SUDO / SUDOERS / VISUDO
- A Debian Linux server is used in this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWT60nCYjP7gvIZB9yB26tzJN49KFT-sBwFCcP2ey98bpQd8_jq4DVBnn6awD4ZjlzjqE80xmX4N681k7qPbuome_qv6nyG04mgZbMkqJST0F-BO0goJekNwjL588vd0uCFkkNgeJK-pQe/s320/debian.jpg)
1 - Introduction
- sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.
- It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
- However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as "substitute user do".
- Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user.
- After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command.
- The configuration file sudoers offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.
https://en.wikipedia.org/wiki/sudo
- Installing sudo (in case it is not already installed by default):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYDAJGLZSpkxJ4NAM79GW2GQRcI0Laxva_QIVIc_djx1xNE1omDpeoJaoS0mJ9E3ZH_OBS6rus9tSPwWguhkulw21LDjX6VZiz2ta4AKplhPbyfUMQQZTKAHfnXpCzFFEy-OC_-ykZwLog/s1600/screenshot.3.jpg)
- Properties of sudo:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZmWnSKMGUeP5cyCvIRVIfNV50jFFGNph4bi0l-N_n7RrZbbAy0Us6o8TeeMYq6m9L1k2pFSWSHXjVHCas_4HTFkct4cke3ufMD0z6Y1gmyvewtGNkTc1MymArC-2VhYXYY1iOIZcUvDhh/s1600/screenshot.39.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9M0vK1LHmLtO7Nhd0jjxMcnu8aGFIiKu0GSkYhyphenhyphen7zT9YKzo3QX4INK48sSIsDiHP0A_M-xXmVd2l8SmPE_4P7yhmacL-HHQX15po0Oyfurp8ju6Ai_R12qG2QJuMrYSf5XIswBB8lqtzU/s1600/screenshot.1.jpg)
- visudo is a command-line utility that allows editing the configuration file sudoers in a fail-safe manner.
- It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZPYJFGiyLBiwnNUczlCRB-wczMDnIvlqQWo1e_J7DpBHg0Pqe9I8hRmCHJZViuNs6VVtITp1WR4pK-049KO7tNzls9mv54hhXFHdtrINpBQKmgZmO-Q3QUP0gHpmbG3DokRwTSMTDmigl/s1600/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpQ6u3fEUGFbhRFP-LYhaDCsmkvBpgnCGJKbqPGukibL90iHqwK74lmMk9pa-CQf3k5pI4ks_YzAZwuVw8Ldh1bXlEi-qEinaka9JD0RD1swf572EdDQqgdjH2S46NoxSpepOkwPTZmGZy/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO_4nnX0KgMV5BOUBfUkXo5U39ogdxkIVx5Xq9l9OWdbtOrpJsdLZpZGPHDVMOI3Ov3NlRgVPNH2io_Q_KgRJQLxhY4tld19pqgSiPn-L3eMcIk3Uu0cIcxrjKzJtIldVh5Dw-75b1zdDN/s400/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2548JGiP2ktSw0PZ2hP5iThuyK6NLfin5XGyxG62LuIuW96V3op14IzsvvFZ0J1R_ZcS337VCxDv7xefl1dJlD940MChviNuCSUZ_DjFUhuDgD3hj-pI9rWD8v1krIQ6I1kk0ySOdEzVM/s1600/screenshot.7.jpg)
- On my Debian system visudo opens the nano editor by default, but this can be changed to another preferred editor:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiytmN_KyfpPoY7aavxbVFJkP6R5bu_A4rGieSIkNLdvHo4-IPjMSxvbBPhHdH7nYLR7m_Ed2U0fD8Qg9GfDi8o12E-KJ6zB6kdGh-JRYmU8r4_szZTCmX-AEKOcPIVxQ92Rod2sqrchkf/s1600/screenshot.8.jpg)
2 - Editing "sudoers" for users
- Editing sudoers and adding a configuration line for the user roch:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxSUbFuWDx8SKhCY4iQ05IzXcNVSEKn9DibhLnAK4R75zmQTZGybr7nJjcN1HoRPH7ZL2uUY-xLljf2uQqY5KUo8s32AKJsJQiiBAfKnLFhrtPcGlaE_0wVL_hnf9q-MZ_H3vxT-mFDudm/s400/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiql8ldLrMks8sqeECR74zW1rFplrCu2L6YPdvx0FB9Rm-cxK7C8rjHVv_d3qRGH3CthruF4wv-1CzkZEMVV5F9yqPqSoota8YGnCGMPOkXrM4e5Ko29uV6ilFVoKth0Y07_9MobF-5d14O/s320/screenshot.9.jpg)
- Without sudo, roch cannot run the apt-get update command:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVGTKl-GliS7LzwSjD6Sr_SH2MaSc2rc2Bf3s_wJpPtIRUD1K0BBYG1mWHsFXevFHnxnIum5_3ZUpBRgaYqMm_TrZBy-vgky0nS2fbmMgq7sCrV-hXJpXiQgiSP-BKQTpErwk88VEObOD8/s1600/screenshot.11.jpg)
- However, now with the new line added to the file sudoers, the command sudo allows roch to update the system:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSkasgDgCZg-SMyoAdZlqLLMkFNaRY2JS4AyuT5deWKGpBFw42f1ezQATAzE8qS09n3wYGinGxCz_SxWir6waE96YHC8zHj67Pt3fcoD2T5jvWIVZCajEpbdfWJk-i0hI6krXi1N2VbrNZ/s1600/screenshot.12.jpg)
- Adding another line for the user johndoe. In this example johndoe will be allowed to reload the Apache server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic7Jagy_AzX-6XQc1bqJUir89DqEQw54YLpZXfiwlQPEjj9UPRrg76ri36D9wuKxuSATE8pVHE2R-NKj1Wcsq7e-gK1-l8mzC9vBetV7DaXBLX103b8vDH8Q5g5aHN-7R5x2BSAXiDbpMt/s1600/screenshot.15.jpg)
- Going to the johndoe user account:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZhvpoN4nruETFhDdq5mUKAIyepxOy1LVxIZsJ89GTBu_6870AmwLwCVRsPX008mhew-4K5dNASnedMHmOD9fZfqr7fCvod-lozt1b4rBbdazQHCb8jJPyZFDkVO1EbAPIJJ3NKSIfh2zb/s400/screenshot.13.jpg)
- When trying to reload Apache without sudo it fails:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9OhSCJ3_OmwyzAG-B2yU3W4jhcDiUVXcDtVxUlkcN8wtm0heB4SGoHvEyt_4e1kQOljdvS5TDqzzoFQ2TSyX2CEhr66jo88vYpV1iX14VR90CXrEV5VUer-LJcxcOSFBgkVxpRlHQnSET/s1600/screenshot.14.jpg)
- Using sudo it works:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3LeLlSGaFqehXdYS3KKby5FEgzcPifZ0XqfCaJxhmGffKweIa4e5ZRAE6D2ZLWOANuSWtBK0rpubLGjCx9YsKaOw3PDEuKCOLlsqoo9D8-LQ2FLokE6Wuu8esmLjgAWHPS8hiTMXkzV57/s1600/screenshot.16.jpg)
3 - Editing "sudoers" for groups
- Creating the group team:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR3n8LmSX_l_tcrLaPOk-w47rZ2WihLKOPDmVDTVS7T326G5UKTUjwLdUsOVc0QItgvgyWxjbxo6b9a3J_2R4RC9MacdLthCRnm3MjHuqDeoHnvGUpujZ4z70a2iSmYjCLYeSXF2ruMULi/s400/screenshot.17.jpg)
- Adding the user johndoe to the group team:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtDY5LVPeCEtNk_Z9ZZdQ1ZDO1JVAg6OaXB2ysKGcZHbkrfIIM2dVSJHziPFxweq_caj34tUYLRC7fe_yJ8zhiOh8akAAaa-0K-aQLV8XbDxCOpuBtyWWjMX6wqKdT-F3TGM-7mDl-tW5P/s1600/screenshot.18.jpg)
- Checking that the group team has been correctly created:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQEQhheBB9cqNPQYNFkl7BwuNTdIDVsPTWLW4LqSTx6peEH8ceocZJHD17tglGznvrdk-SkrJvSyfwHeMM90eJ-msWr2AsnotyTgeDMdewCmS6EucS8lFhly4ZqjvD6GQ1Yl6d0a2AGt1A/s320/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixksT-ABZX0EYhtUNUHEWYnAOlhs0I2gz0gc08wHbdWFm6vHTN4_sFBBkBwBwnHr-TIiJMB0nOpHNXvpEOjgj14UE2fZ6_cocBkPFc_LONNgSCtrRqoG3bN_OCBI2Mq__4hyphenhyphenBZOT3iCm8M/s400/screenshot.20.jpg)
- Editing sudoers, let's add a line for the group team, allowing its members to update the system without using any password (NOPASSWD option):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixxLm6tS7WwizTXbpZXbSpRJHdc1uATfayZ4W-KaNFU_CfdJ-UeDFtBDVnvXxqL3kYaUJiU4VNYUoI2FcvaZlveuTYjrJy4TLPGp8ncXvliecrq8AV6xWMEV_BnHczuzk7YPfL3njtJIwm/s400/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Mcg2pSub_vIGLpRm-qhtKXcbERbX2apsMaN5P-S7i4zmXTHwQ3FAhBfSfOael8BKI5RSIPDOOylD2jh2YFXjfu7qN1CnoEQ9FWqmyBCHdbKMbG9Oy3JOmKtohTzBrp4C4A_Rb3cPpZVb/s1600/screenshot.22.jpg)
- Going back to johndoe (member of the group team):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ9cBcbhNUJGS_EYDq2KRxKI1Di7YYpJXutHJ2PAbFvQcJmvCneeyT2BpKGsP5ZQuL148_zIHomqiIDLh48jOguWiI4GDobcbcxnsHjDdTfF5oIpkDIjiLuVbN-pGI9XXyBoS6Y5oGOZd_/s400/screenshot.23.jpg)
- Updating without sudo is not allowed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX1NnG75htdoOf8oG2CJCsvXVFUqMtpRUj_d2Cpl9q6vGoziU25L7wxhxJXQvHb2Fg1cGFuttbsUpynMAoBClyrNC87gFY0fwPDxzUNLdCcdfsJWZPjKBdnXEsJPbCPFa7oykVb2o8CjlT/s1600/screenshot.24.jpg)
- However, updating is successful for johndoe with sudo:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivHxdmRpaBa22Q1hk0Cdy-Co5KXrX7MdWQQ5RZuRI3qBR_7133a4XKe1QA19ZxTV9Zmvd1Aist1ul-Fl6wlpzbgUA8O7ePO5YpMvyx9YpKN6hjNocHjDSC0-IJuWYHSA0AkUqeAqIZve8f/s1600/screenshot.25.jpg)
4 - Editing "sudoers" for aliases
- Editing sudoers and i) creating the group alias TEAMER, ii) adding johndoe:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig0zm6-7jlu5djbrRr8LY_0iWumOcFNcvgEDlwza7Fn-ngNJjA3KakjYsE0d7-CftUWpKCtVyONeHrdXD6-s2C1eqbBnZ_wUYmPQLOqFo7J1iuATucWOXm53mDCrCmcrhUmtkVUvfZ5uOj/s400/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1C9OTvfv-_-bCMmwLKkXvXmbRBWHKFlNSW_3IxkHpXkIH-tWVBvmSxPrFxdfIFWZyg84u0j96tUdN0CPH6Ab5Yg5zoKfUiXQDEIxIEgS_eVBhteYu6vKbT25CDOMq04ki0feW0IN-QATw/s400/screenshot.30.jpg)
- Adding the command alias ON_OFF for both reboot and shutdown commands:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_0ppTB9KQIhZ0sTbiWDJSJ-hSYzNV-HoZT0eMbFwMjHhs2g55tkh7cv6ovz0yM4gZ9d0cnx_YGTAWSNkSgScKotPxkNnt3eaL3hJk_HbExBFFEescBRVQaqfi-kQOANCxTz2LJ0FwPZM8/s1600/screenshot.31.jpg)
- Assigning ON_OFF to TEAMER:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0rrJ5BMDB2EGXLEa398PJtYiJOZCK4vDyj2YfPecHKEF53bcyyeQMtFQAP97SgVuIIg02NNDwwtIoD3AquA-Eoh6nCkM0Wk5bQd8Dw94mTcItjCty0mESw6cSisBFRn52doQKe72TuHwf/s1600/screenshot.32.jpg)
- Going back to johndoe:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw2C-a7IixkMVSRq4Fv2mWM5DRVd8dimpW82rwenPdRxZlheMMbIGMmhqlJ5gc-Wy2-hvngFbrZ9hCdnOPK_Z1H6JEm05r1-Y_87ucqmMyUSDg7yzG8dVb3UfyjAo6FDFubwQ6CpyJ0OXt/s400/screenshot.33.jpg)
- Now johndoe can reboot the system successfully:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-Qh7cWE-L90imPGCpMrlNqw1G_rnNP2ZMbR06IpjQCVrID9l4dM-rVbIbi3_JA42fXnaDsbfGVqrPUNcatgc7qZfB6HumbUYwCX780t5fVfgnV7eUlES_zGildt3GO-Y135uEDAE0k36/s400/screenshot.34.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtlmM2CJBLyFnqAbb_NgTYD36xOwLE5yf0xIJjEIIx71hCKrsl-ukK5cqM1Qr-T408mWlWA_D_s2svo4m1P_ZHhSO2zXxmmIDFxzLUdPteRScQ3PUgxsRu5ys1mhO4Togy-jyYScRqNE2l/s1600/screenshot.37.jpg)
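- The rules from sections 2 to 4 gathered in one fragment and run through the syntax check that visudo performs (visudo -c -f). This is an added example, not the configuration shown in the screenshots: the command paths and the Apache reload command are assumptions for a Debian host, and the fragment is checked in a temporary file, never written to /etc/sudoers:

```shell
#!/bin/sh
# Constructed sudoers fragment mirroring sections 2-4.
# Command paths are assumptions; adjust them to the target host.
good_fragment() {
cat <<'EOF'
User_Alias TEAMER = johndoe
Cmnd_Alias ON_OFF = /sbin/reboot, /sbin/shutdown
roch     ALL = (root) /usr/bin/apt-get update
johndoe  ALL = (root) /usr/sbin/service apache2 reload
%team    ALL = (root) NOPASSWD: /usr/bin/apt-get update
TEAMER   ALL = (root) ON_OFF
EOF
}

# The rule for roch with its closing parenthesis missing
# (constructed syntax error).
bad_fragment() {
  printf '%s\n' 'roch ALL = (root /usr/bin/apt-get update'
}

# check_fragment TEXT: prints "valid", "rejected" or "no-visudo".
# visudo -c is check-only mode, -f names the file to check.
check_fragment() {
  command -v visudo >/dev/null 2>&1 || { echo no-visudo; return 0; }
  f=$(mktemp) || return 1
  printf '%s\n' "$1" > "$f"
  if visudo -c -f "$f" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
  rm -f "$f"
}

echo "good fragment: $(check_fragment "$(good_fragment)")"
echo "bad fragment:  $(check_fragment "$(bad_fragment)")"
```

- Each rule names a full command path with its arguments, so roch and the group team are limited to apt-get update rather than every apt-get subcommand.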
5 - Checking sudo configurations for users
- The sudo command with the options -l (list) and -U (user) shows the list of allowed/forbidden commands for each user:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmUEcUY70pXxEzm8JMWICrPpQMewrfAfT4UiWFQ3DKNFYhZDFzkQ1mUcG2r3q9WksMuQbb3t1UDtXqaLuxGJWvU6jgfuI2fOppeym9WBEvwX6cPLCUn6IWOZ8BTGFnBge830NR_dUA1r4I/s1600/screenshot.31.jpg)
- Let's see some examples, like users root and johndoe who are part of the sudoers file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ZxqcRuaZibDp9nZrKQNvs-GBcNib0ztXeUUxHmewKCdDfjmIcmtBESfwHVi-rkxzpvF13V67pc6ll6B_ZFkkXpLRwbsc9GGTRD98wyAIQSc-EgsLX7ZsUPIzViW2vP6-0O9qJn8dhax2/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHb7q_eUcdv0KN8AcglL6BOcJ9TSNGM90RM7vgbFz2NhVKpA64WPRS7nw3BMX4zyq-9eiZ-1Vw_r32i5uECHg2exT5oqGGeMJVHHu4N4l_0DpLuzV98vt6tXO5MoZRIEscXoRGYDKki00X/s1600/screenshot.27.jpg)
- If the user is not part of the sudoers file, like marie:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzTapVf37_AFTIpyESJe-uxBZD1A0I9yNKDqYakMs9TA64WXSJXGffnbPwDmmJJnpaSud13YPmSVSqm0f9uF5OEcEJ-yx4kgFjo_XxaOLbjzttCxOQhXG8w8joohR1FLobfvqUdA18YnS/s1600/screenshot.28.jpg)