If you’ve used your Ubuntu machine for more than a week you’ve probably run into the sudo command. Particularly if you’ve followed any of my previous tutorials you’ve used it. Sudo allows you to run superuser commands on your machine, without needing a complete superuser account.
Now what happens when you have another user on that machine that needs certain superuser privileges but you don’t want to give them FULL access? Well sudo can be configured to give users sudo access, but limited to only certain commands. Here is a breakdown:
If you use the command:
sudo visudo
you’ll be taken into the self checking sudoers editing file. What you’ll want to look for is near the bottom and appears similar to this:
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
What this is defining is who has what sudo or superuser privileges on that machine. By default, and in this case root has all power and anyone in the admin group (generally just the initial user) has this control.
Now consider you have a buddy, wife or partner that also uses that machine and needs occasional sudo access but you’d prefer not to give them complete permissions to avoid destroying the world as we know it. Well, you can list them in this file and create a limited list of sudo permissions that they will be granted. An example would be below:
# User privilege specification
root ALL=(ALL) ALL
mike ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get
Let me break this down for you. By adding this new line to the file you’ve done the following:
The first listing, mike, is the user that is being assigned the privilege. For this to apply to a group of users on the machine you would prefix the name with a % as seen in the example above (%admin).
The second listing defines the hosts that these permissions apply to. For your use this will almost always apply to your local machine only so ALL is safe. If this does not apply to you (you will know who you are) you will want to define only the hosts to grant access).
Thirdly, the (root) entry defines what user the first user is applying the command as. In this example we want to run the command as root and not any other user. You can define this to another user (or user daemon) to allow access to their specific privileges.
Lastly we’ve got a comma separated list of commands that the user will have access to. In this case I’m allowing the user mike to add and remove programs from the machine using the apt-get and aptitude programs. Allowing users to add / remove programs from your machine as in this example can be dangerous. This is for example use and may not match your usage.
Sudo is our superhero friend while using Ubuntu. It allows us to temporarily take on a different persona, make changes to the critical parts of the machine and quietly change back again. Allowing other users this privilege can be helpful but it can also be harmful so be sure you understand who you are applying privileges to and to what commands. Security is #1, or should be, so use this knowlege wisely.
One recommendation I have is to make sure you prevent others from having sudo rights to:
* editors
* shells
* anything that can open or act as an editor or shell
Why? Very simple. If they can “sudo bash”, they now have full root access. If they can “sudo vim /etc/sudoers”, they’ve got full root access.
Just some interesting holes that I think a lot of us forget about. I know I don’t always think of this type of little detail.
~TuxGirl
Pingback: chrisolsen.org » Blog Archive » Rails setup on Linode
My sudo command does not work. It says my user
Name is not in the sudoers file, but, visudo
won’t let me edit sudoers. Like above I can’t sudo visudo. I’m stuck in this loop. Is there a way out?
TIA,
cliff
@Cliff – by default the first user created is is given sudo privileges. If you are not that user you’ll need to login as that user or reboot into recovery mode and add yourself to the file manually.
guyz, I have some problems. After i edit the configuration files using sudo visudo (I changed the root user so it dont have password), i cant login anymore. btw, im using putty to login. Can someone help ? thanks
Now, I have a question, what if I want the OPPOSITE?
For example, if I have another user in my Ubuntu. They can type: VirtualBox in the command line and they can run the VirtualBox program.
What will I do so that they can’t run it?
Thanks.
it’s simple
it’s ok to give user permission using vim, for example you simply add like this
mike ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get, /bin/vim, !/bin/vim /etc/sudoers
and now user mike can use vim to edit all of file, except /etc/sudoers
i hope that can help you..
@Adiseno – I’ll repeat TuxGirl’s remark that it is *never* a good idea to give access to an editor, and not just for the sake of being able to access or edit the sudoers file.
Give yourself sudo access to vim, and within vim run: ‘:!bash’. You’ve just rooted the box.