Sudo allows users to run commands as root while logging the command and its arguments.
In short, sudo first authenticates a user using their own password, then checks /etc/sudoers to see what sudo permissions (if any) the user has, then executes and logs the command if the user is allowed.
This is the preferred way to run commands as root for a few reasons:
- You do not need to give out the root password to users.
- You can limit which commands a user can run as root.
- All sudo commands are logged.
To use sudo on Fedora 15, first make sure the package is installed:
bash$ rpm -q sudo
sudo-1.7.4p5-4.fc15.x86_64
If it is not installed, su to root and install the package.
bash$ su -
root# yum install sudo
Next, edit the sudo configuration file by using the visudo command. Visudo locks the /etc/sudoers file against simultaneous edits, provides sanity checks, and checks for configuration errors. Avoid directly editing the /etc/sudoers file.
You will see that there are a variety of options, but let’s look at this line, which is enabled on Fedora 15 by default:
%wheel ALL=(ALL) ALL
This means that all users in the wheel group can run all commands as root (the ALL in parentheses allows running as any user, root included) on all systems that this sudoers file lives on. The sudoers file is designed so that you can have a single configuration live on various hosts and allow or disallow users by hostname.
Since this line is enabled in sudoers, quit visudo by exiting the editor and check what groups your username belongs to. In this example, my username is victor.
root# groups victor
victor : victor
In order to give the user full access to root using sudo, add the user to the wheel group.
root# usermod -a -G wheel victor
root# groups victor
victor : victor wheel
Next, log out of the root shell.
Now, as your user, you can use sudo to run commands as root. The first time you run sudo, some warnings and advice will be printed to the screen.
bash$ sudo /usr/bin/test
Type in your password (not the root password), and you will successfully run /usr/bin/test as root. If the default configuration is kept, sudo will not prompt for your password again until 5 minutes have passed since your last sudo command.
By default (on Fedora 15), sudo logs its usage into /var/log/secure by configuration of /etc/sudoers and /etc/rsyslog.conf. Normally, you need root permissions to read /var/log/secure, but now that you have sudo access, you can read the file. Read the sudo logs with something like this:
bash$ sudo grep sudo /var/log/secure
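The grep above returns raw syslog lines. As an added example (not part of the original article), the shell function below reduces them to one line per sudo event and marks attempts that sudo refused. The function names, the host name fedora15, the user mallory and the sample log lines are constructed for illustration, following the format sudo writes to syslog.

```shell
#!/bin/bash
# Added example: summarize sudo events from syslog lines read on stdin.
# One output line per event: STATUS<TAB>user<TAB>run-as<TAB>command<TAB>reason
# Real use: sudo grep sudo /var/log/secure | summarize_sudo_log
summarize_sudo_log() {
  awk '
    # Keep only lines sudo itself wrote: "<date> <host> sudo: <user> : ..."
    # (this skips PAM lines such as "sudo: pam_unix(sudo:auth): ...").
    / sudo: +[^ ]+ : / {
      match($0, / sudo: +/)
      rest = substr($0, RSTART + RLENGTH)
      p = index(rest, " : ")
      user = substr(rest, 1, p - 1)
      body = substr(rest, p + 3)
      # COMMAND= is always last; take everything after it so that
      # arguments containing " ; " are not split apart.
      c = index(body, "COMMAND=")
      if (c == 0) next
      cmd = substr(body, c + 8)
      n = split(substr(body, 1, c - 1), f, / ; /)
      runas = "?"; reason = ""
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
        # Any field that is not KEY=value is the refusal reason.
        else if (f[i] != "" && f[i] !~ /^(TTY|PWD|GROUP|ENV)=/) reason = f[i]
      }
      status = (reason == "") ? "OK" : "DENIED"
      if (reason == "") reason = "-"
      printf "%s\t%s\t%s\t%s\t%s\n", status, user, runas, cmd, reason
    }'
}

# Constructed sample input (not taken from a real system).
sample_sudo_log() {
  cat <<'EOF'
Jun  3 10:15:01 fedora15 sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/usr/bin/test
Jun  3 10:16:22 fedora15 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jun  3 10:17:38 fedora15 sudo: pam_unix(sudo:auth): authentication failure; logname=victor uid=0 euid=0 tty=/dev/pts/0 ruser=victor rhost=  user=victor
Jun  3 10:17:40 fedora15 sudo:   victor : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/bin/ls
Jun  3 10:19:05 fedora15 sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/bin/sh -c id ; whoami
EOF
}

sample_sudo_log | summarize_sudo_log
```

Lines marked DENIED (a user not in sudoers, repeated wrong passwords) are the ones worth reviewing first.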
Finally, see /etc/sudoers and the SUDOERS(5) man page for syntax on how to configure access rights for users based on group, command and hostname.
bash$ less /etc/sudoers
bash$ man sudoers