Sudo

From Omnia

Latest revision as of 16:07, 4 May 2026

sudo

Edit Sudo Config

visudo

Sudo to Root

sudo -i
     -i, --login
                 Run the shell specified by the target user's password database entry as a login shell.  This means that login-
                 specific resource files such as .profile, .bash_profile, or .login will be read by the shell.  If a command is
                 specified, it is passed to the shell as a simple command using the -c option.  The command and any arguments are
                 concatenated, separated by spaces, after escaping each character (including white space) with a backslash (‘\’)
                 except for alphanumerics, underscores, hyphens, and dollar signs.  If no command is specified, an interactive
                 shell is executed.  sudo attempts to change to that user's home directory before running the shell.  The command
                 is run with an environment similar to the one a user would receive at log in.  Note that most shells behave
                 differently when a command is specified as compared to an interactive session; consult the shell's manual for
                 details.  The Command environment section in the sudoers(5) manual documents how the -i option affects the
                 environment in which a command is run when the sudoers policy is in use.

--

sudo su -

Sudo to Root with User Env

# Mnemonic memory aid - the halfway sexy 
sudo -s -E


     -E, --preserve-env
                 Indicates to the security policy that the user wishes to preserve their existing environment variables.  The
                 security policy may return an error if the user does not have permission to preserve the environment.

     -s, --shell
                 Run the shell specified by the SHELL environment variable if it is set or the shell specified by the invoking
                 user's password database entry.  If a command is specified, it is passed to the shell as a simple command using
                 the -c option.  The command and any arguments are concatenated, separated by spaces, after escaping each
                 character (including white space) with a backslash (‘\’) except for alphanumerics, underscores, hyphens, and
                 dollar signs.  If no command is specified, an interactive shell is executed.  Note that most shells behave
                 differently when a command is specified as compared to an interactive session; consult the shell's manual for
                 details.
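Both manual excerpts above (for -i and for -s) describe the same escaping rule for a command given on the sudo line. As an added example, not from this page and not sudo's own source, the Python below applies that rule so you can see the exact string the target user's shell receives as its -c argument; the function names are mine.

```python
"""Predict what sudo -i / sudo -s hand to the target user's shell.

Added example: not from this page and not sudo's own code.  It
re-implements the escaping rule quoted from sudo(8) above: the command
and its arguments are joined with spaces after every character except
alphanumerics, '_', '-' and '$' has been prefixed with a backslash, and
the result becomes the single argument of the shell's -c option.
"""
import shlex


def sudo_shell_escape(argv):
    """Return the string sudo builds for `shell -c` from argv (ASCII, C-locale alnum)."""
    escaped = []
    for arg in argv:
        escaped.append("".join(
            ch if (ch.isascii() and ch.isalnum()) or ch in "_-$" else "\\" + ch
            for ch in arg))
    return " ".join(escaped)


def words_seen_by_shell(argv):
    """Words left after the target shell removes the backslashes (no expansion done)."""
    return shlex.split(sudo_shell_escape(argv))


if __name__ == "__main__":
    for argv in (["echo", "hello world; id"], ["ls", "-la", "/tmp/my file"], ["echo", "$HOME"]):
        print("%-35r -> %s" % (argv, sudo_shell_escape(argv)))
```

The escaping is what keeps each argument a single word and stops `;`, spaces and quotes from being interpreted by the target shell. `$` is the one shell-special character the rule leaves unescaped, so a `$VAR` argument reaches that shell intact and is expanded there, in whatever environment sudo set up for the target user (which is exactly what the -E option above changes), not in the caller's shell.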

Sudo Config

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
## Allow user to restart apache
# minecraft  ALL=/sbin/service httpd restart
## Allow users to reboot
%users	ALL=/sbin/reboot

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL
kenneth ALL=(ALL:ALL) NOPASSWD:ALL

Note: NOPASSWD: works with or without a space after the colon (NOPASSWD:ALL and NOPASSWD: ALL are equivalent).

sudoers.d

/etc/sudoers.d/mrx

# mrx ALL=(ALL:ALL) NOPASSWD:ALL
mrx ALL=(ALL:ALL) ALL

Other Examples

apache	ALL=NOPASSWD: /var/www/chpasswd

ilock	ALL=NOPASSWD: /opt/admin/lock, /opt/admin/unlock

Apache Script to Reboot Host

reboot.php:

<?php
// Runs the reboot through sudo as the web server user; the sudoers line below permits that one command without a password.
echo shell_exec("sudo /sbin/reboot");
?>

visudo:

www-data ALL=NOPASSWD: /sbin/reboot

ref: [1]

Sudo Voodoo

Usage:

sudo <command>
sudo -u <user> <command>

List commands and privileges available to the current user:

sudo -l

Edit /etc/sudoers with visudo:

Username    Hosts=(Usernames or UIDs) Commands

Example:

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
strike  ALL=(ALL) NOPASSWD:ALL

# Uncomment to allow people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL
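The entries under Sudo Config, sudoers.d and Other Examples, and the `Username Hosts=(Usernames or UIDs) Commands` layout above, all share one line form. As an added example, not the wiki author's code and not part of sudo, here is a small Python parser for that form plus an audit pass over the page's own entries; every function name is mine and the sample file is assembled from the lines shown on this page. It flags the three things a reviewer wants to see first: `NOPASSWD:ALL` as root (the password checkpoint is gone for everyone matching the entry), unrestricted root with a password still required, and NOPASSWD commands that live outside the system binary directories, where the ownership and write permissions of the file and its parent directories decide whether the grant is really limited to that one command. It also shows that `NOPASSWD:ALL` and `NOPASSWD: ALL` parse the same, and that a tag or `(runas)` part carries over to the later commands in the same line.

```python
"""Parse and audit sudoers user specifications.

Added example for this page (not the wiki author's code and not part of
sudo): handles the 'who hosts=(runas) TAG: command, ...' form used by
every entry above and flags the grants a reviewer looks at first.  Not
modelled: aliases, line continuations, Defaults, '!' negation.
"""
import re
from collections import namedtuple

# Tags that may prefix a command (sudoers(5)); PASSWD cancels NOPASSWD, etc.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# Where a NOPASSWD target is expected to live: root-owned, not user-writable.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/local/bin/", "/usr/local/sbin/")
USER_SPEC_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")   # matches 'NOPASSWD:ALL' and 'NOPASSWD: ALL'

# runas_user is "root" when the entry has no (...) part (sudo's runas_default);
# command is "ALL" or the command line exactly as written in the file.
CmndSpec = namedtuple("CmndSpec", "runas_user runas_group tags command")
UserSpec = namedtuple("UserSpec", "who hosts cmnds")   # who: user, %group, +netgroup, #uid


def _split_top_level(text):
    """Split a Cmnd_Spec_List on commas outside a (runas) list."""
    parts, depth = [""], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("")
        else:
            parts[-1] += ch
    return [p.strip() for p in parts if p.strip()]


def parse_user_spec(line):
    """Parse one user specification; None for blank, comment and Defaults lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = USER_SPEC_RE.match(line)
    if not m:
        raise ValueError("unrecognised sudoers line: %r" % line)
    who, hosts, rest = m.groups()
    runas_user, runas_group, tags, cmnds = "root", "", frozenset(), []
    for spec in _split_top_level(rest):
        rm = RUNAS_RE.match(spec)
        if rm:   # a Runas_Spec stays in force for the commands that follow it
            user, _, group = rm.group(1).partition(":")
            runas_user, runas_group = user.strip(), group.strip()
            spec = spec[rm.end():]
        tm = TAG_RE.match(spec)
        while tm and tm.group(1) in TAGS:   # tags carry over to later commands too
            tag = tm.group(1)
            opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
            tags = (tags - {opposite}) | {tag}
            spec = spec[tm.end():]
            tm = TAG_RE.match(spec)
        cmnds.append(CmndSpec(runas_user, runas_group, tags, spec.strip()))
    return UserSpec(who, hosts, tuple(cmnds))


def audit(lines):
    """Return (who, hosts, command, finding) for every grant worth a second look."""
    findings = []
    for line in lines:
        spec = parse_user_spec(line)
        if spec is None or spec.who == "root":   # root's own stock entry is not a grant
            continue
        for c in spec.cmnds:
            as_root = c.runas_user in ("ALL", "root")
            nopasswd = "NOPASSWD" in c.tags
            path = c.command.split()[0] if c.command else ""
            if c.command == "ALL" and as_root:
                findings.append((spec.who, spec.hosts, c.command, "passwordless unrestricted root"
                                 if nopasswd else "unrestricted root (password required)"))
            elif c.command != "ALL" and not path.startswith("/"):
                findings.append((spec.who, spec.hosts, c.command, "command path is not absolute"))
            elif c.command != "ALL" and nopasswd and not path.startswith(SYSTEM_DIRS):
                findings.append((spec.who, spec.hosts, c.command, "NOPASSWD command outside system "
                                 "dirs: confirm file and parent dirs are root-owned, not writable by " + spec.who))
    return findings


# Constructed input: the entries shown on this page, collected into one file.
SAMPLE_SUDOERS = """\
root     ALL=(ALL)       ALL
%wheel   ALL=(ALL)       ALL
# %wheel ALL=(ALL)       NOPASSWD: ALL
%users   ALL=/sbin/reboot
%sudo    ALL=(ALL:ALL) NOPASSWD:ALL
kenneth  ALL=(ALL:ALL) NOPASSWD:ALL
mrx      ALL=(ALL:ALL) ALL
apache   ALL=NOPASSWD: /var/www/chpasswd
ilock    ALL=NOPASSWD: /opt/admin/lock, /opt/admin/unlock
www-data ALL=NOPASSWD: /sbin/reboot
strike   ALL=(ALL) NOPASSWD:ALL
Defaults requiretty
"""

if __name__ == "__main__":
    for who, hosts, cmd, why in audit(SAMPLE_SUDOERS.splitlines()):
        print("%-9s %-4s %-24s %s" % (who, hosts, cmd, why))
```

Run as a file it prints the findings for the sample; to review a live host, feed it the lines of /etc/sudoers and of each file under /etc/sudoers.d/ instead. It is a review aid only: syntax is still checked by `visudo -c` before a file goes live, and entries that use aliases or `!` negation are outside what this parser understands.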

Forgot Sudo?

You can use '!!' to recall the last command (that failed)

$ rm -rf /home/user1
  Permission Denied!
$ sudo !!

Source: Forgetting Sudo (we've all done it) | Linux Journal

Issues

sudo: sorry, you must have a tty to run sudo

If you try to run sudo from a batch job or script you may get this error. Comment out the following line in the sudoers file (edit it with visudo) so that it reads:

#Defaults requiretty

keywords

sudo visudo