Sudo: Difference between revisions
| (2 intermediate revisions by the same user not shown) | |||
| Line 22: | Line 22: | ||
ment in which a command is run when the sudoers policy is in use. | ment in which a command is run when the sudoers policy is in use. | ||
</pre> | </pre> | ||
-- | |||
sudo su - | |||
== Sudo to Root with User Env == | == Sudo to Root with User Env == | ||
# Mnemonic memory aid - the halfway sexy | # Mnemonic memory aid - the halfway sexy | ||
sudo -s -E | sudo -s -E | ||
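Review bot: the added `--` and `sudo su -` lines after the closing `</pre>` carry no explanation. Add a short caption saying this is an alternative way to get a root login shell and how it differs from `sudo -i`, otherwise readers will take the `--` as part of the man page excerpt.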
| Line 78: | Line 82: | ||
/etc/sudoers.d/mrx | /etc/sudoers.d/mrx | ||
mrx ALL=(ALL:ALL) NOPASSWD:ALL | # mrx ALL=(ALL:ALL) NOPASSWD:ALL | ||
mrx ALL=(ALL:ALL) ALL | |||
== Other Examples == | == Other Examples == | ||
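Review bot: in the /etc/sudoers.d/mrx example the old `NOPASSWD:ALL` rule is left as a commented-out line directly above the new `mrx ALL=(ALL:ALL) ALL`, with nothing saying which form is recommended. Either drop the commented line or add a sentence that the password-requiring rule is the intended one, and mention that the file should be edited with `visudo -f /etc/sudoers.d/mrx` so a syntax error is caught before it is saved.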
Latest revision as of 16:07, 4 May 2026
sudo
Edit Sudo Config
visudo
Sudo to Root
sudo -i
-i, --login
Run the shell specified by the target user's password database entry as a login shell. This means that login-
specific resource files such as .profile, .bash_profile, or .login will be read by the shell. If a command is
specified, it is passed to the shell as a simple command using the -c option. The command and any arguments are
concatenated, separated by spaces, after escaping each character (including white space) with a backslash (‘\’)
except for alphanumerics, underscores, hyphens, and dollar signs. If no command is specified, an interactive
shell is executed. sudo attempts to change to that user's home directory before running the shell. The command
is run with an environment similar to the one a user would receive at log in. Note that most shells behave dif‐
ferently when a command is specified as compared to an interactive session; consult the shell's manual for de‐
tails. The Command environment section in the sudoers(5) manual documents how the -i option affects the environ‐
ment in which a command is run when the sudoers policy is in use.
--
sudo su -
Sudo to Root with User Env
# Mnemonic memory aid - the halfway sexy
sudo -s -E
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing environment variables. The se‐
curity policy may return an error if the user does not have permission to preserve the environment.
-s, --shell
Run the shell specified by the SHELL environment variable if it is set or the shell specified by the invoking
user's password database entry. If a command is specified, it is passed to the shell as a simple command using
the -c option. The command and any arguments are concatenated, separated by spaces, after escaping each charac‐
ter (including white space) with a backslash (‘\’) except for alphanumerics, underscores, hyphens, and dollar
signs. If no command is specified, an interactive shell is executed. Note that most shells behave differently
when a command is specified as compared to an interactive session; consult the shell's manual for details.
Sudo Config
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Allow user to restart apache
# minecraft ALL=/sbin/service httpd restart
## Allow users to reboot
%users ALL=/sbin/reboot
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
kenneth ALL=(ALL:ALL) NOPASSWD:ALL
Note: NOPASSWD: works with or without a space after the colon.
sudoers.d
/etc/sudoers.d/mrx
# mrx ALL=(ALL:ALL) NOPASSWD:ALL
mrx ALL=(ALL:ALL) ALL
Other Examples
apache ALL=NOPASSWD: /var/www/chpasswd
ilock ALL=NOPASSWD: /opt/admin/lock, /opt/admin/unlock
Apache Script to Reboot Host
reboot.php:
<?php
echo shell_exec("sudo /sbin/reboot");
?>
visudo:
www-data ALL=NOPASSWD: /sbin/reboot
ref: [1]
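An added example, not part of the original page: a small shell audit that reads sudoers-style lines and reports the active NOPASSWD rules, such as the www-data and %sudo entries above. The function names and the simplified one-rule-per-line parsing are assumptions of this example.

```shell
#!/bin/sh
# audit_sudoers [FILE]  (reads stdin when FILE is omitted)
# Prints one line per active user specification that uses NOPASSWD:
#   HIGH   <who> passwordless, all commands
#   REVIEW <who> passwordless: <command list>
# Simplified parser (assumption): one rule per line, no aliases, no line
# continuations, no "#uid" user names. "sudo -l -U <user>" gives the real answer.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, #include lines, blanks
    /^[ \t]*Defaults/ || /_Alias[ \t]/ { next }  # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        spec = substr($0, eq + 1)
        if (spec !~ /NOPASSWD[ \t]*:/) next      # password still required
        sub(/^[ \t]*\([^)]*\)/, "", spec)        # drop the (runas) part
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)   # drop tags such as NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", spec)        # trim
        n = split(spec, cmd, /[ \t]*,[ \t]*/)
        all = 0
        for (i = 1; i <= n; i++) if (cmd[i] == "ALL") all = 1
        if (all) printf "HIGH %s passwordless, all commands\n", who
        else     printf "REVIEW %s passwordless: %s\n", who, spec
    }' "${1:--}"
}

# Constructed sample input, assembled from rules shown on this page.
sample_sudoers() {
    cat <<'EOF'
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
mrx ALL=(ALL:ALL) ALL
ilock ALL=NOPASSWD: /opt/admin/lock, /opt/admin/unlock
www-data ALL=NOPASSWD: /sbin/reboot
Defaults requiretty
EOF
}

sample_sudoers | audit_sudoers
```

Commented-out rules and password-requiring rules such as the mrx entry produce no output; only the three active NOPASSWD rules in the sample are reported.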
Sudo Voodoo
Usage:
sudo <command>
sudo -u <user> <command>
List commands and privileges available to the current user:
sudo -l
Edit /etc/sudoers with visudo:
Username Hosts=(Usernames or UIDs) Commands
Example:
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
strike ALL=(ALL) NOPASSWD:ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Forgot Sudo?
You can use '!!' to recall the last command (that failed)
$ rm -rf /home/user1
Permission Denied!
$ sudo !!
Source: Forgetting Sudo (we've all done it) | Linux Journal
Issues
sudo: sorry, you must have a tty to run sudo
If you run sudo from a batch program (with no terminal attached), you may get this error. Comment out the following line using 'visudo':
#Defaults requiretty