege.
To configure /etc/sudoers, use the visudo utility, which will start vi so that you can edit the file. When you are done, it checks the syntax before installing it. If there is a syntax error, visudo will prompt you for a course of action; to see the available options, enter a question mark:
# visudo >>> sudoers file: syntax error, line 17 <<< What now? ? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!) What now? x
This entry contains the username, the computers (in this case, ALL) on which this user can execute this command (useful if the sudoers file is shared among several machines, either through a file-sharing protocol or by copying the file), and a list of commands that may be executed as root.
chris@bluesky$ sudo netstat -ap Password: bigsecret Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 *:sunrpc *:* LISTEN 1488/portmap tcp 0 0 laptop3:smtp *:* LISTEN 1724/sendmail tcp 0 0 laptop3:x11-ssh-offset *:* LISTEN 20494/2 tcp 0 0 *:42365 *:* LISTEN 507/rpc.statd tcp 0 0 *:http *:* LISTEN 21393/httpd ...(Lines snipped)...
$ sudo /sbin/ifconfig eth2 down
The full pathname of the command (/sbin/ifconfig) is required because /sbin is not in the user's normal search path.
This time, no password is requested because it's been less than five minutes since the last time sudo asked for the user's password. To disable the password request entirely, add the keyword NOPASSWD: after the equal sign in the sudoers entry:
By default, sudo enables the execution of the listed commands as root; to enable execution as another user, place that user's name in parentheses after the equal sign in the configuration entry. For example, to permit chris to run the script /usr/local/bin/checkstatus as the user scott:
chris ALL=(scott) NOPASSWD:/usr/local/bin/checkstatus
chris can then use sudo with the -u option to specify the desired user ID:
$ sudo -u scott checkstatus
User_Alias ADMINS=sally,harry,jason Host_Alias ADMINDESKTOPS=yellow.fedorabook.com,orange.fedorabook.com Cmnd_Alias NETCONFIG=ifconfig,route ADMINS ADMINDESKTOPS=NETCONFIG
8.5.2. How Does It Work?
$ ls -l /usr/bin/sudo ---s--x--x 2 root root 106832 Feb 12 04:41 /usr/bin/sudo
Since this bit is set and the file is owned by root, it executes with root's privilege.
sudo checks the /sbin/sudoers file to determine if and how it should run the requested command. It requests a password if necessary, and then either denies execution or changes the effective user ID to the specified value (or leaves it as root) and executes the requested command.
When the user is prompted forand successfully entersher password, sudo updates a timestamp file in /var/run/sudo. The next time sudo is executed, the timestamp is checked, and if it is less than five minutes old, the user is not prompted for her password again. The timestamp is then updated.
The value of sudo lies in the ability to permit a user to execute specific commands with privilege. However, it's easy to accidentally misconfigure sudo to permit more access than intended.
For example, if you wish to permit frank to view text files owned by jenny, you could create the sudoers entry:
frank ALL=(jenny) NOPASSWD:/usr/bin/less
frank$ sudo -u jenny less /home/jenny/.bash_profile ...(Normal output of less)... ! $ id uid=508(jenny) gid=508(jenny) groups=508(jenny) $ mail -s firstname.lastname@example.org Subject: I Quit I quit because you are a hateful, mean boss. -Jenny . Cc: Enter $ rm -rf /home/jenny/* $ exit ...(Normal output of less)...
It can be useful to configure sudo for ALL commands for users that already have the root password because it encourages good practice, especially when used without the NOPASSWD option. The benefits of this configuration are:
8.5.3. What About...
220.127.116.11. ...changing the password timeout?
By default, sudo won't prompt the user for their password as long as they have entered it successfully in the last five minutes. To change this value, add this entry to the top of the /etc/sudoers file:
The value for this timeout is expressed in minutes.
18.104.22.168. ...voluntarily giving up the password timestamp?
$ sudo -k
This is useful if the terminal will be unattended for a while.
22.214.171.124. ...disabling the root password entirely (like a Debian or Ubuntu system)?
The Fedora community has discussed this idea and ultimately opted to keep a root password. Fedora's consolehelper PAM configuration relies on a root password, and using a root password can in some cases provide one additional obstacle to gaining superuser access.
8.5.4. Where Can I Learn More?