Developer Hacks with Sudo command

Have you ever tried to run a command in terminal only to be given “Access Denied?” Well, Sudo is the answer.

But, with great power comes great responsibility! Read on to see what sudo can do for you!

Sudo man page

Basics First

The Unix commands sudo and su allow access to other commands as a different user.

sudo is the one command to rule them all. It stands for “super user do” and is pronounced like “sue dough”. As a Linux system administrator or power user, it is one of the most important commands in your arsenal.

To use the sudo command, at the command prompt, enter:

sudo [command]

Replace [command] with the command you want to run with sudo.

The sudo command also makes it easier to practice the principle of least privilege (PoLP), which is a computer security concept that helps control system access and potential system exploits and compromises.

A common misconception about sudo is that it is used solely to provide root permissions to an ordinary user. In fact, the sudo command allows you to run a command as any user, with the default generally being the root user.

Sudo Session

Frequent sudo users will have noticed that after one password validation, you can run multiple sudo commands without being prompted for the password again. But after some time, sudo asks for your password once more.

This behavior has nothing to do with the number of sudo-powered commands you run; it depends on time. By default, sudo won’t ask for the password again for 15 minutes after you have entered it once. After those 15 minutes, you’ll be prompted for the password again.

However, if you want, you can change this behavior. For this, open the /etc/sudoers file using the following command:

sudo visudo

And then go to the line that reads:

Defaults    env_reset

And add the following variable at the end of the line:

Defaults    env_reset,timestamp_timeout=[new-value]

The [new-value] field should be replaced by the number of minutes you want your sudo session to last. For example, I used the value 30.

If you want to be prompted for the password every time you use the sudo command, assign the value ‘0’ to this variable. If you want your sudo session to never time out, assign the value ‘-1’.

Please note that using timestamp_timeout with value ‘-1’ is strongly discouraged.

Showing asterisks instead of a blank password prompt in Sudo

By default, when sudo prompts for a password and you start typing it, nothing shows up, not even the asterisks that are usual elsewhere. While that’s not a big deal in general, some users may want the asterisks displayed for whatever reason.

All you have to do is change one line in the /etc/sudoers file. Open it with:

sudo visudo

And then go to the line that reads:

Defaults    env_reset

And add the following variable at the end of the line:

Defaults    env_reset,pwfeedback

And save the /etc/sudoers file.

Now, whenever you type the sudo password, asterisks will show up.

Sudo Configurations

When you run a command with sudo, it prompts you for your personal password and confirms that you are allowed to execute the command by checking a file called sudoers, which the system administrator configures.

sudo is configured through the /etc/sudoers file. I’m sure there are more poorly written man pages, but “man sudoers” is among my all-time favorites for obfuscation and poor explanation. Creating the file and actually using sudo isn’t all that bad, though.

Using the sudoers file, system administrators can give certain users or groups access to some or all commands without those users having to know the root password. It also logs all commands and arguments so there is a record of who used it for what, and when.

First, a little background. The sudo program itself is a setuid binary. If you examine its permissions, you will see:

  ---s--x--x    1 root    root    81644 Aug 18 12:31  /usr/bin/sudo

That “s” means this is a “setuid” program. You and everyone else have execute permission on it, so you can run it. When you do, because it is setuid and owned by root, your effective user ID becomes root: if you could get to a shell from sudo, you effectively WOULD be root and could remove any file on the system, etc. That’s why setuid programs have to be carefully written, and something like sudo (which is going to allow access to other programs) has to be especially careful.

visudo edits the sudoers file in a safe fashion. visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
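visudo -c checks syntax, not policy. As an added example that is not part of the article, this Python script audits a constructed sudoers fragment for the patterns discussed above: a never-expiring timestamp_timeout=-1, rules granting ALL commands, and NOPASSWD on a shell (which, as the setuid discussion explains, is as good as root). The sample content and the SHELLS list are constructed assumptions, and the parser covers only simple one-line entries.

```python
import re

# Constructed sample (not from the article): one Defaults line plus user
# specs ranging from fully permissive to least-privilege.
SAMPLE_SUDOERS = """\
Defaults    env_reset,timestamp_timeout=-1,pwfeedback
# Members of wheel may run any command as any user
%wheel  ALL=(ALL) ALL
# Least privilege: a backup operator may run exactly one program as root
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
# A shell as root without a password is equivalent to ALL
deploy  ALL=(ALL) NOPASSWD: /bin/bash
"""

# user_or_%group  host = (runas) [NOPASSWD:] cmd, cmd, ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Programs that hand the caller an interactive shell; a rule naming them is as broad as ALL.
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh"}


def audit_sudoers(text):
    """Return (line_number, finding) tuples for entries that undermine least privilege."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        defaults = re.match(r"Defaults\S*\s+(.*)", line)
        if defaults:
            for opt in (o.strip() for o in defaults.group(1).split(",")):
                if re.fullmatch(r"timestamp_timeout\s*=\s*-1", opt):
                    findings.append((no, "timestamp_timeout=-1: sudo session never expires"))
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append((no, "unparsed entry; check syntax with visudo -c"))
            continue
        nopasswd = "NOPASSWD:" in m["cmds"]
        for cmd in m["cmds"].replace("NOPASSWD:", "").split(","):
            prog = cmd.split()[0] if cmd.strip() else ""
            if prog == "ALL":
                findings.append((no, f"{m['who']}: ALL commands allowed"))
            elif prog in SHELLS:
                findings.append((no, f"{m['who']}: {prog} allowed, which is equivalent to ALL"))
            if nopasswd and (prog == "ALL" or prog in SHELLS):
                findings.append((no, f"{m['who']}: NOPASSWD on an unrestricted command"))
    return findings
```

On the sample, only the backup rule passes cleanly: it names one program, one target user, and nothing else.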

Switch to Root User Using Sudo

The su command is used to switch from one user account to another. Running the su command on its own switches to the superuser account. Therefore, to switch to the superuser account using sudo, simply run the following command:

sudo su

Note that if you are logged in as user ‘joe’, you will use joe’s password to get access to the root user instead of entering the root password.

Some important Sudo command line options

Aside from the -u command line option (covered first below), there are some other important sudo command line options that deserve a mention. In this section, we will discuss some of those.

The -u option — Running commands as other users — not just root

As previously mentioned, the sudo command can be used to run a command as any other user. For instance, if you are logged in as user “joe” and you want to run a command as “robert”, then you’d run sudo in the following way:

sudo -u robert [command]

If you want to try it out, create a new user called “sudotest” and run the following whoami command:

sudo -u sudotest whoami

The -v option — Validate Sudo Credentials

When you run a command using sudo, you’ll be prompted for your password. For a period afterward, you can run other commands using sudo without entering your password. If you wish to extend that period, run the following command:

sudo -v

The -k option — Reset timestamp

Consider a case wherein you’ve just run a sudo-powered command after entering your password. As you already know, the sudo session remains active for 15 minutes by default. Suppose that during this session you have to give someone access to your terminal, but you don’t want them to be able to use sudo. What will you do?

Thankfully, there is a command line option, -k, that allows a user to revoke sudo permissions. Here’s what the sudo man page has to say about this option:

-k, --reset-timestamp
    When used without a command, invalidates the user's cached credentials. In other words, the next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.
    When used in conjunction with a command or an option that may require a password, this option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.

The -s option — Shell specified

There might be times when your work requires you to run a bucket load of commands that need root privileges, and you don’t want to enter the sudo password every now and then. Also, you don’t want to tweak the sudo session timeout by making changes to the /etc/sudoers file.

In that case, you may want to use the -s command line option of the sudo command. Here’s how the sudo man page explains it:

-s, --shell
    Run the shell specified by the SHELL environment variable if it is set or the shell specified by the invoking user's password database entry. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed.

So basically, what this command line option does is:

  • Launches a new shell; which shell is taken from the SHELL environment variable. If $SHELL is empty, the shell defined in the /etc/passwd file is used.
  • If you also pass a command name along with the -s option (for example: sudo -s whoami), then the command that actually gets executed is:
sudo /bin/bash -c whoami
  • If you aren’t trying to execute any other command (meaning, you’re just trying to run sudo -s) then you get an interactive shell with root privileges.

What’s worth keeping in mind here is that the -s command line option gives you a shell with root privileges, but you don’t get the root environment; it’s your own .bashrc that gets sourced. This means that, for example, in the new shell that sudo -s runs, executing the whoami command will still return your username, and not ‘root’.

Written by Mirza Dabeer Hussain, Software Engineer @tajawal, for the tajawal tech blog.