Visudo – Sharing Root Power with a Regular Linux User

In an earlier post we have seen how you can add a regular user to your server. A Linux user does not have a lot of permissions.

Basically, an ordinary Linux user is only allowed to work with the files in his own home directory. This may be sufficient on a desktop, but it is not very useful on a server.

The reason we want to add a normal user to the server is that it is much safer to work on the server as a normal user than as the root.

But a normal user does not have any administrative rights. Now, that is a pickle…

A pickle that we can solve with sudo.

The sudo command allows a user to execute a command as another user. Usually that other user is the root, the superuser (su). And that is exactly what we are looking for.

This is done by prefixing the command that the root would execute with ‘sudo’.

Let us look at an example. When the root wants to edit the sshd_config file, the root enters:

A user needs to prepend with ‘sudo’, which makes:

Visudo

You might think: “Hello, it’s not very secure when every user can execute commands as a root simply by adding sudo!” And you would be right of course.

That is why the root has to whitelist at least one user who is allowed to execute commands as a root with sudo.

That whitelist is the sudoers list. Once a user is on the sudoers list, he/she can add other users to the list when needed.

Adding a user to the sudoers list is done with the visudo command.

Make sure you are logged in to the server as the root.

Enter at the prompt:

The /etc/sudoers.tmp file opens. You will see something like this:

We are especially interested in the section with these two lines:

The first line is a comment; it starts with a hash (#). Comments are for humans like you and me, and are ignored by the system.

The second line tells us that the root is allowed to execute all commands.

To add user jdoe to the list of sudoers, we need to append the following line:

That is all.

So, after adding this one line, the privilege block looks like this:

Save the file. Done.

The next time user jdoe logs in, that user can do anything the root can do, as long as he/she prefixes the command with ‘sudo’.
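Since one line on the sudoers list is enough to hand over full root power, it pays to check who holds such a line after editing. The Python sketch below is an added example, not code from the original post; it audits sudoers-style text, and the sample content (including the `%admin` and `backup` entries) and all function names are constructed assumptions.

```python
import re

# Constructed sample: a typical privilege block plus the jdoe entry the article
# adds. The exact lines are assumptions, not copied from the page.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
jdoe    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync, \\
        /bin/tar
Defaults env_reset
#includedir /etc/sudoers.d
"""

NOT_A_GRANT = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
INCLUDE = re.compile(r"^[#@]include(?:dir)?\s+(\S+)")
SPEC = re.compile(r"^(?P<who>.+?)\s+(?P<host>[^\s=]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # option tags such as NOPASSWD: or NOEXEC:

def audit(text):
    """Return (grants, includes). Simplified: no alias expansion, includes not followed."""
    grants, includes = [], []
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join continued lines
        line = raw.strip()
        inc = INCLUDE.match(line)
        if inc:
            includes.append(inc[1])  # more rules live there; audit those files too
            continue
        if not line or line.startswith("#") or line.startswith(NOT_A_GRANT):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        rest, tags = m["rest"], []
        while (t := TAG.match(rest)):  # peel off tags in front of the command list
            tags.append(t[1])
            rest = rest[t.end():]
        cmds = [c.strip() for c in rest.split(",")]
        for who in m["who"].split(","):
            grants.append({"who": who.strip(), "runas": m["runas"] or "root",
                           "nopasswd": "NOPASSWD" in tags,
                           "any_command": "ALL" in cmds})
    return grants, includes

def unrestricted_principals(text):
    """Users and %groups allowed to run any command, like jdoe in the article."""
    return [g["who"] for g in audit(text)[0] if g["any_command"]]
```

Run `unrestricted_principals()` on the text of your own sudoers file (read as root) and on every file under the directories returned in `includes`; each name it reports is effectively root.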

More details