How to Configure “SUDO” access for users in Linux?

SUDO stands for "Super User Do". When a normal user needs root privileges, he can obtain them through the sudo mechanism. Sudo is a good way to get root privileges. The other way to get root privileges is the su (switch user) command, but for that you need the root user's password, and sharing the root password with others is not always safe. After logging in with su you get the # prompt, which shows that you are logged in as the root user. If you enter a dangerous command at that prompt, the server can face critical issues: you can erase the entire hard disk, change the default partition layout, and much more, all of which lead to many problems.

But when we give root privileges via sudo, the user has to run admin commands with sudo permission only, as follows: $sudo <full path of the command to be run>. This works in a safe way.

Sudo configuration file:
file path=/etc/sudoers

Once you have decided to give root privileges to non-root users, you have to add their names to this file together with the permission you allow (full or partial access). Whenever the user runs an admin command, sudo checks for the username inside this file; if the name exists, the user authentication succeeds and he is allowed to execute the command. This is how the sudo mechanism works.

If you remove the user from this file, the user no longer has root privileges and cannot obtain them via sudo. Now let us configure sudo access for a user.

Ex:1 How to Configure Sudo access(Full privileges) for a user:

Open the file with your preferred editor. I always use vi to edit files. We can also open this configuration file by using the command “visudo”.

#vi  /etc/sudoers

<add the username to whom you are going to give sudo access>

Below the root user's entry, add the non-root user's privileges:

vasanth ALL=(ALL) ALL

This means full privileges (the user can execute all the admin commands).

Now we have successfully added a user john inside the sudo configuration file. Let us see how the user gains the root privileges.

Note: Vasanth should have a valid password before he executes commands via sudo.

Now let us log in as Vasanth and run an admin command:

#su - vasanth

$pwd

$reboot
Sample output: Must be Superuser

Run the command via sudo:

$sudo  /sbin/fdisk -l

Note: Always give the full path of the command, otherwise you will get the error message "command not found", as users are accessing the commands via sudo temporarily. (Bash will not read the full path of the command automatically from $PATH unless you are a root user.)

After you execute it, sudo asks for john's password for authentication. Once you have submitted the password, it checks the username inside the sudoers file, and if the user matches, it allows the command to run.

From the above output, the user Vasanth gained root privileges via sudo successfully.

Ex:2 Give access to a non-root user to run certain commands via sudo

In our previous example we gave full privileges to run admin commands. In this example, the non-root user is allowed to run only certain commands, which are defined in the sudoers file. Let us see how to do this.

#vi /etc/sudoers

<add the username and mention the full path of each command the user is allowed to run>

From now on, the user Vasanth is allowed to run only the fdisk and partprobe commands via sudo. If he tries to run some other command via sudo, it will not be allowed. Let us see this in practice below:

#su - vasanth
$sudo reboot

Here you will get the permission denied or command not found messages.

$sudo /sbin/fdisk -l

$sudo /sbin/partprobe

As you can see from the above output, the user Vasanth is only allowed to run two commands via sudo.

If the user Vasanth tries to run any other command with sudo, he will get a permission denied or command not found WARNING message.

From the above output, the user Vasanth tried to run the reboot command via sudo, which is not added to the sudoers file for Vasanth, so he received a warning message.
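The sudoers entry for Ex:2 is not shown above. The following is an added example, not the author's code: it builds an entry in the same form as the Ex:1 line but with a command list, and installs it only after "visudo -cf" accepts it. It assumes the main sudoers file includes /etc/sudoers.d; make_rule and install_rule are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original article).

# make_rule USER CMD...  -> prints "USER ALL=(ALL) CMD, CMD"
# Refuses any command that is not given as a full path (so also a bare "ALL").
make_rule() {
    [ $# -ge 2 ] || { echo "usage: make_rule USER CMD..." >&2; return 1; }
    user=$1; shift
    list=
    for cmd in "$@"; do
        case $cmd in
            /*) ;;                                        # full path: accepted
            *)  echo "not a full path: $cmd" >&2; return 1 ;;
        esac
        list=${list:+$list, }$cmd                         # comma-separated list
    done
    printf '%s ALL=(ALL) %s\n' "$user" "$list"
}

# install_rule USER CMD...   (run as root)
# Stages the rule in a temp file, syntax-checks it with "visudo -cf", and only
# then copies it to /etc/sudoers.d/USER with mode 0440. A rule with a syntax
# error never reaches the live configuration.
# Note: sudo skips files in /etc/sudoers.d whose names contain "." or end in "~".
install_rule() {
    user=$1
    tmp=$(mktemp) || return 1
    if make_rule "$@" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$user"
        rc=$?
    else
        echo "rule rejected, nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage for this example (as root):
#   install_rule vasanth /sbin/fdisk /sbin/partprobe
```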

Ex:3 How to allow a user to run the command without providing his password.

In our last two examples, every time the user runs a command via sudo, it prompts the user to enter his/her password to verify the user in the sudoers and /etc/shadow files.

If you want the user to run the command via sudo without supplying the password, we need to put additional entries inside the sudoers file. Let me show you how to configure this.

#visudo

vasanth ALL=(ALL) NOPASSWD: <FULL PATH  TO COMMAND>

save and exit

Now ask the non-root user to check:

#su - nirmal
$sudo /sbin/fdisk  -l

As you can see from the above output, it does not prompt the user to enter his password; the command is executed without the password being provided.

Note: Every time you run a command with sudo permission, you should give the full path of the command exactly as it is provided inside the sudoers file. Without the full path you will get the command not found error message.
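Full-privilege entries (Ex:1) and NOPASSWD entries (Ex:3) are the ones worth reviewing regularly. The following is an added example, not the author's code: audit_sudoers is a hypothetical helper that lists such rules in a sudoers-format file, run here against a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article).
# audit_sudoers [FILE] prints one finding per line: "<user> <finding> [command]".
# Simplification: a NOPASSWD: tag anywhere in a rule is reported for every
# command in that rule. Reads standard input when FILE is omitted.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $1 ~ /^@/ { next }   # not user rules
    {
        user = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                     # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)                  # drop the "(runas)" part
        nopass = (spec ~ /NOPASSWD:/)                      # remember the tag ...
        gsub(/[A-Z_]+:[ \t]*/, "", spec)                   # ... then strip all tags
        n = split(spec, cmd, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", cmd[i])
            if (cmd[i] == "ALL" && nopass) print user, "FULL-NOPASSWD"
            else if (cmd[i] == "ALL")      print user, "FULL"
            else if (nopass)               print user, "NOPASSWD", cmd[i]
        }
    }' "${1:--}"
}

# Constructed sample input (not taken from a real host).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
vasanth ALL=(ALL) /sbin/fdisk, /sbin/partprobe
nirmal  ALL=(ALL) NOPASSWD: /sbin/fdisk
john    ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

The restricted, password-protected rule for vasanth produces no finding; on a real system, run it as root against /etc/sudoers and each file in /etc/sudoers.d.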


About Author:

Hello readers! Let me introduce myself first. My name is Vasanth Nirmal Singh J S, having 9+ years of experience in IT on all flavours of Unix operating systems, storage and many more. I would like to share the technical experience I have come across, which can be of help to other people. So in this blog, I'll post my thoughts related to ITIS. I'll share experiences that I've had while working in different environments. You can expect content related to Unix, Solaris, Linux, EMC storage, HP-UX and many others. I hope this blog can be useful for you! Your comments will be appreciated!
