Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
Debian’s sudo package has the password timeout set to 15 minutes. This means that when you first enter your password, as long as you don’t wait more than 15 minutes between sudo commands, you won’t have to enter it again. The password timeout can be immediately expired with sudo -k.
Debian’s sudo is compiled with
As a consequence, the PATH of the user is ignored except if the user is in group sudo.
Installing SUDO in Debian
# apt-get install sudo
This will complete the installation of sudo.
SUDO Configuration file is /etc/sudoers
Default sudoers file looks like below
# This file MUST be edited with the ‘visudo’ command as root.
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
Only last line is valid now this means that the root user can run any command.
If you want to give perticular user to run any command use the following line in /etc/sudoers file
add the following line
user ALL=(ALL) ALL
here user means username
To run one command as root
For more commands, run your shell with sudo.
sudo sh (if sh is your shell.)
Be careful when you are root. When you are done, type exit
SUDO Configuration examples
# User alias specification
User_Alias ADMINS = user1, user2, user3
User_Alias WEBMASTERS = user4, user5, user6
# command alias specification
Cmnd_Alias APACHE = /usr/local/sbin/kickapache
Cmnd_Alias TAIL = /usr/bin/tail
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg
ROOT ALL = (ALL) ALL
WEBMASTERS ALL = PASSWD : APACHE, TAIL
admin ALL = NOPASSWD : /etc/init.d/apache
Running Commands Using SUDO
To get a file listing of an unreadable directory
$sudo ls /usr/local/protected
To list the home directory of user test on a machine where the file system holding ~test is not exported as root
$sudo -u test ls ~test
To edit the index.html file as user www:data
$sudo -u www:data vi ~www/htdocs/index.html
To shutdown a machine:
$sudo shutdown -r +15 “quick reboot”
To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub-shell to
make the cd and file redi-rection work.
$sudo sh -c “cd /home ; du -s * | sort -rn > USAGE”
If you want more options about sudo check sudo man page
Using Rootsh with SUDO
One more nice tool to use with sudo is rootsh
Download and install rootsh
Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It’s main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.
Start a shell with logging of input/output. Rootsh must be started via sudo if you want to become root. It does not raise your privileges on it’s own. You can run rootsh as a standalone application if you only want to log your own user’s session. If you call rootsh with additional commands, these will be passed to the shell.
You can create an entry in /etc/sudoers file
trusted_user host_or_ALL = /bin/rootsh
rootsh [OPTION]… [–] [COMMANDS]
User should see himself in a root shell, as if he typed “su -” or “sudo -s”.
Main advantage of this is, everything user types will be sent to syslog. So if he tries to access some secure files from the server you can catch him using the logfiles from your syslog server.
Rootsh Usage Examples
Start a logged root shell
$sudo rootsh -u oracle
Start a logged shell in the context of user oracle.
$rootsh -f mysession.log –no-syslog
Start a new shell for your user id, write protocol into mysession.log, do not send anything to syslog. This is
identical to “script -f mysession.log”
$sudo rootsh -i -u oracle lsnrctl stop
Run command “lsnrctl stop” as user oracle. (this will call sh -c “lsnrctl stop”)
$sudo rootsh -i -u oracle — ls -l
Run command “ls -l” as user oracle. (this will call sh -c “ls -l”)