Linux – sudo file

linux

The sudo command allows you to run programs with the security privileges of another user. Usually it is used to run a command as the superuser (root).

The configuration files are :

  • /etc/sudoers
  • /etc/sudoers.d/*

Instead of editing these files directly, the visudo tool is normally used, since it checks the syntax before saving.

[root@centos9vm ~]# visudo

In the editor that opens, add the line below to grant the user shiju sudo privileges.

shiju  ALL=(ALL)       ALL

With this entry, the user shiju can run any command that root can run by prefixing it with sudo.

[shiju@centos9vm ~]$ useradd sam
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.

[shiju@centos9vm ~]$ sudo useradd sam
[sudo] password for shiju:
[shiju@centos9vm ~]$

Now let us remove the line “shiju  ALL=(ALL)       ALL” using the editor visudo. Once done, the user shiju will no longer be able to run commands that only root can run.

[shiju@centos9vm ~]$ sudo useradd sam1
[sudo] password for shiju:
shiju is not in the sudoers file. This incident will be reported.
[shiju@centos9vm ~]$

Let us add the line below to sudoers using visudo and check the result.

shiju   ALL=(ALL)       /usr/bin/cat /var/log/httpd/error_log

Now run the commands below and verify the result.

[shiju@centos9vm ~]$ sudo /usr/bin/cat /var/log/httpd/error_log
[sudo] password for shiju:
[Mon Feb 12 11:20:49.358785 2024] [core:notice] [pid 1858:tid 1858] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0

[shiju@centos9vm ~]$ sudo /usr/bin/cat /var/log/httpd/access_log
Sorry, user shiju is not allowed to execute ‘/usr/bin/cat /var/log/httpd/access_log’ as root on centos9vm.
[shiju@centos9vm ~]$

Adding the line below to the sudoers file via visudo means the system will not ask for a password when shiju uses sudo.

shiju   ALL=(ALL)       NOPASSWD:ALL

Let us execute the command used above again and see the difference.

[root@centos9vm ~]# sudo cat /var/log/httpd/error_log
[Mon Feb 12 11:20:49.358785 2024] [core:notice] [pid 1858:tid 1858] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[root@centos9vm ~]#

All these changes are written to /etc/sudoers by visudo. However, one could also place similar entries in a file under /etc/sudoers.d/, and those entries are read as well when sudo loads its configuration.
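As an added example (not part of the original post), a small POSIX shell audit that classifies sudoers user specifications like the ones shown above (the scoped cat entry, ALL=(ALL) ALL, and NOPASSWD:ALL) so the risky ones stand out; the sudoers file it reads is constructed inside the script, not taken from a real host.

```shell
#!/bin/sh
# Added example: classify sudoers user specs like the ones discussed above.
# The sample file below is constructed here; it is not a real /etc/sudoers.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample
Defaults    requiretty
root    ALL=(ALL)       ALL
shiju   ALL=(ALL)       /usr/bin/cat /var/log/httpd/error_log
sam     ALL=(ALL)       NOPASSWD:ALL
%wheel  ALL=(ALL)       ALL
EOF

# classify_spec LINE: prints "<user> <class>" for a user specification,
# nothing for blank, comment or Defaults lines. Classes:
#   unrestricted      -> ALL=(ALL) ALL       (any command, password asked)
#   passwordless-all  -> NOPASSWD:ALL        (any command, no password)
#   passwordless      -> NOPASSWD:<command>  (listed commands, no password)
#   scoped            -> <command list>      (listed commands, password asked)
classify_spec() {
    line=$1
    case $line in ''|\#*|Defaults*) return 0 ;; esac
    user=${line%%[[:space:]]*}
    cmd=${line#*=}                       # strip "user host=" prefix
    cmd=${cmd#*\)}                       # strip optional "(runas)" part
    cmd=${cmd#"${cmd%%[![:space:]]*}"}   # trim leading whitespace
    case $cmd in
        NOPASSWD:ALL|NOPASSWD:[[:space:]]*ALL) echo "$user passwordless-all" ;;
        NOPASSWD:*)                            echo "$user passwordless" ;;
        ALL)                                   echo "$user unrestricted" ;;
        *)                                     echo "$user scoped" ;;
    esac
}

# audit_sudoers FILE: one finding per user spec in FILE.
audit_sudoers() {
    while IFS= read -r line; do classify_spec "$line"; done < "$1"
}

# count_risk FILE CLASS: number of specs in FILE with the given class.
count_risk() {
    audit_sudoers "$1" | grep -c " $2\$" || true
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Point audit_sudoers at /etc/sudoers and each file under /etc/sudoers.d/ to review a real host; it only reads the files and changes nothing.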