
Allow a normal user to run commands as root under Linux / UNIX operating systems

Posted by Vivek Gite [Last updated: March 8, 2008]

From my mail bag:

I would like to run a few commands, such as stopping or starting the web server, as the root user. How do I allow a normal user to run these commands as root?

You need the sudo command, which executes a command as another user. It allows a permitted user to run a command as the superuser or as another user, as specified in the /etc/sudoers file (the configuration that lists who may run what, and on which host). In other words, sudo lets users carry out tasks on a Linux system as another user without logging in as that user.

sudo is more secure than the su command: nobody has to be told the root password, each user authenticates with their own password, rights can be limited to specific commands on specific hosts, and by default every invocation is logged with the command and its arguments to /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root, or if the target user is the same as the invoking user, no password is required. Otherwise sudo requires users to authenticate themselves with a password by default (NOTE: in the default configuration this is the user's own password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time: 5 minutes in sudo's upstream default, 15 minutes as Debian and Ubuntu build it, unless overridden with the timestamp_timeout option in sudoers.

/etc/sudoers Syntax

Following is the general syntax of a user specification in the /etc/sudoers file:
USER HOSTNAME=COMMAND
Where,
USER is the login name of the user the rule applies to (a group is written as %groupname).
HOSTNAME is the hostname of the machine on which the rule is valid, as printed by the hostname command, or ALL for every host. Because the host is part of the rule, one sudoers file can be copied to several machines and each applies only the rules written for it.
COMMAND is the full path of the command the user may run as root, optionally followed by the exact arguments that are allowed. Several commands are separated by commas. A command listed without arguments may be run with any arguments.
An optional target user can be given in parentheses before the command, as in USER HOSTNAME=(RUNAS) COMMAND; when it is omitted the command runs as root.

How do I use sudo?

For example, suppose you want to give the user rokcy the right to halt the machine and to restart the Apache web server on a host named dbserver.
1) Log in as the root user.

2) Use the visudo command to edit the config file. visudo locks /etc/sudoers against concurrent edits and syntax-checks the file before saving it, so a typo cannot lock everybody out of sudo:
# visudo
3) Append the following lines to the file:
rokcy dbserver=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart
The host field must be the name that the hostname command prints on that machine (dbserver here) or ALL; sudo compares it with the local hostname when deciding whether a rule applies, so a rule written for "localhost" only matches a machine that is actually named localhost. The second rule allows exactly the argument restart; rokcy cannot run the script with stop or any other argument.

4) Save the file and exit to the shell prompt.
5) Now the rokcy user can restart the Apache server by typing the following command:
$ sudo /etc/init.d/apache-perl restart
Output:

Password:
Restarting apache-perl 1.3 web server....

sudo has logged the command, its arguments, the terminal and the working directory to /var/log/secure or /var/log/auth.log:
# tail -f /var/log/auth.log
Output:

May 13 08:37:43 debian sudo:       rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart

If rokcy wants to shut down the computer, he needs to type:
$ sudo /sbin/halt
Output:

Password:

Before running a command with sudo, users usually supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run. sudo logs each command run and in some cases has completely supplanted the superuser login for administrative tasks.
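The steps above as one script, an added example that is not part of the nixCraft article: it builds the rule, syntax-checks it with visudo -c before anything touches the live configuration, installs it as a drop-in under /etc/sudoers.d, and lists the resulting rights with sudo -l -U. The script name add_sudo_rule.sh is made up; it assumes a sudo recent enough to honour "#includedir /etc/sudoers.d" (sudo 1.7.2 and later, which is what current Debian, Ubuntu and Red Hat ship). On older versions paste the checked line into visudo instead.

```shell
#!/bin/sh
# add_sudo_rule.sh: grant USER the right to run specific commands as root on HOST.
# Added example, not nixCraft's script. Assumes sudo >= 1.7.2 with
# "#includedir /etc/sudoers.d" in /etc/sudoers (an assumption, check yours).
#
# Usage (as root): ./add_sudo_rule.sh USER HOST 'CMD [ARGS]' ['CMD [ARGS]' ...]
#   ./add_sudo_rule.sh rokcy dbserver /sbin/halt '/etc/init.d/apache-perl restart'

SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# build_rule USER HOST CMD... -> prints one sudoers user specification.
# Every command must be an absolute path: a relative name would let the user
# choose, via PATH, which binary actually runs as root.
build_rule() {
    _user=$1; _host=$2; shift 2
    [ "$#" -gt 0 ] || { echo "build_rule: no commands given" >&2; return 1; }
    _cmds=""
    for _c in "$@"; do
        case $_c in
            /*) ;;
            *) echo "build_rule: not an absolute path: $_c" >&2; return 1 ;;
        esac
        _cmds="${_cmds:+$_cmds, }$_c"
    done
    printf '%s %s=(root) %s\n' "$_user" "$_host" "$_cmds"
}

# check_rule FILE -> syntax-checks a candidate fragment without installing it.
check_rule() {
    visudo -cf "$1"
}

# install_rule USER HOST CMD... -> validate, install as a drop-in, then show
# what the user may now run. Nothing is installed if visudo rejects the rule.
install_rule() {
    _name=$1
    _tmp=$(mktemp) || return 1
    build_rule "$@" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    if ! check_rule "$_tmp"; then
        echo "install_rule: rejected by visudo, nothing installed" >&2
        rm -f "$_tmp"; return 1
    fi
    # sudo refuses sudoers files that are not root-owned mode 0440, and it
    # ignores drop-ins whose name contains a '.' or ends in '~'.
    install -m 0440 -o root -g root "$_tmp" "$SUDOERS_D/10-$_name" && rm -f "$_tmp"
    sudo -l -U "$_name"
}

if [ "$#" -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_rule "$@"
fi
```

Only build_rule is safe to run as an ordinary user; install_rule needs root. The temporary file is thrown away whenever visudo rejects it, which is the same protection the article gets by editing through visudo rather than opening /etc/sudoers in a plain editor.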

More examples

a) Specify multiple commands for user jadmin, valid on every host (ALL):
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
A command listed without arguments may be run with any arguments, so this rule lets jadmin kill any process on the system. Append the arguments you mean to allow (for example /etc/init.d/httpd restart), or "" to forbid arguments altogether.
b) Allow user jadmin to run /sbin/halt without any password, i.e. as root without authenticating himself:
jadmin ALL=NOPASSWD: /sbin/halt
c) Allow user charvi to run any command from the /usr/bin directory on the system devl02:
charvi devl02 = /usr/bin/*
Be careful with wildcards: /usr/bin contains shells and programs such as vi, less and find that can start an interactive shell, so this rule is effectively unrestricted root for charvi. List the individual commands instead.
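A small audit script for the traps in the examples above, added here and not part of the nixCraft article: it reads a sudoers file (or stdin) and flags, per command, ALL grants, wildcard paths, NOPASSWD, known shell-escape programs, and commands listed without an argument restriction. The script name audit_sudoers.sh, the sample rules in sample_sudoers and the list of shell-escape programs are mine; the sample is a constructed file that mirrors the article's examples plus two extra lines.

```shell
#!/bin/sh
# audit_sudoers.sh: flag sudoers grants that are broader than they look.
# Added example, not from the nixCraft article.

# Hand-picked programs that can spawn a shell or write arbitrary files when run
# as root (an assumption: extend it for the binaries present on your system).
SHELL_ESCAPES="/bin/sh /bin/bash /bin/su /usr/bin/env /usr/bin/vi /usr/bin/vim /usr/bin/less /usr/bin/more /usr/bin/find /usr/bin/awk /usr/bin/perl /usr/bin/python"

# audit_sudoers [FILE] -> prints "line N: <command>: <reason>" per finding.
# Exit status 0 when nothing was flagged, 1 otherwise.
audit_sudoers() {
    awk -v escapes="$SHELL_ESCAPES" '
    BEGIN {
        n = split(escapes, list, " ")
        for (i = 1; i <= n; i++) esc[list[i]] = 1
        found = 0
    }
    function report(cmd, why) { printf "line %d: %s: %s\n", NR, cmd, why; found++ }
    {
        line = $0
        sub(/#.*/, "", line)                     # strip comments and #include lines
        if (line !~ /=/) next                    # blank or not a specification
        # Defaults and non-command aliases carry no command list.
        if (line ~ /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/) next
        spec = line
        sub(/^[^=]*=[ \t]*/, "", spec)           # keep what follows the first "="
        gsub(/\([^)]*\)[ \t]*/, "", spec)        # drop "(runas)" lists
        if (spec ~ /NOPASSWD:/) {
            report(spec, "NOPASSWD: runs as root with no authentication")
            sub(/NOPASSWD:[ \t]*/, "", spec)
        }
        m = split(spec, cmds, /,[ \t]*/)
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "") continue
            split(c, parts, /[ \t]+/)
            prog = parts[1]
            if (c == "ALL")
                report(c, "every command as root, i.e. unrestricted root")
            else if (prog ~ /\*/)
                report(c, "wildcard path matches every program there, shells and editors included")
            else if (prog in esc)
                report(c, "can spawn a root shell or write any file as root")
            else if (c == prog)
                report(c, "no arguments listed, so any arguments are accepted; add the intended ones or \"\" to forbid arguments")
        }
    }
    END { exit (found > 0) }
    ' "$@"
}

# Constructed sample, not a real sudoers file: the article's grants plus an
# unrestricted ALL rule and an editor that can shell out.
sample_sudoers() {
    printf '%s\n' \
        '# constructed sample, not a real sudoers file' \
        'jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd' \
        'jadmin ALL=NOPASSWD: /sbin/halt' \
        'charvi devl02 = /usr/bin/*' \
        'rokcy dbserver=/etc/init.d/apache-perl restart' \
        'ops ALL=(ALL) ALL' \
        'web ALL=/usr/bin/vim /etc/apache2/apache2.conf'
}

if [ "$#" -gt 0 ]; then
    audit_sudoers "$@"
else
    sample_sudoers | audit_sudoers || :   # demo run; findings are the expected verdict
fi
```

Run it as ./audit_sudoers.sh /etc/sudoers /etc/sudoers.d/* to check a live system. Only the article's rokcy rule, which pins the argument to restart, comes out clean; note that Cmnd_Alias definitions are audited as literal lines and are not expanded where they are referenced.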


UPDATED for accuracy.


Discussion on This Article:

  1. danger Says:

    I’m probably missing something, but I don’t actually understand the HOSTNAME values. In point 3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the apache server running on the “dbserver” box, but how does the “dbserver” know that? Is the sudoers file shared between servers somehow?

    I mean, if “rocky” telnets/SSHs to dbserver, will he be able to restart apache-server?

    Thanks a lot for helping a Linux n00b.

  2. LinuxTitli Says:

    >3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the apache server running on “dbserver” box, but how does the “dbserver” knows that?

    It means allow user rocky to run /etc/init.d/apache-perl on the system dbserver. You need to use the /etc/hosts file to define all hosts in the network, or use DNS/NIS to resolve hostnames. From any one of these it can find out the dbserver name. Use the hostname command to get the actual hostname.

    >Is the sudoers file shared between servers someway.
    sudoers files can be shared if you want, using Cfengine. If you are on a large network it can be done. But remember it is a complex operation and needs careful planning.

    >I mean, if “rocky” telnets/SSHs to dbserver will he be able to restart apache-server?

    Yup, that is how it works. You can telnet (do not use it, as it is insecure) / ssh into dbserver and restart the apache server.

  3. anand Says:

    I am very much impressed with this site; through this site there is a chance for self-development in technical knowledge.
    Thank you very much.
    I hope you will continue this forever.
    God bless you.
    Convey my regards to you and all your supporters involved in this project.

    Yours,
    Anand, Machilipatnam, INDIA


Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.