Understanding SU – Installing and Configuring SUDO

By
Don Jajo

Who is the Superuser (SU)?

The SuperUser (SU) – usually known as root in my Unix-like systems is the first user created at the installation of the Linux system. Users in Linux systems usually have their User ID, known as UID in Linux – this is the ID of each user in the system. Linux recognize user by their ID, so root is the first user which makes it bear the ID 0.

The Superuser has all the privileges in the Linux systems – can create, modify, execute and delete ANY file in the system

How to Use Superuser

It is not safe to root your system, don’t always login as root. Seen couple of friends that rooted their system, making them login as root on system boot with their Desktop Environment. This is not safe, granting all applications root access is not advisable as applications can edit some files without permission and this may damage some system files making it unable to run Linux properly.

SU Command: This command is use to log into the Superuser account in the CommandLine Interface (CLI) and then perform any actions as a Superuser.

But being in the account for a long time, you might sometimes forget to log out leaving the Superuser account logged in and someone somehow seats on your system; he has all access he needs! This is why

sudo

command was introduced.

SUDO

This is a Linux package that runs a command as another user per command and returns back to the currently logged in account. This package mainly is for running commands as root at a time but also supports running it as another user if any provided.

Installing SUDO

In most Linux Distributions, SUDO comes pre-installed, checking if SUDO is already installed:

Debian/Ubuntu:

$ dpkg -s sudo

Red Hat/CentOS:

$ rpm -qa | grep sudo

Returns the package file name or nothing as not installed

If SUDO is not installed in your system, you can install it using this:

Debian/Ubuntu

# apt-get install sudo

Red Hat/CentOS

# yum install sudo

When installation is done, you have SUDO installed successfully!

Configuring SUDO

SUDO configuration files are located at

/etc/sudoers

and

/etc/sudoers.d

. Please do not edit this files with normal text editors like

nano

or

vim

; rather use

visudo

which is a package for editing

sudoers

file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.

Before we continue, lets look at what the configuration syntax means.

orji ALL=(ALL:ALL) ALL

The configuration is a rule set for the user

orji

.
First ALL applies to all hosts
Second ALL – Can run command as all user
Third ALL – Can run command as all group
Fourth ALL – Can run all commands

This summarizes that the user

orji

can run any command as root as long as he provides his password. Pasting this in the

/etc/sudoers

gives

orji

the privilege.

Adding a Group

Similar to giving a user a permission, you can also give same permission to a group. The only thing you will do is adding

%

at the beginning of the rule.

%sshusers ALL=(ALL:ALL) ALL

Giving a User Privilege

I have a user who is

ikenna

by username and want to give root privilege, it is easy! Just add the user

ikenna

to the

sudo

group by typing:

Debian/Ubuntu:

# gpasswd -a ikenna sudo

Red Hat/CentOS

# gpasswd -a ikenna wheel

The user

ikenna

will now be able to use full root permission with

sudo

because he has been added to the

sudo

group. In CentOS, the group name for sudo users is

wheel

Giving more Complex Privileges

SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.

You create an array of users, groups or commands into a variable and they are being reference with the variable, below I will show example of giving 2 users privilege of shutting down the system only.

  • User_Alias: Use to define variable to hold users
  • Cmnd_Alias: Use to define variables to hold commands
  • Runas_Alias: Use to define variable to hold list of alias users can run
  • Host_Alias: Use to define variable of hosts users can run sudo

Before that, SUDO has  a default place permission files can be kept, which is

/etc/sudoers.d

. I will be creating a file

group1

and the content is:

User_Alias  GROUPONE = ikenna, orji

GROUPONE    ALL = /sbin/shutdown

From the above configuration, save it and you find out

ikenna

and

orji

can not run any other command with

sudo

except

shutdown

only.

You can specify file system groups too:

User_Alias  GROUPONE = %ftpgroup, orji, %sshgroup

If I want to allow multiple command, I can create a command alias too:

Cmnd_Alias  GONECOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot
GROUPONE    ALL = GONECOMMAND

Limiting Run as users

Runas_Alias GONERUNAS = www-data, apache
GROUPONE    ALL = (GONERUNAS) GONECOMMAND

Some Tricks with SUDO

  • Switching to Root: If you are given the whole permission in
    sudo

    , you could switch to root itself or any user by typing:

    $ sudo su

    Switch to the user

    donjajo
    $ sudo su donjajo
  • Run command as a user or group: 
    $ sudo -u donjajo ls /

$ sudo -g root ls /

Summary

With this post, you can understand how Superuser works and its permissions. How to use and setup SUDO package. Good luck!