why sudo is better than root

sudo make me a sandwich

make me a sandwich

why use sudo rather than root?

1. sudo prompts for the current user’s password (not the root password) to run commands which will otherwise require the user to be root.
2. the extra privilege is granted to the individual users temporarily only for the command that is being run as sudo; other than that, users work as unprivileged which reduces accidental damages that might arise out of privileged use.
3. when a sudo command is executed, the user who ran the command, the command & the time are logged.

When more than one person needs to work as root user, it is easy to see why configuring sudo is much better than sharing the root password with multiple persons. If, for example, two people know the root password, it is difficult to know who ran a sensitive command, because the system logs are going to tell you that a root user ran the command. With sudo, the exact user who ran the command can be known from the logs.

“sudo” logs system activity like this:

Feb 10 22:25:21 host1 sudo: user1 : TTY=pts/0 ; PWD=/home/user1/public ; USER=root ; COMMAND=/sbin/service httpd restart

The above command tells you that the sudo command "/sbin/service httpd restart" was executed by user1 on Feb 10, 22:25 on the host1 machine.

This sudo logging is typically done on /var/log/auth.log on the debian/ubuntu, on centos/rhel kind of systems, it is typically done at /var/log/secure However, the /etc/sudoers file can control where the sudo logging needs to occur.

The /etc/sudoers file controls who can do what from where (which host). The syntax is cryptic to understand in one go, not clearly explained.


Note that wheel is prefixed with a % to mean that the permission set is for the group named wheel (and not a individual user).

Typically, this is how I give a user a set of sudo permissions. When I think a new user has to have sudo permission set, I make the user to be part of the wheel group like this:

usermod -G wheel 

wheel is configured to have the sudo permission set in the /etc/sudoers file:


As can be seen, it is not clear from the comment ## user MACHINE=COMMANDS as to how it can be written and what the ALLs mean. The syntax turns out to be:

USER MACHINE=(run_as_user:run_as_group) NOPASSWD: COMMANDS

USER can be ALL (all users) or a valid user in the system or a list of users in the system specified through User_Alias

User_Alias ADMINS = thanix, asif

When USER is prefixed with % like %USER – it means that the users of the group %USER get that permission set

Similarly, MACHINE can be ALL (to mean all hosts) or a hostname or a list of hostnames (or IP addresses) specified through Host_Alias and
COMMANDS can be ALL (all commands) or a single command or a list of commands specified through a Cmnd_Alias like this

Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Now, read a synopsis of the "sudo" command:

“sudo” is an innovative program in the unix systems that administrators can use to allow some users to execute some commands as root (or another user).
The basic philosophy is to give as few privileges as possible but still allow people to get their work done.

I think it makes sense.

Leave a Reply

©thanix.info 2012 | RSS | cc share-alike

thanix [at] gmail [dot] com