Understanding Sudo access in Linux with hands-on examples

Learn How to Master Root Privileges!

Image source: Ana Teixeira Pinto @ https://dutchartinstitute.eu/

What is sudo?

If you’re new to Linux or need to manage user permissions on a Linux system, understanding sudo access is essential. The command-line tool in Linux called sudo (short for “superuser do”) enables users to run tasks with elevated capabilities. In other words, it gives users the ability to carry out tasks that otherwise call for root or administrative access. System administration, installing or updating software, and other administrative duties are frequently carried out via sudo.

Setting up sudo

The root user has full access to the machine by default. But you shouldn’t use the root account for everyday jobs because it can be dangerous. You can instead set up other users to be able to use sudo. To set up sudo, you’ll need to add people to the sudoers file, which is a list of users who are allowed to use sudo.

Linux has a file called sudoers that controls how the sudo tool works. It tells you which users or groups can run commands with higher rights and what commands they can run.

On most Linux systems, the sudoers file is found at /etc/sudoers. It is recommended to edit it with the visudo command, which is a safe way to make changes to the file and avoid syntax errors. The sudoers file has a certain syntax that lets you set rules for who can run certain commands with higher rights.

To give the user ‘attriab’ full sudo access, you can add the following line:

attriab ALL=(ALL) ALL

This line says that the user ‘attriab’ can use the sudo command to run any task as any other user.

Using sudo

Once sudo access is set up, you can use it to run tasks with more rights. To do this, just put “sudo” before the command. For example, to update a package using the apt package manager, you can type the command:

sudo apt-get install {packagename}

You will be asked for your password when you run this script. This is a very important security measure because it makes sure that only people who are allowed to can use sudo.

Best practices for using sudo

Image source: https://gifer.com/

1. Use sudo only when you have to. Running commands with higher privileges can be dangerous, so only use sudo when you need to do administrative work.
2. You should always verify the command before executing it with sudo. When using sudo, double-check that you are entering the correct command to avoid potentially disastrous results from a typo or error.
3. Restrict sudo privileges to only those who truly require them! The risk of security breaches and accidental system damage rises when too many users have sudo access.

Useful examples involving Linux sudo access

These hands-on exercises should help you understand sudo access better by allowing you to practice using it in different scenarios. Have fun! Please note that I used a Debian machine for the commands used below.

A. Create a new user with sudo privileges

Let’s create a new user account with sudo access and then test that user’s ability to do administrative tasks. Follow these steps to do this:

# Create as a new user, say 'attriab':
$ sudo adduser attriab

  Adding user `attriab' ...
  Adding new group `attriab' (1001) ...
  Adding new user `attriab' (1001) with group `attriab' ...
  Creating home directory `/home/attriab' ...
  Copying files from `/etc/skel' ...
  New password:
  Retype new password:
  passwd: password updated successfully
  Changing the user information for attriab
  Enter the new value, or press ENTER for the default
   Full Name []: Abhishek Attri
   Room Number []:
   Work Phone []:
   Home Phone []:
   Other []:
  Is the information correct? [Y/n] y

# Add the new user to the sudo group
$ sudo usermod -aG sudo attriab

# Switch to the new user (you will need to enter the password)
$ su attriab

# Run a command that requires elevated privileges to see 
# if the user can do administrative tasks 
$ apt-get update

  Reading package lists... Done
  E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
  E: Unable to lock directory /var/lib/apt/lists/
  W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
  W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)

# Note that this command needs sudo previliges to run. 
# Re-ruun the command as sudo
$ sudo apt-get update
  
  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

  [sudo] password for attriab:
  Hit:1 http://cdn-aws.deb.debian.org/debian bullseye InRelease
  Hit:2 http://cdn-aws.deb.debian.org/debian bullseye-updates InRelease
  Hit:3 http://cdn-aws.deb.debian.org/debian bullseye-backports InRelease
  Hit:4 http://security.debian.org/debian-security bullseye-security InRelease
  Reading package lists... Done

# Works like a charm! 😊

B. Limit sudo access with sudoers file

We can modify the sudoers file to restrict a user’s sudo access to particular commands or directories.

# Open the sudoers file for editing using the command
$ sudo visudo

# Locate the 'touch' binary in your system. This will be used ahead.
$ whereis touch
  touch: /usr/bin/touch /usr/share/man/man1/touch.1.gz

# Add a new line that limits the user's sudo access to the file. For example, 
# to make sure the user 'attriab' cannot run touch command, add this line:
$ attriab ALL=(ALL) !/usr/bin/touch !/usr/share/man/man1/touch.1.gz

# Save and close the sudoers file.

# Switch to the new user (you will need to enter the password)
$ su attriab

# Test the user's limited sudo access by running a command that isn't allowed
$ touch helloworld.txt
  touch: cannot touch 'helloworld.txt': Permission denied

Image source: Zoe Roth

C. Schedule a task with sudo access

Let’s schedule a task that requires sudo access to run automatically at a specific time or interval.

# Create new shell script with the tasks you want to run with sudo.
touch +x scheduled_script.sh

# Make the script executable
chmod +x scheduled_script.sh

# Edit the root user's crontab file 
sudo crontab -e

# Add a new entry to the root user's crontab file that specifies the 
# time or interval when the script should be run. For example, to 
# run the script every hour, add the following line:
0 * * * * /path/to/scheduled_script.sh

# Wait for the time or interval you set, and then check the script's results!

crontab - Unix, Linux Command

D. Managing system services and modifying system files

Sudo access is required to manage system services, such as starting, stopping, or restarting services like Apache or Nginx. This is particularly useful for web developers who need to manage web servers.

Also, sudo users can change system files like Apache or Nginx configuration files, which are usually stored in protected folders. This is especially helpful for system managers who have to change the way the system is set up.

E. Use sudo access to troubleshoot system issues

This exercise involves using sudo access to troubleshoot system issues by examining system logs and running diagnostic commands more efficiently. Some of such useful commands are mentioned below:

-> Use ‘sudo journalctl’ command to look at the system log and find out about any problems.

Using journalctl - The Ultimate Guide To Logging

-> Use ‘sudo netstat -tulnp’ command to see which network ports are open and which services are waiting on them.

Linux networking: 13 uses for netstat

-> Use the ‘sudo lsof’ tool to see what files are open and what programs are using them.

lsof(8) - Linux manual page

Thank you for taking the time to read my article! I hope you found it informative and valuable. If you have any feedback, comments, or questions, please feel free to reach out 😄
I look forward to sharing more content with you in the future! 🤘