Introduction
In the Linux world, the sudo command is one of the most powerful and frequently used tools for system administrators and ordinary users alike. It lets you run commands with the privileges of another user, usually the root superuser, without logging in directly as root. This provides a balance between security and convenience, as it limits the duration and scope of elevated privileges.
What's sudo?
Sudo, short for 'superuser do', is a program that allows an authorized user to run a command as another user, according to the policy defined in the /etc/sudoers file. Instead of sharing the root password, sudo requests the user's own password and checks whether the user has permission to perform the requested action. This mechanism is based on an access control list that specifies which users or groups can run which commands, on which hosts and with which privileges.
Why use sudo instead of root
Using sudo instead of opening a session as root has several security advantages. First, it reduces the risk of accidental errors: in a root shell, any harmful command runs without restrictions; with sudo, each elevated operation must be explicitly authorized. Second, it generates a detailed record: each use of sudo is recorded in the system log, which facilitates auditing and the detection of suspicious activity. Third, it allows the principle of least privilege to be applied: a user can obtain only the permissions necessary for a specific task, rather than absolute control over the entire environment.
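The audit trail described above can be reviewed with a short script. The following is an added example, not part of the original article: it classifies sudo entries from a constructed log sample, and the host, users and function names (sample_log, sudo_events, sudo_alerts) are illustrative assumptions.

```shell
#!/bin/sh
# Constructed sample in the format sudo writes to /var/log/auth.log or
# /var/log/secure; host, users and addresses are made up.
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:15:02 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  3 10:16:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:05 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 10:18:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/var/www/script.sh
Mar  3 10:18:30 web01 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:19:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
EOF
}

# Read syslog lines on stdin; print STATUS<TAB>user<TAB>run-as<TAB>command.
# DENIED   = the sudoers policy refused the request
# AUTHFAIL = wrong password
# SHELL    = a bare shell or su was started; commands typed inside it are not logged by sudo
# OK       = any other authorized command
sudo_events() {
  awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
      rec = $0
      sub(/^.* sudo(\[[0-9]+\])?: +/, "", rec)      # drop timestamp, host and tag
      cut  = index(rec, "COMMAND=")
      head = substr(rec, 1, cut - 1)                # everything before the command
      cmd  = substr(rec, cut + 8)                   # the command may itself contain " ; "
      user = head; sub(/ : .*$/, "", user)
      runas = ""
      if (match(head, /USER=[^ ;]+/)) runas = substr(head, RSTART + 5, RLENGTH - 5)
      status = "OK"
      if (head ~ /NOT in sudoers|command not allowed|NOT authorized on/) status = "DENIED"
      else if (head ~ /incorrect password attempt/)                      status = "AUTHFAIL"
      else if (cmd ~ /^(\/usr)?\/bin\/((ba|da|z)?sh|su)$/)               status = "SHELL"
      printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }'
}

# Only the events that deserve a second look.
sudo_alerts() { sudo_events | grep -v "^OK"; }

sample_log | sudo_alerts
```

On a real system the same functions read the log directly, for example `sudo_alerts < /var/log/auth.log`.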
Basic syntax
The simplest way to use sudo is: sudo command [arguments]. When it runs, the system requests the user's password (unless sudo has been configured not to require it). If authentication succeeds, the command is executed with the privileges specified in the sudoers policy. For example, to update the package list on a Debian-based distribution, you write: sudo apt update. To run a command as a user other than root, use the -u option followed by the user name: sudo -u user command.
Most commonly used options
- -u user: Run the command as the specified user instead of root.
- -l: List the commands that the user is authorized to run with sudo.
- -v: Refresh the cached credential timestamp, extending the period during which the password does not have to be re-entered.
- -k: Invalidate the sudo timestamp, forcing the next request to require a password.
- -b: Run the command in the background.
- -H: Set the HOME environment variable to the target user's home directory.
Practical examples
- Update the system in Ubuntu / Debian:
  sudo apt update && sudo apt upgrade -y
- Install a package in Fedora:
  sudo dnf install nombre_paquete
- See the sudoers configuration (read-only):
  sudo -l
- Run a script with another user's privileges:
  sudo -u www-data /var/www/script.sh
- Mount a file system that requires privileges:
  sudo mount /dev/sdb1 /mnt
- Change the owner of a file safely:
  sudo chown usuario:grupo archivo
- Restart a system service:
  sudo systemctl restart nombre_servicio
Best security practices
- Edit the /etc/sudoers file exclusively with visudo, which verifies the syntax before saving and prevents you from locking yourself out.
- Apply the principle of least privilege: grant only the necessary commands to each user or group.
- Avoid the use of NOPASSWD except in trusted automated scripts and always limit its scope to specific commands.
- Keep the system up to date to benefit from security patches that affect sudo.
- Review the sudo log (/var/log/auth.log or /var/log/secure) regularly to detect unusual uses.
- Configure a reasonable timeout (e.g. 5 minutes) so that the sudo credential expires automatically.
- Use the -H option when running commands that depend on the HOME variable, preventing programs from reading root user settings.
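The NOPASSWD and timeout advice above can be checked mechanically. The following is an added example, not part of the original article: a small linter run over a constructed sudoers fragment that deliberately contains weak rules; the users, commands and function names (sample_sudoers, lint_sudoers) are illustrative assumptions, and aliases, line continuations and included files are not resolved.

```shell
#!/bin/sh
# Constructed sudoers fragment; users, groups and commands are made up.
# Lines 1, 4 and 5 are intentionally weak.
sample_sudoers() {
cat <<'EOF'
Defaults  timestamp_timeout=-1
alice     ALL=(ALL:ALL) ALL
deploy    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup    ALL=(ALL) NOPASSWD: ALL
%devs     ALL=(root) NOPASSWD: /usr/bin/apt update, ALL
# carol   ALL=(ALL) NOPASSWD: ALL
EOF
}

# Read sudoers text on stdin; print FINDING<TAB>line-number<TAB>rule.
# TIMESTAMP_NEVER_EXPIRES: a negative timestamp_timeout means the cached
#                          credential never expires.
# NOPASSWD_ALL:            passwordless access is not limited to specific commands.
lint_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    /^[ \t]*Defaults/ && match($0, /timestamp_timeout=-?[0-9.]+/) {
      val = substr($0, RSTART + 18, RLENGTH - 18) + 0
      if (val < 0) printf "TIMESTAMP_NEVER_EXPIRES\t%d\t%s\n", NR, $0
      next
    }
    /NOPASSWD:/ {
      list = $0
      sub(/^.*NOPASSWD:/, "", list)                 # commands covered by the tag
      n = split(list, item, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", item[i])        # trim each command
        if (item[i] == "ALL") { printf "NOPASSWD_ALL\t%d\t%s\n", NR, $0; break }
      }
    }'
}

sample_sudoers | lint_sudoers
```

The deploy rule passes because its NOPASSWD tag covers a single, fully specified command; syntax checking itself remains the job of visudo.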
Solving common problems
- 'user is not in the sudoers file': This message indicates that the user has no permissions. Solution: add an appropriate rule to sudoers with visudo.
- 'you must set a password': If sudo asks for a password and the user has forgotten it, the password must be recovered or another configured authentication method used.
- Syntax error in sudoers: If a malformed file is saved, sudo stops working. Use a recovery console, or use pkexec visudo if available.
- The command is not found when using sudo: Verify the PATH variable; sometimes the root environment has a different PATH. Use absolute paths or adjust secure_path in sudoers.
- Timestamp credentials expire too soon: Adjust the timestamp_timeout parameter in sudoers to increase the grace period.
Conclusion
The sudo command is a fundamental part of the secure management of Linux systems. Its ability to raise privileges in a controlled way, record actions and apply the principle of least privilege makes it an indispensable tool for both experienced administrators and new users. By understanding how it works, its options and best practices, all its power can be harnessed without compromising the security of the system. Practicing its use in test environments and regularly reviewing the sudoers configuration ensures a stable and protected Linux environment.


