Using the sudo command
Reviewed 5/8/14 by Bil Hays
The sudo command allows a user to execute commands with superuser privileges on a UNIX system. This article describes the responsibilities of anyone using the sudo command on UNC Computer Science systems, followed by a description of how to use sudo.
By receiving and using sudo privileges on Computer Science systems, you agree to abide by the following rules:
- Before using sudo the first time, read the manual page on sudo (“man sudo”) and read this web page.
- The sudo privilege and the powers it provides are to be used only for completing your department-related work.
- You are not to use it to gain access to materials and information that other persons in this department have attempted to prevent you from seeing.
- Never leave a root shell or a window in which you have just used sudo unattended. (After you use sudo once, a password is not required to run it again within five minutes.)
- Never provide your password to anyone.
- Take all precautions to ensure that no one else discovers your password. If at any time you believe your password has been compromised, immediately bring this to the attention of a full-time Computer Services employee or send email to help.
- Do not provide local root privileges for other users by letting them use a shell you have already started or a login in which you have already run sudo. Instead, determine what they believe should be done. Then, using your good judgment, take the appropriate action yourself.
- Do not use your sudo rights to create a local account. Instead, contact email@example.com to have a department account created that will be subject to the department’s password aging and complexity policies.
- It is easy to damage the software on a system when using root (administrative) privileges. Therefore, it is important that you very carefully consider every action you take as root before you do it. If you make changes that leave the system unusable, Computer Services will fix it, generally by wiping the disk and reinstalling the operating system.
- The IT Director can revoke this privilege at any time.
sudo allows a permitted user to execute a command as the superuser or as another user, as specified in the /etc/sudoers file. By default, sudo requires that you authenticate with your own password. Once you are authenticated, you may use sudo without a password for five minutes. After that, you will need to give your password again to execute a sudo command.
Some examples are the best way to show sudo’s usage:
To cat a root-owned file that you normally cannot read:
sudo cat /etc/shadow
You will be prompted for YOUR password the first time you execute sudo. After that, you will not have to give your password again for five minutes.
To get a root shell you can execute:
sudo -i
This will give you a shell as root that is not subject to the five-minute sudo timeout.
Some programs launched from the GUI prompt for the root password. Since you do not have the root password, you will need to run the underlying command from the command line with sudo instead. For example, if you want to change your display settings, from the GUI bring up “Applications|System Settings|Display”. Then, instead of left-clicking on “Display”, right-click and then left-click on “Properties”; this will show you the command to execute. Also note that if you do launch a GUI tool that requires root, the popup tells you the command it is trying to run. First determine what command the GUI is trying to run, and then execute “sudo command-name” to run that command as root.
On Red Hat Linux, certain commands are logged by default in /var/log/secure, including any command prefixed by “sudo”. This may be useful if you clobber something and want to see which commands you ran. If you run “sudo -i” (or otherwise sudo to a shell), the commands you then type inside that shell are not logged.
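As an added example (not part of the original article), the following Python reads the sudo entries that Red Hat writes to /var/log/secure and picks out the two things the text describes: commands sudo refused, and successful shell starts after which sudo records nothing further. The log lines, host name and user names are constructed for this example; it assumes a root shell request appears as the shell's path in the COMMAND field, as “sudo -i” does.

```python
import re
from typing import Dict, List, Optional

# Shape of the line sudo writes through syslog (on Red Hat it lands in /var/log/secure):
#   <timestamp> <host> sudo: <user> : [<note> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...
# <note> is present only when the command was refused (bad password, not in sudoers).
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s*:\s*(?:(?P<note>[^;]*?)\s*;\s*)?"
    r"TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*USER=(?P<runas>\S+)\s*;\s*"
    r"COMMAND=(?P<command>.*)$"
)
# Programs that hand the caller an interactive shell. Once one of these runs,
# nothing typed inside it is recorded by sudo, which is the gap the article notes.
SHELL_PROGRAMS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
# Constructed sample of /var/log/secure lines (hypothetical host and users).
SAMPLE_LOG = """\
May  8 09:12:01 cs-host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  8 09:13:40 cs-host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May  8 09:20:15 cs-host sudo:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
May  8 09:21:02 cs-host sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
May  8 09:30:00 cs-host sudo:   carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/sh -c /usr/local/bin/backup.sh
May  8 09:31:11 cs-host sudo:    dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su -
May  8 09:32:00 cs-host sshd[1234]: Accepted publickey for alice port 50000 ssh2
""".splitlines()

def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one sudo entry, or None for lines from other daemons."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_shell_escape(entry: Dict[str, str]) -> bool:
    """True when the logged command starts an interactive shell."""
    argv = entry["command"].split() or [""]
    prog = argv[0].rsplit("/", 1)[-1]
    # `sh -c '<cmd>'` is one-shot and fully recorded on this line; only a shell
    # started without -c goes on to run commands that sudo never sees.
    return prog in SHELL_PROGRAMS and "-c" not in argv[1:]

def shell_escapes(lines: List[str]) -> List[Dict[str, str]]:
    """Entries that actually ran (no refusal note) and opened a root shell."""
    entries = (parse_sudo_line(l) for l in lines)
    return [e for e in entries
            if e and e["note"] is None and e["runas"] == "root" and is_shell_escape(e)]

def denied(lines: List[str]) -> List[Dict[str, str]]:
    """Entries sudo refused; the note says why (wrong password, not in sudoers)."""
    entries = (parse_sudo_line(l) for l in lines)
    return [e for e in entries if e and e["note"] is not None]
```

For a real log, pass `open("/var/log/secure").readlines()` in place of SAMPLE_LOG; the timestamps of the shell escapes mark where the per-command record stops.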