Allow A Normal User To Run Commands As root Under Linux / UNIX Operating Systems

May 13, 2006 · 20 comments · Last updated October 27, 2009


From my mail bag:

I would like to run a few commands, such as stopping or starting the web server, as the root user. How do I allow a normal user to run these commands as root?


You need to use the sudo command, which executes a command as another user. It allows a permitted user to run a command as the superuser or as another user, as specified in the /etc/sudoers file (the configuration file that lists who may run what, and on which host). In short, sudo lets users carry out tasks on a Linux system as another user.

sudo command

sudo is more secure than the su command: the user authenticates with their own password rather than sharing root's, and by default every invocation is logged, with its command and arguments, to /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

/etc/sudoers Syntax

The general syntax of a rule in the /etc/sudoers file is:
USER HOSTNAME=COMMAND
Where,

  • USER: Name of normal user
  • HOSTNAME: Where the command is allowed to run. It is the hostname of the system on which this rule applies. sudo is designed so that you can use one sudoers file on all of your systems; this field is what lets you set per-host rules.
  • COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternatively, you can specify "" to indicate that the command may only be run without command line arguments.

How do I use sudo?

Give user rokcy access to the halt/shutdown command and let him restart the Apache web server. First, log in as the root user. Use the visudo command to edit the config file (visudo locks the sudoers file while you edit and checks its syntax before saving, so a typo cannot lock everyone out of sudo):
# visudo
Append the following lines to file:
rokcy localhost=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart

Save and close the file. Now, on dbserver, user rokcy can restart the Apache web server by typing the following command:
$ sudo /etc/init.d/apache-perl restart
Output:

Password:
Restarting apache-perl 1.3 web server....

The sudo command has logged the attempt to /var/log/secure or /var/log/auth.log:
# tail -f /var/log/auth.log
Sample output:

May 13 08:37:43 debian sudo:       rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart

If rokcy wants to shut down the computer (on localhost, as the first rule allows), he needs to type:
$ sudo /sbin/halt
Output:

Password:

Before running a command with sudo, users usually supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run. sudo logs each command run.
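Because sudo's value as a control depends on someone actually reading its log, here is an added Python example (not part of the original article) that parses the auth.log line shown above and counts allowed and denied invocations per invoking user. The sample lines are constructed: the first is the article's own, the denied line uses "command not allowed", the reason sudo records when sudoers refuses a request, and the sshd line is there to show that non-sudo entries are skipped. Field names such as `runas` are my own.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed auth.log excerpt in sudo's syslog format. The first line reproduces the
# article's sample; the other three are made up to show a denied command and a non-sudo line.
SAMPLE_LOG = """\
May 13 08:37:43 debian sudo:       rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart
May 13 08:40:01 debian sudo:       rokcy : command not allowed ; TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/sbin/reboot
May 13 08:41:12 debian sudo:      jadmin : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/kill -9 4242
May 13 08:42:00 debian sshd[1201]: Accepted publickey for rokcy from 10.0.0.5 port 50122 ssh2
"""

# sudo writes "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
# A reason such as "command not allowed" is only present when the request was refused.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the fields of one sudo log line, or None for any other syslog line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["reason"] is not None
    return rec


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count allowed and denied sudo invocations per invoking user."""
    allowed: Counter = Counter()
    denied: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        (denied if rec["denied"] else allowed)[rec["user"]] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_sudo_line(line)
        if rec:
            state = "DENIED " if rec["denied"] else "allowed"
            print(f'{rec["ts"]} {state} {rec["user"]} -> {rec["runas"]}: {rec["cmd"]}')
    print(summarize(SAMPLE_LOG))
```

A denied entry for a user who has no business with that command, or a run of denials in a short window, is the kind of thing worth alerting on; the per-user counters are the simplest starting point for that.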

Examples

a) Allow jadmin to run various commands:
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user jadmin to run /sbin/halt without any password i.e. as root without authenticating himself:
jadmin ALL= NOPASSWD: /sbin/halt
c) Allow user charvi to run any command from /usr/bin directory on the system dev02:
charvi dev02 = /usr/bin/*
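To make the USER HOSTNAME=COMMAND rules of the syntax section and these examples concrete, here is an added Python model of how sudo evaluates them; it is not part of the original article and it is not sudo's own code. It parses a constructed sudoers fragment (the rules from this page plus a hypothetical `auditor` line that uses the "" no-arguments form) and answers whether a given user may run a given command line on a given host. Two properties of real sudo are built in: when several rules match, the last one wins, and a wildcard in the command path (as in `/usr/bin/*`) never matches a `/`, so it cannot name a program outside that directory. Aliases, Runas specifications such as `(ALL)`, and commas inside arguments are not handled by this model.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sudoers fragment in the USER HOSTNAME=COMMAND form used in the article.
# It reuses the article's rules and adds one (auditor) that uses the "" no-arguments form.
SAMPLE_SUDOERS = """\
# comments and blank lines are ignored
rokcy localhost=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
jadmin ALL= NOPASSWD: /sbin/halt
charvi dev02 = /usr/bin/*
auditor ALL=/usr/bin/last ""
"""


@dataclass
class Rule:
    user: str
    host: str             # hostname or the keyword ALL
    command: str          # absolute path, may contain shell-style wildcards
    args: Optional[str]   # None = any arguments, "" = no arguments, else this exact string
    nopasswd: bool = False


# USER, then HOSTNAME, then "=", then the command list (optionally prefixed by NOPASSWD:).
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?P<rest>.+)$")


def parse_sudoers(text: str) -> List[Rule]:
    """Parse the simple one-rule-per-line subset of sudoers syntax (no aliases, no Runas)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sudoers line: {line!r}")
        rest = m.group("rest").strip()
        nopasswd = rest.upper().startswith("NOPASSWD:")
        if nopasswd:
            rest = rest[len("NOPASSWD:"):].strip()
        # Commands are comma-separated; simplification: commas inside arguments are not handled.
        for spec in rest.split(","):
            parts = spec.strip().split(None, 1)
            command = parts[0]
            if len(parts) == 1:
                args = None                      # bare path: any arguments allowed
            elif parts[1].strip() == '""':
                args = ""                        # "" means: no arguments at all
            else:
                args = parts[1].strip()          # only exactly these arguments
            rules.append(Rule(m.group("user"), m.group("host"), command, args, nopasswd))
    return rules


def path_glob_match(pattern: str, path: str) -> bool:
    """Match a command path against a sudoers wildcard; '*' and '?' never match '/'."""
    regex = ""
    for ch in pattern:
        if ch == "*":
            regex += "[^/]*"
        elif ch == "?":
            regex += "[^/]"
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, path) is not None


def check(rules: List[Rule], user: str, host: str, argv: List[str]) -> Tuple[bool, bool]:
    """Return (allowed, nopasswd) for `user` running `argv` on `host`.

    As in sudo, every matching rule is applied in order and the last match wins.
    """
    decision = (False, False)
    given_args = " ".join(argv[1:])
    for r in rules:
        if r.user != user or (r.host != "ALL" and r.host != host):
            continue
        if not path_glob_match(r.command, argv[0]):
            continue
        if r.args is None or r.args == given_args:
            decision = (True, r.nopasswd)
    return decision


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, host, argv in [
        ("rokcy", "dbserver", ["/etc/init.d/apache-perl", "restart"]),
        ("rokcy", "dbserver", ["/etc/init.d/apache-perl", "stop"]),
        ("rokcy", "dbserver", ["/sbin/halt"]),
        ("jadmin", "web01", ["/sbin/halt"]),
        ("charvi", "dev02", ["/usr/bin/../../bin/sh"]),
    ]:
        print(user, host, " ".join(argv), "->", check(rules, user, host, argv))
```

Note what the charvi rule actually grants: `/usr/bin/*` covers every program in that directory, editors and interpreters included, so it is far broader than the rokcy and jadmin rules, which name the exact commands a role needs. Listing exact commands, and exact arguments where the command accepts dangerous ones, is the form to prefer.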


UPDATED for accuracy.



1 danger May 13, 2006 at 4:13 pm

I’m probably missing something, but I don’t actually understand the HOSTNAME values. In point 3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the apache server running on the “dbserver” box, but how does “dbserver” know that? Is the sudoers file shared between servers somehow?

I mean, if “rocky” telnets/SSHs to dbserver, will he be able to restart the apache server?

Thanks a lot for helping a linux n00b.


2 nixCraft May 13, 2006 at 7:06 pm

>3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the apache server running on “dbserver” box, but how does the “dbserver” knows that?

It means: allow user rocky to run /etc/init.d/apache-perl on the system dbserver. You need to use the /etc/hosts file to define all hosts in the network, or use DNS/NIS to resolve hostnames. From any one of these it can find out the dbserver name. Use the hostname command to get the actual hostname.

>Is the sudoers file shared between servers somehow?

sudoers files can be shared if you want, using Cfengine. If you are on a large network it can be done. But remember it is a complex operation and needs careful planning.

>I mean, if “rocky” telnets/SSHs to dbserver will he be able to restart apache-server?

Yup, that is how it works. You can telnet (do not use it, as it is insecure) / ssh into dbserver and restart the apache server.


3 dsp September 7, 2011 at 4:11 am

init 6


4 anand March 10, 2008 at 11:17 am

I am very much impressed with this site; through this site there is a chance for self-development in technical knowledge.
Thank you very much.
I hope you will continue this forever.
God bless you.
Convey my regards to you and all your supporters involved in this project.

Yours,
Anand, Machilipatnam, INDIA


5 Ted October 11, 2008 at 9:16 pm

Your examples have been very helpful.
Thanks!


6 varun Goswami December 10, 2008 at 9:19 am

I want to run a shell script as the apache user, but that script is owned by root.
I made the required changes in the sudoers file but still it is not working; actually, when this script runs it writes some log file, which is also owned by some other user... can you help me with how I can run this script?


7 dravien April 3, 2009 at 12:02 am

I'm totally frozen out of my Ubuntu and I'm new to this. How do I format the hard drive and start over, or else what should I do?


8 Prince May 25, 2009 at 12:29 pm

Hi Vivek,
I have configured sudo and it's working fine. I need your small help on this. I don't want to type “sudo” every time I run any command. Also I want to keep a separate log for all sudo activities. How do I do that? Please help.

Prince


9 PRADEEP KUMAR PATHAK May 28, 2009 at 7:53 am

How can we allow a normal user to act as root, and how can we recover the root password if the sudoers file has been changed to 06660 permissions?


10 mailmado June 3, 2009 at 6:08 am

Hi,
I am unable to run the iptables command and root-related commands from an HTML page on the apache server,
but iptables -h is working.
Please help.


11 Rakesh James May 4, 2010 at 7:41 am

Hi all,
I just added the user name “rakesh” into /etc/sudoers,
under the line:
# root (ALL)=(ALL) ALL
# rakesh (ALL)=(ALL) ALL

Am I right?
Still I can't run the commands as “rakesh”.

When I type
#sudo fdisk -l
then I get the answer: command not found.

I really want to know how I can change “rakesh” into a superuser like “root” which can run all commands.
Please help, I desperately need your help.

Warm regards
RAKESH JAMES


12 C.Raja November 5, 2010 at 8:48 am

>I just added the user name “rakesh” into /etc/sudoers,
>under the line:
># root (ALL)=(ALL) ALL
># rakesh (ALL)=(ALL) ALL

Hi rakesh, I hope you are a newbie to linux.

If the “/etc/sudoers” file lines are exactly as above, remove the “#” symbol from the “# rakesh (ALL)=(ALL) ALL” line and save it.

The “fdisk” command is by default available as “/sbin/fdisk”; the PATH variable will not point to the “/sbin” directory for a normal user. So use the command as follows, “$sudo /sbin/fdisk -l”, or set your “PATH” environment variable to point to the “/sbin” directory as well.

I hope this will resolve your issue.


13 Bella May 13, 2011 at 11:54 am

Can someone please tell me step by step what to do to unblock:
Message: mysql_connect() [function.mysql-connect]: Host ‘s15449709.onlinehome-server.info’ is blocked because of many connection errors; unblock with ‘mysqladmin flush-hosts’

Filename: mysql/mysql_driver.php

Line Number: 66

I know absolutely nothing so start from once the power is on please. I use both Linux and MAC and both are blocked for this site.

Best regards,
Bella


14 kaushick August 6, 2011 at 4:31 pm

I want to permit a normal user to create users using sudo... how would I do that?


15 Akash Sali June 1, 2012 at 1:07 pm

Thanks … :)


16 balumahendranvt September 5, 2012 at 12:05 pm

I have created a system user with root privilege. Now I don't want that user to be able to change the root password. Any possibilities?


17 bob September 12, 2012 at 12:34 pm

I tested this...
my_user dbserver=/etc/init.d/networking restart

... and of course it didn't work. No permission to file 1 and file 2 and file 3 etc.

How to do that?


18 George August 2, 2013 at 7:24 am

Hi,

I added the following code to my /etc/sudoers:
g_tsvetanov ALL= NOPASSWD: /usr/bin/stunnel

When I open a new terminal and execute “sudo stunnel” or “sudo /usr/bin/stunnel” everything works, but when I add the command to the startup applications I get the following error in the log file (/var/log/secure/) and the process is not started:
Aug 2 10:18:53 andromeda su: pam_unix(su:auth): authentication failure; logname=g_tsvetanov uid=500 euid=0 tty=pts/0 ruser=g_tsvetanov rhost= user=root
Aug 2 10:18:57 andromeda su: pam_unix(su:session): session opened for user root by g_tsvetanov(uid=500)

Any ideas?

Best regards,
George!


19 sroot August 28, 2013 at 5:51 pm

In my case,
I run a Debian Squeeze distribution.

I have edited /etc/sudoers like this:
# User privilege specification
root ALL=(ALL) ALL
user ALL=(ALL) NOPASSWD: ALL

Then the commands:
chmod u+s /usr/bin/sudo
chmod 400 /etc/sudoers

Done.


20 swapan November 20, 2014 at 10:43 am

Kindly help to get the useradd command executed through a perl command using a web browser.

It says permission denied.
I tried all the above tricks... but no luck.

