Developer Hacks with Sudo command
Have you ever tried to run a command in the terminal only to be told "Access Denied"? Well, sudo is the answer. But with great power comes great responsibility! Read on to see what sudo can do for you.
Basics First
The Unix commands sudo and su let you run other commands as a different user.
sudo, the one command to rule them all, stands for "super user do" and is pronounced like "sue dough". As a Linux system administrator or power user, it is one of the most important commands in your arsenal.
To use the sudo command, enter the following at the command prompt:
sudo [command]
Replace [command] with the command you want to run with sudo.
The sudo command also makes it easier to practice the principle of least privilege (PoLP), a computer security concept that helps control system access and limit the impact of exploits and compromises.
A common misconception about sudo is that it is used solely to give root permissions to an ordinary user. In fact, the sudo command lets you run a command as any user, with the default being root.
Sudo Session
Frequent sudo users will have noticed that after one password validation, you can run multiple sudo commands without being prompted again for the password. But after some time, sudo asks for your password again.
This behavior has nothing to do with the number of sudo-powered commands you run; it depends on time. By default, sudo won't ask for a password for 15 minutes after the user has entered it once. After those 15 minutes, you'll be prompted for the password again.
However, you can change this behavior. To do so, open the /etc/sudoers file using the following command:
sudo visudo
Then go to the line that reads:
Defaults env_reset
and add the following option at the end of the line:
Defaults env_reset,timestamp_timeout=[new-value]
Replace [new-value] with the number of minutes you want your sudo session to last. For example, I used the value 30.
If you want to be prompted for a password every time you use the sudo command, assign the value '0' to this option. And for those who want their sudo session to never time out, assign the value '-1'.
Please note that using timestamp_timeout with value ‘-1’ is strongly discouraged.
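As an added example (not part of the original post), here is a small POSIX shell audit that reads a sudoers file and flags the settings discussed above: a timestamp_timeout of -1, a timeout longer than the 15 minute default, and NOPASSWD rules that cover ALL commands, which remove the password check entirely rather than just delaying it. The file path, the 15 minute threshold and the sample lines in the usage note are my own choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sudoers file for
# credential-caching settings that widen the window in which an unattended
# terminal can run privileged commands. Findings are printed; the return
# value is the number of findings (0 means nothing was flagged).

audit_sudoers() {
    file="$1"
    findings=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;                   # skip comments and blank lines
        esac
        case "$line" in
            Defaults*timestamp_timeout=-1*)
                # -1 means "never expire": one password unlocks sudo forever
                echo "HIGH: cached credentials never expire: $line"
                findings=$((findings + 1)) ;;
            Defaults*timestamp_timeout=*)
                mins=$(printf '%s\n' "$line" | sed -n 's/.*timestamp_timeout=\([0-9][0-9]*\).*/\1/p')
                # 15 is sudo's default; larger values keep a stolen session privileged longer
                if [ -n "$mins" ] && [ "$mins" -gt 15 ]; then
                    echo "MEDIUM: timeout of $mins min exceeds the 15 min default: $line"
                    findings=$((findings + 1))
                fi ;;
            *NOPASSWD:*)
                # The text after NOPASSWD: is the command list; "ALL" means every command
                cmds=${line##*NOPASSWD:}
                cmds=$(printf '%s' "$cmds" | tr -d ' \t')
                if [ "$cmds" = "ALL" ]; then
                    echo "HIGH: passwordless sudo for every command: $line"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$file"
    return "$findings"
}
```

Because /etc/sudoers is mode 0440, run it as root: sudo sh audit.sh and call audit_sudoers /etc/sudoers. On a file containing the constructed lines "Defaults env_reset,timestamp_timeout=-1", "Defaults env_reset,timestamp_timeout=30" and "deploy ALL=(ALL) NOPASSWD: ALL" it reports three findings and returns 3; a rule such as "ops ALL=(root) NOPASSWD: /bin/systemctl restart nginx" is not flagged, since it is scoped to one command.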
Showing asterisks instead of a blank password prompt in sudo
By default, when sudo prompts for a password and you start typing it, nothing shows up, not even asterisks. That is the normal behavior, and while it is not a big deal in general, some users may want the asterisks displayed for whatever reason.
All you have to do is change the following line in the /etc/sudoers file. Open it with:
sudo visudo
Then go to the line that reads:
Defaults env_reset
and add the following option at the end of the line:
Defaults env_reset,pwfeedback
Save the /etc/sudoers file. Now, whenever you type the sudo password, asterisks will show up.
Sudo Configurations
When you run a command with sudo, it prompts you for your personal password and confirms your request to execute the command by checking a file called sudoers, which the system administrator configures.
sudo is configured through the /etc/sudoers file. I'm sure there are more poorly written man pages, but "man sudoers" is among my all-time favorites for obfuscation and poor explanation. Creating the file and actually using sudo isn't all that bad, though.
Using the sudoers file, system administrators can give certain users or groups access to some or all commands without those users having to know the root password. sudo also logs every command and its arguments, so there is a record of who used it for what, and when.
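To make "access to some commands" concrete, here is an added example (mine, not from the post) that writes one least-privilege sudoers rule as a drop-in file and syntax-checks it before it goes live. It assumes a group named "webadmins", nginx managed through /usr/bin/systemctl, and a main sudoers that includes /etc/sudoers.d (the usual "@includedir /etc/sudoers.d" line, spelled "#includedir" on older releases); none of those come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate a least-privilege
# sudoers rule as a drop-in file and check its syntax before installing it.
# Assumed: group "webadmins", nginx under systemctl, /etc/sudoers.d included.

write_nginx_rule() {
    out="$1"
    # Grammar: WHO  WHERE=(AS_WHOM)  COMMAND.  Only this exact command line
    # is allowed; the absolute path stops a look-alike "systemctl" on PATH
    # from matching. No NOPASSWD, so the member's own password is still asked.
    cat > "$out" <<'EOF'
# Web administrators may restart nginx as root, and nothing else.
%webadmins ALL=(root) /usr/bin/systemctl restart nginx
EOF
    chmod 0440 "$out"    # sudo expects sudoers files to be mode 0440
}

# visudo -c -f FILE parses FILE without installing it. A syntax error in a
# live sudoers file can lock every administrator out of sudo, so check first.
check_rule() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax check skipped" >&2
    fi
}
```

Typical use as root: write_nginx_rule /etc/sudoers.d/webadmins-nginx followed by check_rule on the same path; if visudo reports "parsed OK", a member of webadmins can run "sudo systemctl restart nginx" and nothing else through this rule. Writing to a temporary file first and checking it there is safer still, since the drop-in is only read once it sits in /etc/sudoers.d.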
First, a little background. The sudo program itself is a setuid binary. If you examine its permissions, you will see:
---s--x--x 1 root root 81644 Aug 18 12:31 /usr/bin/sudo
That "s" means this is a "setuid" program. You and everyone else have execute permission on it, so you can run it. When you do, because it is setuid and owned by root, your effective user id becomes root: if you could get to a shell from sudo, you effectively WOULD be root and could remove any file on the system, and so on. That's why setuid programs have to be carefully written, and something like sudo (which is going to allow access to other programs) has to be especially careful.
visudo edits the sudoers file in a safe fashion. It locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited, you will receive a message to try again later.
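The permission line above packs three properties into one string: the setuid bit, root ownership, and the fact that nobody else can write to the file. As an added example (not from the post), this script checks those three properties on any path using only POSIX test(1) and find(1), so the same check works for sudo or any other setuid program on the system.

```shell
#!/bin/sh
# Added example, not from the original post: check the properties that make
# a setuid program such as /usr/bin/sudo safe to leave on a system.
# Usage: sh check_setuid.sh /usr/bin/sudo

is_setuid()         { [ -u "$1" ]; }                                     # setuid bit set
is_root_owned()     { [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]; }
is_other_writable() { [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]; }

# Prints one line per property and returns 0 only when the binary is setuid,
# owned by root and not writable by other users: a setuid-root file that
# others can modify lets anyone swap in code that runs with root's uid.
check_setuid_binary() {
    path="$1"
    ok=0
    if is_setuid "$path"; then
        echo "$path: setuid bit set"
    else
        echo "$path: not setuid"; ok=1
    fi
    if is_root_owned "$path"; then
        echo "$path: owned by root"
    else
        echo "$path: NOT owned by root"; ok=1
    fi
    if is_other_writable "$path"; then
        echo "$path: WRITABLE by others"; ok=1
    else
        echo "$path: not writable by others"
    fi
    return "$ok"
}

if [ $# -gt 0 ]; then check_setuid_binary "$1"; fi
```

On a healthy system check_setuid_binary /usr/bin/sudo prints three reassuring lines and returns 0; a non-zero return is worth investigating, because the second and third properties are exactly what the "carefully written" argument above relies on.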
Switch to Root User Using Sudo
The su command is used to switch from one user account to another. Running su on its own switches to the superuser account. Therefore, to switch to the superuser account using sudo, simply run the following command:
sudo su
Note that if you are logged in as user 'joe', you will use joe's password to get access to the root user instead of entering the root password.
Some important sudo command line options
Aside from the -u option (covered first below), there are some other important sudo command line options that deserve a mention. In this section, we will discuss some of them.
The -u option: running commands as other users, not just root
As previously mentioned, the sudo command can be used to run a command as any other user. For instance, if you are logged in as user "joe" and you want to run a command as "robert", you would run sudo in the following way:
sudo -u robert [command]
If you want to try it out, create a new user called "sudotest" and run the following whoami command:
sudo -u sudotest whoami
The -v option: validate sudo credentials
When you run a command using sudo, you'll be prompted for your password. For a period afterward, you can run other commands using sudo without entering your password. If you wish to extend that period, run the following command:
sudo -v
The -k option: reset timestamp
Consider a case where you've just run a sudo-powered command after entering your password. As you already know, the sudo session remains active for 15 minutes by default. Suppose that during this session you have to give someone access to your terminal, but you don't want them to be able to use sudo. What will you do?
Thankfully, there is a command line option, -k, that allows a user to revoke sudo permission. Here's what the sudo man page has to say about this option:
-k, --reset-timestamp
When used without a command, invalidates the user's cached credentials. In other words, the next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.
When used in conjunction with a command or an option that may require a password, this option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.
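The man page's mention of a .logout file points at the habit worth automating: drop the cached credentials whenever a login shell exits, so a session you forgot about cannot be picked up by the next person at the keyboard. As an added example (not from the post), the function below installs a "sudo -k" line into a logout hook file idempotently; the file path is a parameter (for bash that would be ~/.bash_logout, the counterpart of csh's .logout), and running it twice leaves exactly one copy.

```shell
#!/bin/sh
# Added example, not from the original post: add "sudo -k" to a shell logout
# hook so cached sudo credentials are invalidated when the session ends.
# The hook file is an argument; ~/.bash_logout is the usual choice for bash.

LOGOUT_HOOK='sudo -k   # drop cached sudo credentials when this shell exits'

install_sudo_k_hook() {
    hook_file="$1"
    touch "$hook_file"
    # grep -F: fixed-string match, -x: whole line, -q: no output.
    # Skip if the exact line is already present, so re-running is harmless.
    if grep -Fxq "$LOGOUT_HOOK" "$hook_file"; then
        return 0
    fi
    printf '%s\n' "$LOGOUT_HOOK" >> "$hook_file"
}

# How many copies of the hook a file holds (expected: 1 after installation).
hook_count() {
    grep -Fxc "$LOGOUT_HOOK" "$1"
}
```

Before handing a terminal over in the middle of a session, run sudo -k by hand and confirm it worked with sudo -n true: the -n (non-interactive) flag makes sudo fail instead of prompting, so a "password is required" error is the proof that the cache is gone.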
The -s option: run the specified shell
There might be times when your work requires you to run a bucketload of commands that need root privileges, and you don't want to enter the sudo password every now and then. Also, you don't want to tweak the sudo session timeout by making changes to the /etc/sudoers file.
In that case, you may want to use the -s command line option of the sudo command. Here's how the sudo man page explains it:
-s, --shell
Run the shell specified by the SHELL environment variable if it is set or the shell specified by the invoking user's password database entry. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed.
So basically, what this command line option does is:
- Launches a new shell. To decide which shell, the SHELL environment variable is consulted; if $SHELL is empty, the shell defined in the /etc/passwd file is picked up.
- If you also pass a command name along with the -s option (for example: sudo -s whoami), then the actual command that gets executed is:
sudo /bin/bash -c whoami
- If you aren't trying to execute any other command (meaning you just run sudo -s), then you get an interactive shell with root privileges.
What's worth keeping in mind here is that the -s command line option gives you a shell with root privileges, but you don't get the root environment: it's your .bashrc that gets sourced. This means that, for example, in the new shell that sudo -s runs, executing the whoami command will still return your username, and not 'root'.
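Since -s hands root privileges to whatever shell the rule above selects, it is worth being able to predict that choice before running it. As an added example (not from the post), the functions below reproduce the selection rule from the man page, $SHELL if set and otherwise the login shell from the password database, and build the argv that "sudo -s command" ends up running. The password file is a parameter so the logic can be exercised against a constructed file; on a live system pass /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post: predict which shell "sudo -s"
# will run and what command line it executes, following the man page rule.

# resolve_sudo_shell SHELL_VALUE USERNAME PASSWD_FILE
# Prints the shell that -s would use; fails if the user has no passwd entry.
resolve_sudo_shell() {
    shell_value="$1"; user="$2"; passwd_file="$3"
    if [ -n "$shell_value" ]; then
        printf '%s\n' "$shell_value"      # $SHELL wins when it is set
        return 0
    fi
    # passwd format: name:passwd:uid:gid:gecos:home:shell -> field 7 is the shell
    awk -F: -v u="$user" '$1 == u { print $7; found = 1 } END { exit found ? 0 : 1 }' "$passwd_file"
}

# sudo_s_argv SHELL [COMMAND...]
# Mirrors the post's "sudo /bin/bash -c whoami" case: with a command, the
# shell is invoked with -c and the command string; without one, it is
# started interactively.
sudo_s_argv() {
    shell="$1"; shift
    if [ $# -eq 0 ]; then
        printf '%s\n' "$shell"
    else
        printf '%s -c %s\n' "$shell" "$*"
    fi
}
```

Two practical consequences of the -c path: the whole command string is parsed by the shell, so any metacharacters in it are interpreted with root privileges, and the interpreter is whatever $SHELL names, so a sudoers rule that permits only a specific command does not apply to "sudo -s" in the same way.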
How to reduce the danger of running with sudo
- Never copy and paste commands from sites or social networks you don't know, or whose effect (what they could remove or install) you don't understand.
- Learn what each command could do.
PS: Don't try this in production. It may break something special (or everything).