Linux Learning Notes – sudo

1. What is sudo

<span>sudo</span> (superuser do) is a tool used in Linux/Unix systems to execute commands as a superuser (root) or another specified user.

  • Ordinary users can gain temporary administrative privileges through <span>sudo</span>, avoiding the need to use the root account directly.
  • Using <span>sudo</span> enhances system security and reduces the risk of accidental operations.

2. What is the principle

<span>sudo</span> operates on the following core principles:

  1. Configuration file controls permissions

  • <span>sudo</span> uses the <span>/etc/sudoers</span> configuration file to define which users can execute which commands under what conditions and as which identity.
  • Use the <span>visudo</span> tool to modify the configuration file to avoid syntax errors.

  • Authentication mechanism

    • When executing <span>sudo</span>, users must enter their own password (not the root password).
    • Once the password is verified, there is no need to re-enter it for a period of time (default is 5 minutes).

  • Privilege escalation process

    • <span>sudo</span> checks if the caller has permission in the <span>sudoers</span> configuration.
    • If conditions are met, <span>sudo</span> temporarily elevates the process’s privileges using setuid technology to run the target command as root or the specified user.

    3. What configurable options are available

    Common configurable options are mainly found in <span>/etc/sudoers</span>:

    • User and command rules

      user host = (runas_user) command_list
      • <span>user</span> specifies which user
      • <span>host</span> specifies on which hosts it is effective
      • <span>(runas_user)</span> specifies which user identity to execute as (default is root)
      • <span>command_list</span> specifies the commands that are allowed to be executed

    • Aliases (simplified configuration)

      • <span>User_Alias</span> user alias
      • <span>Host_Alias</span> host alias
      • <span>Cmnd_Alias</span> command alias

    • NOPASSWD

      • Allows certain commands to be executed without password verification, for example:

        user ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart nginx

    • Defaults configuration options

      • <span>Defaults timestamp_timeout=10</span> (password validity period of 10 minutes)
      • <span>Defaults logfile="/var/log/sudo.log"</span> (log file recording)
      • <span>Defaults requiretty</span> (requires sudo to be run from a terminal)

      • Controls the behavior of sudo, such as:

    4. Precautions

    1. Do not edit <span>/etc/sudoers</span> directly; use <span>visudo</span>, which checks syntax to avoid making sudo unusable.
    2. Limit user permissions by only granting necessary command execution permissions, avoiding the use of <span>ALL=(ALL) ALL</span> to give all permissions.
    3. Log auditing enable logging to facilitate auditing of user sudo operations.
    4. Validity period and security configure <span>timestamp_timeout</span> reasonably to prevent prolonged high privileges.
    5. Be cautious with passwordless execution to avoid security vulnerabilities.

    5. Practical Cases

    Case 1: Allowing a user to execute all commands

    # Add to the sudoers file
jruing ALL=(ALL) ALL

    Effect: User <span>jruing</span> can use <span>sudo</span> to execute any command.

    Case 2: Only allowing to restart the Nginx service

    jruing ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart nginx

    Effect: User <span>jruing</span> can restart nginx without entering a password, but cannot execute other commands.

    Case 3: Limiting logs and time

    Defaults logfile="/var/log/sudo.log"
Defaults timestamp_timeout=2

    Effect:

    • All sudo operations will be recorded in <span>/var/log/sudo.log</span>.
    • After entering the password, the validity is only 2 minutes, after which it needs to be entered again.

    Related posts

    1. Rust for Linux: Rust Kernel Policy
    2. Managing the frps Service on Linux with systemd: Installation, Configuration, and Automation Guide
    3. 50 Million Computers to Replace Windows with Domestic Linux
    4. Installing Privoxy on Linux and Setting Up HTTP Proxy in Command Line Terminal
    5. User Feedback: Linux Version of Google Chrome 140 Disrupts Text Rendering
    6. Common Commands That Affect Cache in Linux Systems
    7. Connecting to CentOS 8 Using Windows 10 Remote Desktop
    8. Practical Analysis of Attackers Exploiting Windows and Linux Vulnerabilities for System Intrusion
    9. Automating the Build of JAR Packages with Jenkins, SVN, and Spring Boot on Linux
    10. Overview of ARMv8 System Security
    11. Understanding Armv8/Armv9 TrustZone Technology
    12. Decoding the Contents of FPGA Bitstreams
    13. Questions and Answers on Microcontroller Application Systems
    14. Understanding the Concept of Pointers in C Language in One Minute
    15. A Detailed Interpretation of #define and const Constants in C Language
    16. CVE-2025-0566 Stack Overflow Vulnerability Reproduction on A15-MIPS Architecture
    17. The Development History of the C Language
    18. C Language Program to Determine if a Number is Even or Odd
    19. Concurrency with Multiple Coroutines Using the asyncio Library in Python

    Leave a Comment