
Allow A Normal User To Run Commands As root Under Linux / UNIX Operating Systems

From my mail bag:

I would like to run few commands such as stop or start web server as a root user. How do I allow a normal user to run these commands as root?

You need to use the sudo command, which executes a command as another user. It allows a permitted user to execute a command as the superuser or as another user, as specified in the /etc/sudoers file (the configuration file that defines who can run what). In short, sudo lets users do tasks on a Linux system as another user.

sudo command

sudo is more secure than the su command. By default it logs every sudo invocation, with the command and its arguments, to /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

/etc/sudoers Syntax

Each rule in the /etc/sudoers file has the general form USER HOSTNAME=COMMAND, where:

  • USER: Name of the normal user the rule applies to.
  • HOSTNAME: The host on which the command is allowed to run, i.e. the hostname of the system where this rule applies. sudo is designed so that you can use one sudoers file on all of your systems; this field lets you set per-host rules.
  • COMMAND: A plain filename allows the user to run that command with any arguments he/she wishes. You may also specify command line arguments (including wildcards), in which case only those arguments are allowed. Alternately, you can specify "" after the command to indicate that it may only be run without command line arguments.

How do I use sudo?

Give user rokcy access to the halt/shutdown command and let him restart the Apache web server. First, log in as root. Use the visudo command to edit the config file (visudo locks the file and checks the syntax before saving, so a typo cannot lock you out):
# visudo
Append the following lines to file:
rokcy localhost=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart

Save and close the file. Now the rokcy user can restart the Apache web server by typing the following command:
$ sudo /etc/init.d/apache-perl restart

Restarting apache-perl 1.3 web server....

The sudo command has logged the attempt to /var/log/secure or /var/log/auth.log:
# tail -f /var/log/auth.log
Sample outputs:

May 13 08:37:43 debian sudo:       rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart

If rokcy wants to shut down the computer, he needs to type:
$ sudo /sbin/halt
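As an added example (not part of the original article), here is a small Python parser for the sudo log format shown above. The log lines are constructed: besides the successful entry, they include a failed-password entry and a "user NOT in sudoers" entry in the format sudo writes for denied attempts, and the parser separates routine use from attempts a reviewer should look at.

```python
import re

# Constructed log lines in the format shown in the article: syslog prefix,
# then "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...".
AUTH_LOG = """\
May 13 08:37:43 debian sudo:       rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart
May 13 08:40:11 debian sudo:       rokcy : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/sbin/halt
May 13 08:41:02 debian sudo:       bella : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bella ; USER=root ; COMMAND=/bin/bash
May 13 08:41:30 debian sshd[2211]: Accepted publickey for rokcy from 10.0.0.7 port 51234 ssh2
"""

# The optional "reason" field is only present when sudo refused the command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S*) ; PWD=(?P<pwd>\S*) ; "
    r"USER=(?P<target>\S*) ; COMMAND=(?P<command>.*)$")

def parse_sudo_log(text):
    """Return one dict per sudo line; lines from other daemons (sshd etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def suspicious(events):
    """Events worth a look: anything sudo logged with a refusal reason."""
    return [e for e in events if e["reason"]]
```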


Before running a command with sudo, users usually supply their own password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, the command is run. sudo logs each command it runs.


a) Allow jadmin to run several commands:
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user jadmin to run /sbin/halt without a password, i.e. as root without authenticating himself:
jadmin ALL= NOPASSWD: /sbin/halt
c) Allow user charvi to run any command from the /usr/bin directory on the system dev02:
charvi dev02 = /usr/bin/*
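To make the matching rules concrete, here is an added Python evaluator (not part of the article and not sudo's own code) that parses the example entries above plus one constructed "" rule, and answers whether a user may run a given command on a given host and whether a password is needed. It also models two details the article does not spell out: sudo's wildcards never match "/", and when several rules match the last one wins, so jadmin's second rule makes /sbin/halt passwordless. Running it over a rule set before committing it with visudo shows what the rules actually grant.

```python
import re
import shlex

# Constructed sudoers fragment: the article's example rules plus one "" rule.
SUDOERS = """
rokcy localhost=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
jadmin ALL= NOPASSWD: /sbin/halt
charvi dev02 = /usr/bin/*
charvi dev02 = /sbin/reboot ""
"""

def parse_rules(text):
    """Parse 'USER HOST=[NOPASSWD:] CMD[, CMD...]' into (user, host, path, args, nopasswd)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(None, 1)
        host, cmds = (s.strip() for s in rest.split("=", 1))
        nopasswd = cmds.startswith("NOPASSWD:")
        cmds = cmds[len("NOPASSWD:"):] if nopasswd else cmds
        for cmd in cmds.split(","):
            parts = cmd.split(None, 1)
            args = parts[1] if len(parts) > 1 else None  # None: any arguments allowed
            rules.append((user, host, parts[0], "" if args == '""' else args, nopasswd))
    return rules

def path_matches(pattern, path):
    """sudo's * and ? never match '/', so /usr/bin/* excludes /usr/bin/X11/xterm."""
    regex = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, path) is not None

def check(rules, user, host, command):
    """Return (allowed, password_required); like sudo, the LAST matching rule wins."""
    argv = shlex.split(command)
    path, args = argv[0], " ".join(argv[1:])
    result = (False, True)
    for r_user, r_host, r_path, r_args, nopasswd in rules:
        if r_user != user or r_host not in ("ALL", host):
            continue
        if not path_matches(r_path, path):
            continue
        if r_args is not None and r_args != args:  # exact argument match required
            continue
        result = (True, not nopasswd)
    return result
```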


UPDATED for accuracy.



  • danger May 13, 2006, 4:13 pm

    I’m probably missing something, but I don’t actually understand the HOSTNAME values. In point 3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the Apache server running on the “dbserver” box, but how does “dbserver” know that? Is the sudoers file shared between servers somehow?

    I mean, if “rocky” telnets/SSHs to dbserver, will he be able to restart the Apache server?

    Thanks a lot for helping a Linux n00b.

  • nixCraft May 13, 2006, 7:06 pm

    >3) the line “rokcy dbserver=/etc/init.d/apache-perl restart” indicates that user rocky can restart the apache server running on “dbserver” box, but how does the “dbserver” knows that?

    It means: allow user rocky to run /etc/init.d/apache-perl on the system dbserver. You need to use the /etc/hosts file to define all hosts in the network, or use DNS/NIS to resolve hostnames. From any one of these sources it can find out the dbserver name. Use the hostname command to get the actual hostname.

    >Is the sudoers file shared between servers someway.
    sudoers files can be shared if you want, using Cfengine. If you are on a large network it can be done. But remember it is a complex operation and needs careful planning.

    >I mean, if “rocky” telnets/SSHs to dbserver will he be able to restart apache-server?

    Yup, that is how it works. You can telnet (do not use it as it is insecure) / ssh into dbserver and restart the Apache server.

    • dsp September 7, 2011, 4:11 am

      init 6

  • anand March 10, 2008, 11:17 am

    I am very much impressed with this site; through this site there is a chance for self development in technical knowledge.
    Thank you very much.
    I hope you will continue this forever.
    God bless you.
    Convey my regards to you and all your supporters involved in this project.


  • Ted October 11, 2008, 9:16 pm

    Your examples have been very helpful.

  • varun Goswami December 10, 2008, 9:19 am

    I want to run a shell script as the apache user, but that script is owned by root.
    I made the required changes in the sudoers file but still it is not working. Actually, when this script runs it writes some log file, which is also owned by some other user. Can you help me with how I can run this script?

  • dravien April 3, 2009, 12:02 am

    I’m totally frozen out of my Ubuntu and I’m new to this. How do I format the hard drive and start over, or else what should I do?

  • Prince May 25, 2009, 12:29 pm

    Hi Vivek,
    I have configured sudo and it’s working fine. I need your small help on this. I don’t want to type “sudo” every time when I run any command. Also I want to keep a separate log for all sudo activities. How do I do that? Please help.


  • PRADEEP KUMAR PATHAK May 28, 2009, 7:53 am

    How can we allow the normal user as root, and how can we recover the root password if the sudoers file has been changed to 06660 permission?

  • mailmado June 3, 2009, 6:08 am

    I am unable to run the iptables command and root related commands from an HTML page in the Apache server,
    but iptables -h is working.
    Please help.

  • Rakesh James May 4, 2010, 7:41 am

    Hi all,
    I just added the user name “rakesh” into /etc/sudoers,
    right under the line:
    # root (ALL)=(ALL) ALL
    # rakesh (ALL)=(ALL) ALL

    Am I right?
    Still I can’t run the commands as “rakesh”.

    When I type
    #sudo fdisk -l
    then I get the answer “command not found”.

    I really want to know how I can change “rakesh” to a superuser like “root” which can run all commands.
    Please help, I desperately need your help.

    Warm regards

    • C.Raja November 5, 2010, 8:48 am

      I just added the user name “rakesh” into /etc/sudoers,
      right under the line:
      # root (ALL)=(ALL) ALL
      # rakesh (ALL)=(ALL) ALL

      Hi Rakesh, I hope you are a newbie to Linux.

      If the “/etc/sudoers” file lines are exactly as above, remove the “#” symbol from the “# rakesh (ALL)=(ALL) ALL” line and save it.

      The “fdisk” command is by default available at “/sbin/fdisk”; the PATH variable will not point to the “/sbin” directory for a normal user. So use the command as follows: “$ sudo /sbin/fdisk -l”, or set your “PATH” environment variable to point to the “/sbin” directory as well.

      I hope this will resolve your issue.

  • Bella May 13, 2011, 11:54 am

    Can someone please tell me step by step what to do to unblock:
    Message: mysql_connect() [function.mysql-connect]: Host ‘s15449709.onlinehome-server.info’ is blocked because of many connection errors; unblock with ‘mysqladmin flush-hosts’

    Filename: mysql/mysql_driver.php

    Line Number: 66

    I know absolutely nothing, so start from once the power is on please. I use both Linux and Mac and both are blocked for this site.

    Best regards,

  • kaushick August 6, 2011, 4:31 pm

    I want to permit a normal user to create users using sudo. How would I do that?

  • Akash Sali June 1, 2012, 1:07 pm

    Thanks … :)

  • balumahendranvt September 5, 2012, 12:05 pm

    I have created a system user with root privilege. Now I don’t want that user to be able to change the root password. Any possibilities?

  • bob September 12, 2012, 12:34 pm

    I tested this...
    my_user dbserver=/etc/init.d/networking restart

    … and of course it didn’t work. No permission to file 1 and file 2 and file 3 etc.

    How do I do that?

  • George August 2, 2013, 7:24 am


    I added the following lines to my /etc/sudoers:
    g_tsvetanov ALL= NOPASSWD: /usr/bin/stunnel

    When I open a new terminal and execute “sudo stunnel” or “sudo /usr/bin/stunnel” everything works, but when I add the command to the start up applications I get the following error in the log file (/var/log/secure/) and the process is not started:
    Aug 2 10:18:53 andromeda su: pam_unix(su:auth): authentication failure; logname=g_tsvetanov uid=500 euid=0 tty=pts/0 ruser=g_tsvetanov rhost= user=root
    Aug 2 10:18:57 andromeda su: pam_unix(su:session): session opened for user root by g_tsvetanov(uid=500)

    Any ideas?

    Best regards,

  • sroot August 28, 2013, 5:51 pm

    In my case I run a Debian Squeeze distribution.

    I have edited the /etc/sudoers like this:
    # User privilege specification
    root ALL=(ALL) ALL

    Then the commands:
    chmod u+s /usr/bin/sudo
    chmod 400 /etc/sudoers


  • swapan November 20, 2014, 10:43 am

    Kindly help to get the useradd command executed through a Perl command using a web browser.

    It says permission denied.
    I tried all the above tricks... but no luck.

  • Anil October 2, 2015, 4:05 pm

    I need help with this issue:

    tigo-sn > ssh ericsson
    Connecting to as user ericsson
    ericsson@’s password:
    [ericsson@ALACM02 ~]$ sudo su –
    [sudo] password for ericsson:
    [root@ALACM02 ~]#
    for ericsson user sudo is working
    [inbadio@ALACM02 ~]$ sudo su –
    [sudo] password for inbadio:
    Sorry, try again.
    [sudo] password for inbadio:
    for user inbadio sudo su –
    is not working

    [root@ALACM02 ~]# cat /etc/sudoers | grep -i ericsson
    ericsson ALL = (ALL) ALL
    [root@ALACM02 ~]# cat /etc/sudoers | grep -i inbadio
    inbadio ALL = (ALL) ALL
    [root@ALACM02 ~]#

    [root@ALACM02 ~]# cat /etc/passwd | grep -i inbadio
    [root@ALACM02 ~]#
    [root@ALACM02 ~]# cat /etc/passwd | grep -i ericsson

    Kindly help with this issue.
