
Tuesday, June 19, 2012

8 Ways to Tweak and Configure Sudo on Ubuntu

SkyHi @ Tuesday, June 19, 2012

Like most things on Linux, the sudo command is very configurable. You can have sudo run specific commands without asking for a password, restrict specific users to only approved commands, log commands run with sudo, and more.
The sudo command’s behavior is controlled by the /etc/sudoers file on your system. This file must be edited with the visudo command, which performs syntax checking so you don’t accidentally break the file.

Specify Users With Sudo Permissions

The user account you create while installing Ubuntu is marked as an Administrator account, which means it can use sudo. Any additional user accounts you create after installation can be either Administrator or Standard user accounts – Standard user accounts don’t have sudo permissions.
You can control user account types graphically from Ubuntu’s User Accounts tool. To open it, click your user name on the panel and select User Accounts or search for User Accounts in the dash.

Make Sudo Forget Your Password

By default, sudo remembers your password for 15 minutes after you type it. This is why you only have to type your password once when executing multiple commands with sudo in quick succession. If you’re about to let someone else use your computer and you want sudo to ask for the password when it runs next, execute the following command and sudo will forget your password:
sudo -k

Always Ask For a Password

If you’d rather be prompted each time you use sudo – for example, if other people regularly have access to your computer — you can disable the password-remembering behavior entirely.
This setting, like other sudo settings, is contained in the /etc/sudoers file. Run the visudo command in a terminal to open the file for editing:
sudo visudo
In spite of its name, this command defaults to the new-user-friendly nano editor instead of the traditional vi editor on Ubuntu.
Add the following line below the other Defaults lines in the file:
Defaults timestamp_timeout=0
Press Ctrl+O to save the file, and then press Ctrl+X to close Nano. Sudo will now always prompt you for a password.

Change the Password Timeout

To set a different password timeout – either a longer one like 30 minutes or a shorter one like 5 minutes – follow the steps above but use a different value for timestamp_timeout. The number corresponds to the number of minutes sudo will remember your password for. To have sudo remember your password for 5 minutes, add the following line:
Defaults timestamp_timeout=5

Never Ask for a Password

You can also have sudo never ask for a password – as long as you’re logged in, every command you prefix with sudo will run with root permissions. To do this, add the following line to your sudoers file, where username is your username:
username ALL=(ALL) NOPASSWD: ALL
You can also change the %sudo line – that is, the line that allows all users in the sudo group (also known as Administrator users) to use sudo – to have all Administrator users not require passwords:
%sudo ALL=(ALL:ALL) NOPASSWD:ALL

Run Specific Commands Without a Password

You can also specify specific commands that will never require a password when run with sudo. Instead of using “ALL” after NOPASSWD above, specify the location of the commands. For example, the following line will allow your user account to run the apt-get and shutdown commands without a password.
username ALL=(ALL) NOPASSWD: /usr/bin/apt-get,/sbin/shutdown
This can be particularly useful when running specific commands with sudo in a script.

Allow a User to Run Only Specific Commands

While you can blacklist specific commands and prevent users from running them with sudo, this isn’t very effective. For example, you could specify that a user account not be able to run the shutdown command with sudo. But that user account could run the cp command with sudo, create a copy of the shutdown command, and shut down the system using the copy.
A more effective way is to whitelist specific commands. For example, you could give a Standard user account permission to use the apt-get and shutdown commands, but no more. To do so, add the following line, where standarduser is the user’s username:
standarduser ALL=/usr/bin/apt-get,/sbin/shutdown
The following command will tell us what commands the user can run with sudo:
sudo -U standarduser -l
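A check for the problem described above, added here as an example and not part of the original article: a small audit that reads sudoers-style rules and flags the grants that make a whitelist meaningless (ALL, a shell, or cp, which the text above shows can copy a denied binary). The sample rules are constructed, and the audit_sudoers function and its short list of flagged programs are assumptions of this example, not anything sudo itself provides.

```shell
#!/bin/sh
# Audit sudoers-style rules for grants that defeat a command whitelist:
# "ALL", a shell, or cp (which can copy a denied binary so the copy runs).

# Constructed sample sudoers content, not taken from any real system.
SAMPLE_SUDOERS='
Defaults timestamp_timeout=5
Defaults logfile=/var/log/sudo
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
standarduser ALL=/usr/bin/apt-get,/sbin/shutdown
deploy ALL=(ALL) NOPASSWD: /usr/bin/apt-get,/sbin/shutdown
backup ALL=/bin/cp, /bin/bash
'

# audit_sudoers: reads sudoers text on stdin and prints one line per risky
# grant as "who: command (why)". Exit status 1 if anything was flagged.
audit_sudoers() {
  awk '
    function flag(u, cmd, why) { found = 1; printf "%s: %s (%s)\n", u, cmd, why }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*Defaults/ { next }                 # option lines, not grants
    /^[ \t]*(Host|User|Cmnd|Runas)_Alias/ { next }
    $1 == "root" { next }                      # root may run anything anyway
    {
      who = $1
      rhs = $0
      sub(/^[^=]*=/, "", rhs)                  # drop "who host="
      sub(/^[ \t]*\([^)]*\)/, "", rhs)         # drop the "(runas)" group
      nopass = (rhs ~ /NOPASSWD:/)
      gsub(/(NO)?(PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):/, "", rhs)
      n = split(rhs, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)         # trim the command entry
        base = c; sub(/[ \t].*/, "", base); sub(/.*\//, "", base)
        if (c == "ALL")
          flag(who, c, nopass ? "any command without a password" : "any command")
        else if (base ~ /^(sh|bash|dash|zsh)$/)
          flag(who, c, "root shell: nothing run inside it is logged")
        else if (base == "cp")
          flag(who, c, "cp as root: a denied binary can be copied and the copy run")
      }
    }
    END { exit (found ? 1 : 0) }
  '
}
```

Run it as `audit_sudoers < /etc/sudoers` (or on the files under /etc/sudoers.d) and review each flagged line against what that account actually needs.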

Logging Sudo Access

You can log all sudo access by adding the following line. /var/log/sudo is just an example; you can use any log file location you like.
Defaults logfile=/var/log/sudo
View the contents of the log file with a command like this one:
sudo cat /var/log/sudo
Bear in mind that, if a user has unrestricted sudo access, that user has the ability to delete or modify the contents of this file. A user could also access a root prompt with sudo and run commands that wouldn’t be logged. The logging feature is most useful when coupled with user accounts that have restricted access to a subset of system commands.


REFERENCES
http://www.howtogeek.com/116757/8-ways-to-tweak-and-configure-sudo-on-ubuntu/

Wednesday, March 3, 2010

sudo: sorry, you must have a tty to run sudo

SkyHi @ Wednesday, March 03, 2010

Per customer request, we recently wrote a script to restart their application server around 3AM via crontab every night. We were alerted that their server did not come back up this morning. After investigating, we found the following output in the log file:

sudo: sorry, you must have a tty to run sudo

If you ever encounter this error, you need to use the ‘visudo’ command and locate the following line:

Defaults    requiretty

Just comment out the line, and you will resolve the issue.

If this option is set, sudo will only run when the user is logged in to a real tty. When this flag is set, sudo can only be run from a login session and not via other means such as cron or cgi-bin scripts.


REFERENCE

http://www.adminmyserver.com/articles/sorry-you-must-have-a-tty-to-run-sudo



Tuesday, August 18, 2009

UNIX / Linux: Send E-mail When sudo Runs

SkyHi @ Tuesday, August 18, 2009
I'm not told to use the root user to perform activities that do not require it. I've configured sudo for myself and for other web developers so that they can restart MySQL or the Apache web server. How do I send email when sudo is run by one of my users? How do I keep track of user logins done via the sudo command?

sudo greatly enhances the security of the system, since the root password need not be shared with other users and admins. sudo provides simple auditing and tracking features too.
Configure sudo To Send E-mail

Sudo can be configured to send e-mail when the sudo command is used. Open the /etc/sudoers file:
# vi /etc/sudoers
Configure the alert email address:


Defaults mailto="admin@staff.example.com"
Defaults mail_always


Where,

* mailto "admin@staff.example.com" : the email address that receives the mail.
* mail_always : Send mail to the mailto user every time a user runs sudo. This flag is off by default.

Additional options:
* mail_badpass : Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
* mail_no_host : If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.
* mail_no_perms : If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
* mail_no_user : If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.
Sudo Logfile

By default, sudo logs via syslog. You can see the sudo log in /var/log/auth.log (Debian / Ubuntu) or /var/log/secure (Red Hat and friends). However, you can also set a path for sudo’s own log file (separate from the syslog log file). Setting a path turns on logging to that file; negating this option turns it off. Type the following command to edit the file:
# sudoedit /etc/sudoers
Set path to log file:


Defaults !lecture,tty_tickets,!fqdn,!syslog
Defaults logfile=/var/log/sudo.log


Save and close the file. To see logs type:
# tail -f /var/log/sudo.log
# egrep -i 'foo' /var/log/sudo.log
# egrep -i 'user1|user2|cmd2' /var/log/sudo.log
Sample Outputs:

Jul 1 12:30:13 : vivek : TTY=pts/3 ; PWD=/home/vivek ; USER=root ; COMMAND=/bin/bash
Jul 1 12:34:02 : vivek : TTY=pts/0 ; PWD=/home/vivek ; USER=root ;
COMMAND=sudoedit /etc/sudoers
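An added example, not from the original article, that reads the two log formats shown on this page (sudo’s own logfile above and the syslog line format used in /var/log/auth.log) and reports the entries a reviewer most wants: denied commands, which restricted accounts produce when the rule set holds, and grants of a root shell or a sudoers edit, after which this log no longer covers what happened (the point made in the Ubuntu post’s logging section above). The sample lines are constructed and the sudo_log_review function is this example’s own.

```shell
#!/bin/sh
# Review sudo log entries: report denied commands (the policy doing its job)
# and grants of a root shell or a sudoers edit, after which later activity
# is not covered by this log.

# Constructed sample lines in both formats shown on this page: sudo's own
# logfile and syslog (auth.log). Not taken from any real system.
SAMPLE_SUDO_LOG='Jul 1 12:30:13 : vivek : TTY=pts/3 ; PWD=/home/vivek ; USER=root ; COMMAND=/bin/bash
Jul 1 12:34:02 : vivek : TTY=pts/0 ; PWD=/home/vivek ; USER=root ; COMMAND=sudoedit /etc/sudoers
May 13 08:37:43 debian sudo: rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart
May 13 08:40:10 debian sudo: rokcy : command not allowed ; TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/bin/bash
May 13 08:41:02 debian sudo: rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/sbin/halt'

# sudo_log_review: reads log lines on stdin and prints "user<TAB>note<TAB>command"
# for each entry worth a look. Exit status 1 if a shell or sudoers grant was seen.
sudo_log_review() {
  awk '
    # The " : " before the TTY field or the status text is common to both
    # formats; the word just before it is the invoking user.
    match($0, / : (TTY=|command not allowed|[0-9]+ incorrect password attempts)/) {
      head = substr($0, 1, RSTART - 1)
      n = split(head, w, " "); user = w[n]
      rest = substr($0, RSTART + 3)
      status = "ok"
      if (rest !~ /^TTY=/) { status = rest; sub(/ ; .*/, "", status) }
      cmd = rest; sub(/.*COMMAND=/, "", cmd)
      prog = cmd; sub(/ .*/, "", prog); sub(/.*\//, "", prog)   # basename
      if (status != "ok") {                    # denied or failed: policy held
        printf "%s\t%s\t%s\n", user, status, cmd; next
      }
      if (prog ~ /^(sh|bash|dash|zsh|su)$/) {
        printf "%s\t%s\t%s\n", user, "root shell granted: later commands unlogged", cmd
        alert = 1
      } else if (cmd ~ /sudoers/) {
        printf "%s\t%s\t%s\n", user, "sudoers edited: policy may have changed", cmd
        alert = 1
      }
    }
    END { exit (alert ? 1 : 0) }
  '
}
```

Feed it the real file with `sudo_log_review < /var/log/sudo.log` or `grep sudo /var/log/auth.log | sudo_log_review`; a non-zero exit is a convenient hook for a nightly alert.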

Reference: http://www.cyberciti.biz/faq/sudo-send-e-mail-sudo-log-file/

rsync, root and sudo

SkyHi @ Tuesday, August 18, 2009
Here is the thing: the other day I wanted to copy one subdirectory from one computer to another. I could not rely on scp because I needed root permissions, nor did tar work because there were symlinks, different file permissions and owners, and there wasn’t enough space to do it (of course, you can send the tar using netcat…). The perfect solution for such a copy is rsync: it works nicely, can be used to update a backup, and so on.

The problem is I need root permissions on both machines. On the local machine, having root permissions is the easy part, but how should we proceed to get root permissions at the other end?

You can do several things, like creating the root user, disabling sudo’s password prompt, … but I won’t recommend them. The solution I came across (I don’t remember from where) is simple, but quite forgivable (that’s why I’m writing a post-to-myself). Here it is:
stty -echo; ssh myUser@REMOTE_SERVER "sudo -v"; stty echo
rsync -avze ssh --rsync-path='sudo rsync' myUser@REMOTE_SERVER:/REMOTE_PATH/ LOCAL_PATH

The second line runs “sudo rsync” instead of “rsync” on the remote host. Without the first line, sudo would prompt for a password (and we wouldn’t be able to input it); the “sudo -v” is what does the trick: it simply refreshes sudo’s timestamp so that sudo doesn’t ask for the password on each call.

The “stty [-]echo” pair keeps others from seeing our password while we type it.


Reference: http://www.pplux.com/2009/02/07/rsync-root-and-sudo/

sudo: cd: command not found

SkyHi @ Tuesday, August 18, 2009
unable to cd when using sudo

The basic function cd ("change dir") seems to be missing. When I do sudo cd:

$ sudo cd config
Password:
sudo: cd: command not found

strange that I can not cd to a dir using sudo.
Bryce Harrington said on 2007-02-12:

Actually cd is not a program, but a built-in for the bash shell. So you don't really 'run' it in sudo like that.

Instead, try doing this:

$ sudo bash
# cd
# [other commands...]
# exit
$

Hope this helps.
tokj said on 2007-02-12:

It is normal. There is no need to be superuser for using cd, so cd is not recognized as a command to be used with sudo. ;)
Gabriel Patiño said on 2007-02-12:

The cd command is a bash internal command, if you want an interactive root session, try using 'sudo -i'

After that, you will be working as root (be careful). To leave the root session, type exit, or Ctrl+D.
tokj said on 2007-02-17:

It would be nice if you mark this problem as "solved" if you haven't any other problems or questions.

Best regards

Allow a normal user to run commands as root under Linux / UNIX operating systems

SkyHi @ Tuesday, August 18, 2009
From my mail bag:

I would like to run a few commands, such as stopping or starting the web server, as the root user. How do I allow a normal user to run these commands as root?

You need to use the sudo command, which executes a command as another user. It allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers file (the config that defines who can run what). In other words, the sudo command lets users perform tasks on a Linux system as another user.

sudo is more secure than the su command. By default it logs sudo usage, command and arguments in /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).
/etc/sudoers Syntax

The general syntax used by the /etc/sudoers file is:
USER HOSTNAME=COMMAND
Where,

* USER: Name of the normal user
* HOSTNAME: Where the command is allowed to run. It is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems; this field lets you set per-host rules.
* COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments.

How do I use sudo?

For example, you want to give user rokcy access to the halt/shutdown command and the ability to restart the Apache web server.
1) Log in as the root user

2) Use the visudo command to edit the config file:
# visudo
3) Append the following lines to file:
rokcy localhost=/sbin/halt
rokcy dbserver=/etc/init.d/apache-perl restart
4) Save the file and exit to shell prompt.
5) Now the rokcy user can restart the Apache server by typing the following command:
$ sudo /etc/init.d/apache-perl restart
Output:

Password:
Restarting apache-perl 1.3 web server....

The sudo command has logged the attempt to the log file /var/log/secure or /var/log/auth.log:
# tail -f /var/log/auth.log
Output:

May 13 08:37:43 debian sudo: rokcy : TTY=pts/4 ; PWD=/home/rokcy ; USER=root ; COMMAND=/etc/init.d/apache-perl restart

If rokcy wants to shut down the computer, he needs to type this command:
$ sudo /sbin/halt
Output:

Password:

Before running a command with sudo, users usually supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run. sudo logs each command run and in some cases has completely supplanted the superuser login for administrative tasks.
More examples

a) Specify multiple commands for user jadmin:
jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user jadmin to run /sbin/halt without any password, i.e. as root without authenticating himself:
jadmin ALL= NOPASSWD: /sbin/halt
c) Allow user charvi to run any command from /usr/bin directory on the system devl02:
charvi devl02 = /usr/bin/*

REFERENCE
http://www.cyberciti.biz/tips/allow-a-normal-user-to-run-commands-as-root.html