January 10, 2025

SUDO: allow a normal user to run commands as root


sudo enables users to execute root commands on a Linux dedicated server as a normal user. Unlike the su command, sudo offers greater flexibility and enhanced security.

A key benefit of sudo is its ability to log usage, with log entries typically stored in the /var/log/secure file. The sudo program relies on the /etc/sudoers configuration file to define the rules that determine whether a command can be executed.

It is advisable to use the visudo utility, included with the sudo package, for editing the /etc/sudoers file. For instance, if we want a user named user to execute commands as root, we can start by running, as that user, a sudo command that requires elevated permission. Because the user is not yet covered by any rule in /etc/sudoers, the attempt is refused.

$ sudo /sbin/service sendmail restart
Password:
normaluser is not in the sudoers file.  This incident will be reported.

The sudo command has logged the attempt to the log file /var/log/secure as shown below.

# tail /var/log/secure
...
Aug  2 14:37:49 somehost sudo:  user : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/sbin/service sendmail restart

On all Linux servers, there is a specific group called 'wheel' that is commonly associated with privileged operations. To include a user in the supplementary 'wheel' group, run the following command as the root user.

# usermod -aG wheel user

Verify that the user is now a member of the 'wheel' group.

# groups user
user : user wheel

Edit the file /etc/sudoers using the visudo command as follows.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

Note that the /etc/sudoers file ships with examples and comments. To grant members of the 'wheel' group the ability to execute commands as root with sudo, uncomment the %wheel line so that it reads as follows.

...
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL)       ALL
...

The visudo utility uses key bindings and commands derived from the vi editor. To edit the sudoers file in visudo, press 'i' to enter Insert mode. Use the cursor keys to move the cursor to the start of the %wheel line, and press 'Delete' to remove the '#' character. To save your modifications, press the Escape key, then type ':write', and finally ':quit' to exit. The relevant part of the file should now look like this.

...
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL)       ALL

#Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

# ALL     ALL = NOPASSWD: /usr/bin/mindspring

Now run the privileged command again as the normal user.

$ sudo /sbin/service sendmail restart
Password:
Shutting down sendmail:                                    [  OK  ]
Shutting down sm-client:                                   [  OK  ]
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]

The successful execution of sudo will also be logged in the /var/log/secure file.

# tail /var/log/secure
...
Aug  2 15:05:49 somehost sudo:  user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/sbin/service sendmail restart
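
The refused and the successful entry share one field layout, so they can be separated mechanically when reviewing /var/log/secure. The script below is an added example, not part of the original article: the function names sudo_audit and sudo_denied_users and the sample lines are constructed here, and it assumes each sudo entry occupies a single line in the log file.

```shell
#!/bin/sh
# Added example (not from the article): classify sudo entries that use the
# /var/log/secure layout shown above. Function names are hypothetical.

# Reads log lines on stdin, prints one "STATUS user=U runas=R cmd=C" per entry.
sudo_audit() {
    awk -F' ; ' '
    / sudo(\[[0-9]+\])?: / {
        head = $1
        sub(/^.* sudo(\[[0-9]+\])?: +/, "", head)    # drop timestamp, host, tag
        sep = index(head, " : ")
        if (sep == 0) next                           # not a command entry
        user = substr(head, 1, sep - 1)
        msg  = substr(head, sep + 3)                 # "TTY=..." or a message
        if (msg ~ /^TTY=/)               status = "ALLOWED"
        else if (msg ~ /NOT in sudoers/) status = "DENIED"
        else                             status = "OTHER"
        runas = "?"
        for (i = 2; i <= NF; i++)
            if ($i ~ /^USER=/) runas = substr($i, 6)
        c = index($0, "COMMAND=")
        cmd = (c ? substr($0, c + 8) : "?")          # keep any ";" in the command
        printf "%s user=%s runas=%s cmd=%s\n", status, user, runas, cmd
    }'
}

# Prints "count user" for every account with at least one DENIED entry.
sudo_denied_users() {
    sudo_audit | awk '$1 == "DENIED" { sub(/^user=/, "", $2); n[$2]++ }
                      END { for (u in n) print n[u], u }' | sort -rn
}

# Constructed sample lines in the format of the two entries in this article,
# plus one unrelated sshd line that must be ignored.
SAMPLE_LOG='Aug  2 14:37:49 somehost sudo:  user : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/sbin/service sendmail restart
Aug  2 14:38:02 somehost sshd[2211]: Accepted password for user from 192.0.2.10 port 50022 ssh2
Aug  2 15:05:49 somehost sudo:  user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/sbin/service sendmail restart'

printf '%s\n' "$SAMPLE_LOG" | sudo_audit
```

On a live server, feed the real file instead of the sample, for example `sudo_denied_users < /var/log/secure` as root.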
