Sudo

The sudo utility lets an administrator grant users the ability to run specific privileged programs, or to run programs as a user other than themselves, without sharing that account's password. The configuration file is /etc/sudoers, and it is edited with the visudo utility. You invoke sudo with a command line such as:

$ sudo /path-to-some-privileged-program

This runs the named program as root (use -u to run it as a different user instead). Unless the matching sudoers entry carries the NOPASSWD: tag, sudo first asks for the invoking user's own password, not root's. Every invocation, allowed or refused, is logged through syslog; depending on how the distribution's syslog is configured the entries land in /var/log/messages, /var/log/secure or /var/log/auth.log.

There are several man pages related to sudo, as apropos shows:

$ apropos sudo
sudo (8) - execute a command as another user
sudoedit (8) - execute a command as another user
sudoers (5) - list of which users may execute what
visudo (8) - edit the sudoers file

A few helpful tips:

  • Take advantage of the group wheel. Put all of your system administrator accounts in the group wheel. You don't need to make wheel their primary group, but you should at least make it a supplementary group. Most Linux distributions ship an /etc/sudoers file that already contains an entry referring to the wheel group. Here's a snip of that file:

snip from /etc/sudoers:

# Uncomment to allow people in group wheel to run all commands

%wheel ALL=(ALL) NOPASSWD: ALL

  Reading the entry left to right: %wheel is the group it applies to, the first ALL is the list of hosts, (ALL) is the set of users the command may be run as, NOPASSWD: is a tag that suppresses the password prompt, and the final ALL is the list of permitted commands. Without the NOPASSWD: tag, sudo prompts the member for their own password before running the command; that is the safer form, and the one to prefer unless the prompt genuinely gets in the way.

  • The advantage here is that your administrators can now run privileged commands as root without knowing the root password (and, with the NOPASSWD: tag, without typing any password at all). As a CAUTION: ONLY PUT YOUR ADMINISTRATOR ACCOUNTS AS MEMBERS OF THE WHEEL GROUP! Every member of wheel is, for all practical purposes, root.

  • Always use the visudo utility to edit /etc/sudoers. It creates a lock file so that only one person edits the file at a time, and it parses your edits before installing them, so a syntax error cannot leave you with a sudoers file that sudo refuses to read (which locks every sudo user out at once). The same parser can be run on its own with visudo -c to check a file without editing it.

  • You may have Oracle DBAs who periodically need to execute some program as root during an Oracle installation. You can eliminate their need to contact a system administrator to run the program by adding the following to /etc/sudoers:

oracle ALL=(ALL) NOPASSWD: /opt/oracle/root.sh

This allows the user account oracle to run the program /opt/oracle/root.sh as root without supplying any password. The invocation is logged in the same way as any other sudo command. The oracle user would invoke the program with:

$ sudo /opt/oracle/root.sh

Two caveats before granting an entry like this. First, sudo matches the command by its path, so the permissions on that path decide how much you have really granted: /opt/oracle/root.sh and the directories leading to it must be owned by root and must not be writable by oracle (or by anyone other than root). If oracle can edit or replace the script, the entry is equivalent to an unrestricted root shell, and the log will only ever show that root.sh was run. Second, (ALL) lets oracle run the script as any user, not only root; if root is all that is needed, write (root) instead, and keep the NOPASSWD: tag only if the installation genuinely cannot pause for a password prompt.

  • When the visudo utility is invoked, the editor it starts is determined by the shell environment variables VISUAL or EDITOR. NOTE: check the visudo man page for the details. Whether these variables are honored at all depends on how visudo was compiled for your distribution and on the editor and env_editor settings in the sudoers Defaults. A build that ignores them does so deliberately: a user who has been granted the right to run visudo could otherwise name an arbitrary program as their "editor" and have it run as root.
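The wheel and oracle entries above are both one-line rules of the form user HOST=(RUNAS) [NOPASSWD:] command, and the mistakes that turn such a rule into a full root grant (a relative path, a command the grantee can overwrite, NOPASSWD: combined with ALL) are all visible before the rule is installed. The following script is an added example written for this article, not code from the article or from the sudo project; the function names, verdict strings and sample rules are the editor's own. It checks a rule the way a cautious administrator would, then validates the fragment with visudo -c before installing it as a drop-in under /etc/sudoers.d/. It handles only the simple single-command form used above, not full sudoers syntax.

```shell
#!/bin/sh
# Added example (not part of the original article): pre-flight checks for a
# one-line sudoers rule of the form
#     user|%group HOST=(RUNAS) [NOPASSWD:|PASSWD:] /abs/path | ALL
# before it is installed as a drop-in under /etc/sudoers.d/.
# Function names, verdict strings and sample rules are the editor's own.

# Last whitespace-separated field of the rule, i.e. the command
# (valid for a rule that names one command without arguments).
rule_command() {
  set -- $1
  last=
  for w; do last=$w; done
  printf '%s\n' "$last"
}

# True when the rule carries the NOPASSWD: tag.
rule_has_nopasswd() {
  case " $1 " in *" NOPASSWD: "*) return 0 ;; esac
  return 1
}

# True when a path is writable by its group or by everyone.  If the grantee
# can modify the command (or the directory holding it), a root rule for that
# command is equivalent to a root shell, so this is the check that matters.
writable_by_others() {
  [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Verdict for one rule, printed as a single word so callers can branch on it:
#   ok | warn-nopasswd-all | reject-relative-path | reject-writable-command
check_rule() {
  cmd=$(rule_command "$1")
  if [ "$cmd" = ALL ]; then
    # Unrestricted root; without a password prompt it deserves a warning.
    if rule_has_nopasswd "$1"; then echo warn-nopasswd-all; else echo ok; fi
    return 0
  fi
  case $cmd in
    /*) ;;
    *) echo reject-relative-path; return 1 ;;   # sudoers needs absolute paths
  esac
  # Check the command itself and the directory it lives in (if they exist).
  for p in "$cmd" "$(dirname "$cmd")"; do
    if [ -e "$p" ] && writable_by_others "$p"; then
      echo reject-writable-command
      return 1
    fi
  done
  echo ok
}

# Validate a fragment with visudo and install it with the mode sudo expects.
# Drop-in names containing '.' or '~' are silently ignored by sudo, so they
# are refused here rather than installed to no effect.
install_fragment() {   # $1: fragment file, $2: name under /etc/sudoers.d
  case $2 in *.*|*~*) echo "bad drop-in name: $2" >&2; return 1 ;; esac
  visudo -cf "$1" || return 1
  install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Constructed sample rules (taken from the article plus two deliberately bad
# ones), run through check_rule when the script is executed directly.
for r in \
  '%wheel ALL=(ALL) NOPASSWD: ALL' \
  '%wheel ALL=(ALL) ALL' \
  'oracle ALL=(root) NOPASSWD: /opt/oracle/root.sh' \
  'oracle ALL=(root) NOPASSWD: root.sh' \
  'oracle ALL=(root) NOPASSWD: /tmp/root.sh'
do
  verdict=$(check_rule "$r" || true)
  printf '%-26s %s\n' "$verdict" "$r"
done
```

Only install_fragment needs root and a working visudo; the checks themselves run as any user, so they can sit in a pre-commit hook or a configuration-management test. The /tmp/root.sh rule is included as the worst case: even if the script does not exist yet, /tmp itself is world-writable, so the rule is rejected on the directory check.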