In an earlier post we saw how you can add a regular user to your server. A Linux user does not have a lot of permissions.
Basically, an ordinary Linux user is only allowed to work with the files in his own home directory. This may be sufficient on a desktop, but it is not very useful on a server.
We want to add a normal user to the server because it is much safer to work on the server as a normal user than as the root.
But a normal user does not have any administrative rights. Now, that is a pickle…
A pickle that we can solve with
The sudo command allows a user to execute a command as another user. Usually that other user is the root, the superuser (su). And that is exactly what we are looking for.
This is done by prepending ‘sudo’ to the command that the root would execute.
Let us look at an example. When the root wants to edit the sshd_config file, the root enters:
A user needs to prepend ‘sudo’ to it, which makes:
sudo nano /etc/ssh/sshd_config
You might think: “Hello, it’s not very secure when every user can execute commands as a root simply by adding sudo!” And you would be right of course.
That is why the root has to whitelist at least one user who is allowed to execute commands as a root with sudo.
That whitelist is the sudoers list. Once a user is on the sudoers list, he/she can add other users to the list when needed.
Adding a user to the sudoers list is done with the
Make sure you are logged in to the server as the root.
Enter at the prompt:
The /etc/sudoers.tmp file opens. You will see something like this:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
We are especially interested in the section with these two lines:
# User privilege specification
root ALL=(ALL:ALL) ALL
The first line is a comment; it starts with a hash (#). Comments are for humans like you and me, and are ignored by the system.
The second line tells us that the root is allowed to execute all commands.
To add user jdoe to the list of sudoers, we need to append the following line:
jdoe ALL=(ALL:ALL) ALL
That is all.
So, after adding this one line, the privilege block looks like this:
# User privilege specification
root ALL=(ALL:ALL) ALL
jdoe ALL=(ALL:ALL) ALL
Save the file. Done.
The next time user jdoe logs in, that user can do anything the root can do, as long as he/she prepends the command with ‘sudo’.
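The line added above gives jdoe the same unrestricted grant as the root, so it is worth being able to list who holds one. The following Python script is an added example, not part of the original post: it reads sudoers text and reports every user or %group allowed to run all commands as root. The sample text is constructed from the file shown above, the `backup` entry is a hypothetical restricted user added for contrast, and the parser handles only simple one-line rules.

```python
import re

# Constructed sample: the file shown above after the jdoe line is added,
# plus one hypothetical restricted user (backup) for contrast.
SAMPLE = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root ALL=(ALL:ALL) ALL
jdoe ALL=(ALL:ALL) ALL
backup ALL=(root) /usr/bin/rsync
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
"""

# Layout of a rule:  who  host = (runas_user:runas_group)  commands
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
             "Cmnd_Alias", "@include")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # tags such as NOPASSWD:


def parse_rules(text):
    """Parse simple one-line rules; comments, Defaults and aliases are skipped."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or line.startswith(NOT_RULES):
            continue
        m = RULE.match(line)
        if m:
            # With no (runas) part, sudo runs the command as root.
            runas_user = (m["runas"] or "root").partition(":")[0]
            rules.append({
                "who": m["who"],
                "runas_users": [u.strip() for u in runas_user.split(",")],
                "commands": [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")],
            })
    return rules


def full_root_grants(text):
    """Names (users, or %groups) that may run every command as root."""
    return [r["who"] for r in parse_rules(text)
            if "ALL" in r["commands"] and {"ALL", "root"} & set(r["runas_users"])]


if __name__ == "__main__":
    print(full_root_grants(SAMPLE))
```

Every name it reports should be an account you expect to have full administrative rights; an entry like `backup`, limited to one command, is not reported.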