The sudo Command
The su command provides a powerful tool to allow users to be able to perform system administrative tasks. However, this method gives more power to users than is really required. A user operating in root's shell has the capability of accidently breaking things. There is a better way to allow users to perform certain functions: this is done through the sudo command. With the sudo command we can allow users to run commands with administrative privileges, without giving them root's password. We can also allow certain users to run only certain commands with root permissions. We will use sudo in many of the labs, and we will continue to see it used as we go through this course.
To allow a user permission to use the sudo command, they must be a member of the sudo group as specified in the /etc/group file. Some distros allow for any user in the admin group to have sudo permission. It is best though, to keep your configuration file, /etc/sudoers, file as simple as possible. It is also possible for individual users or groups to have an entry in the /etc/sudoers file that allows them access to the sudo command.
To run the sudo command you simply provide any options, if any, and the command you desire to run as root: sudo options command
The sudoedit Command
There are some files in the Linux world that have permissions set in such a manner that you need root privileges to edit them. This can be accomplished by using the sudo command with any of the editors; however, the preferred solution is to use the sudoedit command. Using sudo with an editor can have the unwanted side effect of changed ownership and permissions on some of your own configuration files.
To use the sudoedit command a user must have an entry in the /etc/sudoers file. For instance if you are a member of the group www - that is, your username is listed in the /etc/group file in the group www, then the following line would allow you to access the specified file with administrative privileges:
%www ALL = sudoedit /path/to/file
To run the sudedit command: sudoedit options filename
The more a Linux administrator makes use of these techniques and tools, the more secure the system will be.
The visudo Command
While we use the sudoedit command to make changes to many system files, we have the visudo command specifically to edit the /etc/sudoers file. This file is necessary for a user to gain root access on a Linux system. If it contains any errors, it would be impossible for any user
pbmac@pbmac-server $ sudo visudo >>> /etc/sudoers: syntax error near line 28 <<< What now? ? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!) what now? x pbmac@pbmac-server $
to be able to use the sudo command to gain administrative privileges. Therefore, there is a special command that not only allows the editing of the file but checks for errors before writing any changes back to the file. If there are errors, the user will get a notice, and will be asked what they want to do. They can return to edit mode, they can exit the edit session losing their changes, or they can save the changes (NOT recommended).
The Wheel Group
The wheel group is a special user group used on some Unix systems (mostly BSD systems) to control access to the su or sudo command, which allows a user to masquerade as another user (usually the super user). Debian-like operating systems creates a group called sudo with similar purpose to wheel group.
In some distros of Linux the wheel group is necessary to use the sudo command. On these systems you run the visudo command to edit the privileges of the wheel group. New users can also be added to the wheel group as necessary to enable them to operate with elevated privileges.