How to use Sudo on Cloud Server 2023

Introduction

This guide will teach you about root access, the sudo command, how to perform tasks with sudo, and the distinctions between sudo and root access. Instructions for creating a sudo user for various operating systems are also provided below.

What is Root?

root  On Unix-like systems such as Linux, refers to the superuser account It is the most privileged account on the system, having the most access permissions. It is used for system management. Regardless of the account’s name, this root/superuser account has a user identifier (UID) of zero.

The root user has complete access to the system (root privileges). It has the ability to edit fundamental system components, upgrade the system, change system configuration, and start, stop, and restart all operating system services.

The terminal command prompt symbol changes from to when you log in as root. $ to #. For example:

$ echo 'This is a normal user shell'

# echo 'This is a root shell'

What is Sudo?

The  sudo (superuser do) command is a command-line utility that allows a user to run commands as root or another user. It provides an efficient method for granting specified users access to execute specific system commands or run scripts as the root user.

Although similar to  su,  sudo requires the logged-in user’s password for authentication rather than the target user’s password like  su does. Sudo, like  su, does not launch a root shell; instead, it executes the program or command with elevated privileges.

A system administrator can use sudo, to do the following tasks:

• Allow users or groups of users to perform certain commands with elevated or root access.
• View a list of all users who have used sudo.
• Control which commands a user is allowed to use on a host system.

Sudo logs all commands and arguments run in the  /var/log/auth.log  file, which may be studied if something goes wrong.

Sudo Vs. Root

The principle of least privilege is an information and computer security concept that maintains that programs and users should be granted the bare minimum of access necessary to complete a task.

When logged in as root, every command put into the terminal is executed with the system’s maximum privileges, which violates the concept of least privilege. When unintentional, a simple operation like rm might be used to destroy fundamental root directories or files without informing the user. For example, suppose you attempted to remove a root directory such as /etc using:

$ rm -rf /etc

You will be refused access since you are logged in as a regular user. When logged in as root, no prompts will be displayed, and the whole folder will be removed, which will very certainly destroy your system because specific configuration files required for system operation are kept in the /etc directory. You may potentially format a disk incorrectly and the system will not prompt you.

Because the application is executing with the maximum privileges, a little error in the application might destroy some system data.

Sudo allows for fine-grained access control. It only gives enhanced permissions to the program that requires them. Instead of working with a root shell, you know which program is executing with elevated rights (running every command with root privileges). By changing your sudoers file, you may also configure sudo to run commands as another user, define which users and groups are authorized to run commands with sudo, and establish timeouts for executing applications with root capabilities.

As a result, performing commands with the root shell is not recommended since the risks of damaging your system are substantially higher. If you need root access to perform a command, use sudo to ensure that just that command runs with root capabilities.

Run Commands as Sudo

To run commands as sudo, precede them with  sudo:

$ sudo command

It will question you for a password, which you should input and then press ENTER:

$ sudo command
[sudo]  password for user:

Create a Sudo User on AlmaLinux, CentOS, Fedora, Rocky Linux, and VzLinux

This section applies to:

• AlmaLinux
• CentOS 7 and later
• Fedora 31 and later
• Rocky Linux
• VzLinux

Procedure:

1. Use the  adduser  command to create a new user account.

# adduser example_user

2. Create a strong password for the new user  passwd.

# passwd example_user
Changing password for user example_user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

3. With, add the new user to the wheel group  usermod.

# usermod -aG wheel example_user

4. Examine the sudoers file using  visudo.

# visudo

5. Locate the wheel group. If the line is disabled, remove the comment. When you’re ready to save the file, it should look like this.

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

6. Save and close vi. Enter  ESC,  : W Q, and ENTER.

Always use visudo to change  /etc/sudoers , never directly. Because a misconfigured sudoers file might harm your system, the visudo. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.

visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

7. Switch to the new user.

# su - example_user

8. Verify that you are the new user using  whoami,  then try  sudo whoami,  which should return root.

$ whoami
example_user

$ sudo whoami
[sudo] password for example_user:
root

Create a Sudo User on Arch Linux

This section applies to any recent Arch Linux release.

1. Install sudo because it isn’t included in the original installation. If you haven’t updated in a while, remember to do so.

# pacman --sync sudo

2. Create a new user account with useradd.

# useradd --create-home example_user

3. Set a strong password for the new user with passwd.

# passwd example_user

4. Add the new user to the wheel group with usermod.

# usermod --append --groups wheel example_user

5. Edit the sudoers file with visudo.

# visudo

6. Look for the wheel group at the bottom of the file in the ‘User privilege definition’ section. Remove the comment at the start of the line so that it appears like this:

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

7. Save and close vi. Enter  ESC,  : W Q, and ENTER.

Always use visudo to change  /etc/sudoers , never directly. Because a misconfigured sudoers file might harm your system, the visudo. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.

visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

8. Switch to the new user.

# su - example_user

9. Verify that you are the new user using  whoami,  then try  sudo whoami,  which should return root.

$ whoami
example_user

$ sudo whoami

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for example_user:
root

Create a Sudo User on Debian & Ubuntu

This section applies to:

Procedure:

• Debian 9 “Stretch” and later
• Ubuntu 16.04 and later

1. Install the sudo command. Some installation packages do not include sudo. If it does not, use sudo to install it.

apt.# apt install sudo

2. Use the  adduser  command to create a new user account. For the new user, create a strong password. You can enter entries for the user information fields or hit  ENTER  to leave them empty.

# adduser example_user
Adding user `example_user' ...
Adding new group `example_user' (1001) ...
Adding new user `example_user' (1001) with group `example_user' ...
Creating home directory `/home/example_user' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for example_user
Enter the new value, or press ENTER for the default
        Full Name []: Example User
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

3. Include the new user in the sudo group.

# adduser example_user sudo

4. Switch to the new user to test.

# su - example_user

Verify that you are the new user using  whoami,  then try  sudo whoami,  which should return root.

$ whoami
example_user
$ sudo whoami
[sudo] password for example_user:
root

Create a Sudo User on FreeBSD

This section applies to FreeBSD 11 and later.

Procedure:

1. If sudo is already present on your machine, install it from the ports collection. To install sudo from ports, follow these steps:

# cd /usr/ports/security/sudo/
# make install clean

You may also use pkg to install the binary  sudo  package:

# pkg install sudo

2. Set up a new user account for sudo use:

# adduser

To create the user, answer the questions on the dialog. In this guide, we’ll utilize example_user.

3. Add the user to the wheel group, which restricts who may use  su  to get root access.

# pw group mod wheel -m example_user

4.  visudo. may be used to edit the sudoers file.

# visudo

5. Locate the wheel group. If the line is disabled, remove the comment. When you’re ready to save the file, it should look like this.

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

6. Save and close vi. Enter  ESC,  : W Q, and ENTER.

Always use visudo to change  /etc/sudoers , never directly. Because a misconfigured sudoers file might harm your system, the visudo. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.

visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

7. Switch to the new user.

# su - example_user

8. Verify that you are the new user using  whoami,  then try  sudo whoami,  which should return root.

$ whoami
example_user

$ sudo whoami
[sudo] password for example_user:
root

More about the sudoers File

Sudo employs the  sudoers  security policy and maintains a specific configuration file /etc/sudoers.  This file controls access privileges and password prompt timeouts.

Note: You must have elevated privileges to view the sudoers file

Open the /etc/sudoers file; it should look like this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/
sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

The line:

root         ALL=(ALL:ALL)ALL

signifies that the root user has complete access to the system and can execute any command.

%sudo ALL=(ALL:ALL)ALL

Allows all members of the sudo group to run any command.

Note: ‘%’ in the sudoers file represents a group

As you can see from the first line in the /etc/sudoers file:

# This file MUST be edited with the 'visudo' command as root

Do not attempt to edit the sudoers file directly. Use the visudo command with root privileges.