Why use sudo rather than root?
1. sudo prompts for the current user's password (not the root password) to run commands that would otherwise require the user to be root.
2. The extra privilege is granted to the individual user temporarily, only for the command being run through sudo; the rest of the time users work unprivileged, which reduces the accidental damage that can arise from privileged use.
3. When a sudo command is executed, the user who ran it, the command, and the time are logged.
When more than one person needs to work as root, it is easy to see why configuring sudo is much better than sharing the root password among several people. If, for example, two people know the root password, it is difficult to know who ran a sensitive command, because the system logs will only tell you that root ran it. With sudo, the exact user who ran the command can be identified from the logs.
sudo logs system activity like this:

Feb 10 22:25:21 host1 sudo: user1 : TTY=pts/0 ; PWD=/home/user1/public ; USER=root ; COMMAND=/sbin/service httpd restart

The line above tells you that the command "/sbin/service httpd restart" was executed through sudo by user1 on Feb 10 at 22:25 on the host1 machine.
This sudo logging typically goes to /var/log/auth.log on Debian/Ubuntu and to /var/log/secure on CentOS/RHEL-style systems. However, the /etc/sudoers file can control where sudo logging occurs.
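Because the value of sudo logging is knowing who ran what, the following shell script (an added example, not part of the original post) parses lines in the format shown above into "status, time, host, invoking user, target user, command" records and separates out the attempts sudo refused. The sample log lines, the hosts and the user names in it are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pull "who ran what, as whom,
# where and when" out of sudo log lines in the format shown above.
# SAMPLE_LOG is constructed for this example; host1/user1/user2 are made up.

SAMPLE_LOG='Feb 10 22:25:21 host1 sudo: user1 : TTY=pts/0 ; PWD=/home/user1/public ; USER=root ; COMMAND=/sbin/service httpd restart
Feb 10 22:31:07 host1 sudo:    user2 : TTY=pts/1 ; PWD=/home/user2 ; USER=root ; COMMAND=/sbin/chkconfig httpd on
Feb 10 22:32:40 host1 sudo:    user2 : command not allowed ; TTY=pts/1 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/bash
Feb 10 22:40:02 host1 sshd[1234]: Accepted password for user1 from 10.0.0.5 port 51234 ssh2'

# Read syslog-style lines on stdin; emit one tab-separated record per sudo
# entry:  STATUS  timestamp  host  invoking_user  target_user  command
# STATUS is DENIED when sudo refused the command ("command not allowed" and
# "NOT in sudoers" are messages sudo itself writes), otherwise ALLOWED.
# Lines from other daemons (the sshd line above) are ignored.
sudo_summary() {
    awk '
    /sudo: / && /COMMAND=/ {
        ts = $1 " " $2 " " $3; host = $4
        # sudo pads the user name with spaces; " sudo: +" swallows the padding
        split($0, p, " sudo: +")            # p[2] = "user1 : TTY=... ; COMMAND=..."
        rest = p[2]
        user = rest; sub(/ :.*/, "", user)  # text before the first " :"
        status = (rest ~ /command not allowed|NOT in sudoers/) ? "DENIED" : "ALLOWED"
        runas = rest; sub(/.*USER=/, "", runas); sub(/ ;.*/, "", runas)
        cmd = rest; sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", status, ts, host, user, runas, cmd
    }'
}

# Only the refused attempts: the records worth alerting on.
sudo_denied() {
    sudo_summary | awk -F'\t' '$1 == "DENIED"'
}

# Demo run over the constructed sample; on a real system feed it
# /var/log/auth.log or /var/log/secure instead.
printf '%s\n' "$SAMPLE_LOG" | sudo_summary
```

The invoking user is taken from the text before the first " :" after "sudo:", and the target user from USER=, so the report answers exactly the question the post raises: not "root did it" but which account asked for root, and whether sudo said yes.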
The /etc/sudoers file controls who can do what from where (which host). The syntax is cryptic and hard to understand in one go, and the comment in the file does not explain it clearly:

## user MACHINE=COMMANDS
%wheel ALL=(ALL) NOPASSWD: ALL

wheel is prefixed with a % to mean that the permission set is for the group named wheel (and not an individual user).
Typically, this is how I give a user a set of sudo permissions. When a new user needs sudo, I add the user to the wheel group like this (the -a flag appends wheel to the user's existing supplementary groups instead of replacing them):

usermod -aG wheel <username>

The wheel group is configured to have the sudo permission set by this line in /etc/sudoers:

%wheel ALL=(ALL) NOPASSWD:ALL
As can be seen, it is not clear from the comment ## user MACHINE=COMMANDS how a rule is actually written or what the ALLs mean. The syntax turns out to be:

USER MACHINE=(run_as_user:run_as_group) NOPASSWD: COMMANDS
USER can be ALL (all users), a valid user in the system, or a list of users specified through a User_Alias:

User_Alias ADMINS = thanix, asif

When USER is prefixed with % (as in %USER), the members of the group USER get that permission set.
Similarly, MACHINE can be ALL (to mean all hosts) or a hostname or a list of hostnames (or IP addresses) specified through
COMMANDS can be ALL (all commands), a single command, or a list of commands specified through a Cmnd_Alias like this:

Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
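Putting the USER MACHINE=(run_as) COMMANDS syntax and the alias forms together, here is a complete sudoers fragment with a small check script around it. This is an added example, not part of the original post: the users thanix and asif and the SERVICES alias come from the post, while the WEBHOSTS alias and its members are made up for the example (Host_Alias is the sudoers keyword for a named list of hosts, the counterpart of User_Alias and Cmnd_Alias). The check counts rules that combine NOPASSWD with ALL commands, the broadest grant a sudoers rule can make, which is the kind of line worth knowing about on any host you administer.

```shell
#!/bin/sh
# Added example, not from the original post: a sudoers fragment written with
# the USER MACHINE=(run_as_user:run_as_group) NOPASSWD: COMMANDS syntax and
# the alias forms described above, plus a check for the broadest kind of rule.
# thanix, asif and SERVICES come from the post; WEBHOSTS and its members are
# made up here (Host_Alias is the sudoers keyword for a list of hosts).

sudoers_fragment() {
    cat <<'EOF'
# USER MACHINE=(run_as_user:run_as_group) NOPASSWD: COMMANDS
User_Alias ADMINS   = thanix, asif
Host_Alias WEBHOSTS = host1, 10.0.0.0/24
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
# ADMINS may manage services on the web hosts, as root, without a password prompt
ADMINS WEBHOSTS=(root) NOPASSWD: SERVICES
# members of wheel may run anything as anyone, but must enter their own password
%wheel ALL=(ALL) ALL
EOF
}

# Count non-comment rules in a sudoers file that grant NOPASSWD on ALL
# commands. A line such as "%wheel ALL=(ALL) NOPASSWD: ALL" lets every member
# of wheel run any command as root without ever typing a password, so it is
# the first thing to look for when reviewing a sudoers file.
count_nopasswd_all() {
    grep -v '^[[:space:]]*#' "$1" | grep -cE 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' || true
}

# Syntax-check a fragment with visudo when it is installed (visudo -c -f FILE
# parses FILE without installing it); otherwise report that the check was skipped.
lint_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax check skipped for $1"
    fi
}

# Demo: write the fragment to a temporary file and inspect it. On a real
# system the fragment would be installed with visudo, never by editing
# /etc/sudoers directly, so that a syntax error cannot lock everyone out.
tmp=$(mktemp)
sudoers_fragment > "$tmp"
lint_fragment "$tmp" || echo "visudo reported a problem in $tmp"
echo "rules granting NOPASSWD on ALL: $(count_nopasswd_all "$tmp")"
rm -f "$tmp"
```

The ADMINS rule shows the narrow form the syntax allows: a named set of users, on a named set of hosts, running only the two service commands as root. The wheel rule keeps the post's "members of wheel can do anything" grant but drops NOPASSWD, so the user's own password is still asked for and the count function reports 0 for this fragment.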
Now, read a synopsis of the
“sudo” is an innovative program on Unix systems that administrators can use to allow some users to execute some commands as root (or another user).
The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
I think it makes sense.