Performing administration tasks using sudo
How to perform tasks requiring root privileges without logging in as root.
sudo command allows users to gain administrative or root access. When trusted users precede an administrative command with
sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
Only users listed in the
/etc/sudoers configuration file are allowed to use the
sudo command. The command is executed in the user’s shell, not a root shell.
The syntax for the sudo command is as follows:
COMMAND with the command to run as the root user.
Add users to the
/etc/sudoers configuration file to allow them to use the
sudo command. For these users, the
sudo command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.
The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the
visudo command to edit the
/etc/sudoers configuration file.
To assign full administrative privileges to a user, type
visudo and add the following line to the user privilege section after replacing
USERNAME with the target user name:
USERNAME ALL=(ALL) ALL
This line allows the specified user to use
sudo from any host and execute any command.
To allow a user access to specific commands, use the following example after replacing
USERS with a target system group:
%USERS localhost=/usr/sbin/shutdown -h now
This command allows all members of the
USERS system group to issue the
/sbin/shutdown -h as long as the command is issued from the console.
The man page for
sudoers has a detailed listing of options for this file.
If you use a single user desktop, you might find it convenient to configure
sudo, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
Become the root user:
$ su -
Enter the password for the root account when prompted.
To use your regular password for the root access, run:
# usermod USERNAME -a -G groupname
USERNAMEwith your account name
Log off and back on in order to have access to the group.
Each successful authentication using the
sudo command is logged to the
/var/log/messages file. For each authentication, the
/var/log/secure file lists the user name and the command that was executed.
For additional logging, use the
pam_tty_audit module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your
session required pam_tty_audit.so disable=pattern enable=PATTERN
PATTERN with a comma-separated list of users (and globs, if needed).
For example, the following command enables TTY auditing for the root user and disables it for all other users:
session required pam_tty_audit.so disable=* enable=root
pam_tty_audit PAM module for auditing only records TTY input. As a result, when the audited user logs in,
pam_tty_audit records the user’s exact keystrokes and saves them in
/var/log/audit/audit.log. For more information, see the pam_tty_audit(8) manual page.
You must use the user account you created following the installation process, at first boot, for daily use and the root account only for system administration. Avoid using root for any non-administration usage, since the account makes it easy to create security or data risks.
There are several potential risks to keep in mind when using the
sudo command. You can avoid them by editing the
/etc/sudoers configuration file using
sudo stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the
/etc/sudoers configuration file:
VALUE is the desired timeout length in minutes. Setting the value to 0 causes
sudo to require a password every time.
If an account is compromised, an attacker can use
sudo to open a new shell with administrative privileges.
Opening a new shell as a root user in this way allows an attacker administrative access for a theoretically unlimited period of time and bypasses the timeout period specified in the
/etc/sudoers file. Using this method, the attacker does not need to provide a password for
sudo again until the session ends.
Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the
su command to become root.
Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while
It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows
sudo to provide logging and audit functionality.
sudoas shown in Using sudo to assign administrator privileges.
Create an alias for running the docker command by adding the following line to your
alias docker="sudo /usr/bin/docker"
When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.
You can enable
root access without a password specified, allowing any process on your system to become
root. Add the following line to your
user ALL=(ALL) NOPASSWD: /usr/bin/docker
This will allow
user to access docker without a password.
For security reasons, it is recommended that you always use
Want to help? Learn how to contribute to Fedora Docs ›