Linux's "secure by design" philosophy places many constraints on the default permissions granted to every new user. Some of these precautions include disabling the ability to run commands with "sudo". Sudo is a special command that permits running admin level command without actually being root. Sometimes however, you need to let people run these commands for server maintenance etc. In this article, I show you how to do this and add users to something called the "sudoers" file.
Testing for Sudo Permissions
Before making any changes, you can first check to see whether you as a user already have sudo permissions by typing:
Type in your password and if you don't have sudo permissions, here's what you should see:
The above command is to check if you yourself can run sudo. If you're root however, and want to check if a particular user has sudo, here's the command:
sudo -U [username] -l
Replace [username] with the name of the user whose permissions you want to check. If sudo permissions do not exist, you should see this:
So once you've determined that a specific user can't run sudo, let's see now how to obtain that permission.
Using the "visudo" Tool
As with everything in Linux, we can make all the configuration changes via text files. And if we want, we can do the same here. However, this file is rather dangerous to edit manually like any other. The reason is that inconsistencies in this file can seriously mess things up. For example, you don't want multiple users to edit it simultaneously.
For this reason, there's a separate tool in Linux for handling the sudoers file called "visudo". This is just another version of the standard "vi" editing tool, but with some additional features. Its sole purpose is to edit the sudoers file and lock it against multiple editing attempts. Not only that, it performs some basic "sanity checks" and syntax verifications to prevent users from being locked out.
But Why is This File So Important?
Here's one scenario. One of the first security measures to harden a Linux server is to disable root logins. But before we do that, we must ensure that another user has the ability to run admin commands. If you omit this intermediate step, you'll suddenly be left in a situation where no one can run admin commands and you're locked out of root!
So visudo just ensures we didn't mess stuff up too badly with syntax errors and like.
Adding a Username to visudo
Open the sudoers file by typing:
Now scroll down all the way till you see this line:
"Allow root to run any commands anywhere"
You should find it somewhere towards the end of the file like this:
It should have the line below it:
root ALL=(ALL) ALL
Now add the following line just below:
[username] ALL=(ALL) ALL
As before, replace [username] with the name of the user to whom you want to give sudo permissions.
Once done, save your changes.
Testing Sudo Permissions
To check if the changes have gone through, re-run the command in the first step. This time, you should see a different message:
As you can see in the screenshot above, I now have the ability to run sudo commands! We can now proceed to the next step of disabling root logins for security reasons. After that, we can also disable password based logins and enforce it SSH keys instead. But that's for another tutorial!