Now that you know how to set sudo permissions, let’s see how to actually use it. First, let’s tell sudo that your account has permission to run any command. (You should have root access on your test machine, at least, so this won’t be a security issue.)
The easy way to accomplish this is to uncomment the sudoers entry allowing wheel members access to all commands.
%wheel ALL=(ALL) SETENV: ALL
As a user in wheel, check your sudo permissions.
$ sudo -l
Password:
Matching Defaults entries for mwlucas on this host:
env_keep+="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE",
env_keep+="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE",
env_keep+="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR",
env_keep+="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL",
env_keep+=WRKOBJDIR
User mwlucas may run the following commands on this host:
(ALL) SETENV: ALL
When sudo asks for a password, enter your own password, not the root password.
The -l flag tells sudo to show you which privileges and settings you have. In response, sudo parses /etc/sudoers and spits out all of the settings that apply to your account on this system. Any host-specific limitations are already evaluated and do not appear.
When you enter your password correctly, sudo records the time, and for the next five minutes, it remembers that you’ve recently entered your password and will work without requiring you to enter it again. After five minutes, you must reauthenticate. This simplifies work when entering a series of sudo commands, but it times out reasonably quickly.
You can tell sudo to forget your cached password by running sudo -k. You can control the number of minutes before sudo asks for the password again with the timestamp_timeout option in sudoers. Here, we tell sudo to not time out the password for 10 minutes:
Defaults timestamp_timeout=10
If you set the timeout to 0, sudo always asks for a password. If you set it to a negative value, sudo caches the password throughout this login session. You must run sudo -k to make sudo forget that you entered your password.
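One way to check a sudoers file for the timestamp_timeout values described above, as an added example that is not from the original text: the shell function below reads sudoers-format text on stdin and labels each setting as always-prompt (0), no-expiry (negative), extended (above the five-minute default), or ok. The sample text and the backup and deploy users in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit timestamp_timeout settings in sudoers-format text.
# Reads stdin; prints "<line-number> <value> <verdict>" for each setting.
# $1 = longest acceptable timeout in minutes (default 5, the window the text describes).
audit_timestamp_timeout() {
    awk -v max="${1:-5}" '
    # Matches Defaults, Defaults:user, Defaults@host and so on.
    # Commented-out lines start with "#" and therefore never match.
    /^[ \t]*Defaults/ {
        line = $0
        # One Defaults line can carry several comma-separated settings.
        while (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+(\.[0-9]+)?/)) {
            value = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^[^=]*=[ \t]*/, "", value)      # keep only the number
            if (value + 0 < 0)            verdict = "no-expiry"
            else if (value + 0 == 0)      verdict = "always-prompt"
            else if (value + 0 > max + 0) verdict = "extended"
            else                          verdict = "ok"
            print NR, value, verdict
        }
    }'
}

# Constructed sample sudoers text; the backup and deploy users are hypothetical.
SAMPLE_SUDOERS='# constructed sample, not from a real host
Defaults env_keep+="DESTDIR DISTDIR"
Defaults timestamp_timeout=10
#Defaults timestamp_timeout=-1
Defaults:backup timestamp_timeout=-1, !lecture
Defaults:deploy timestamp_timeout = 0
%wheel ALL=(ALL) SETENV: ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_timestamp_timeout
```

To audit a real host, run the function as root with /etc/sudoers on stdin and pass a different threshold as the first argument if your policy allows a longer window. Files pulled in through sudoers include directives have to be fed in separately.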
To run commands via sudo, just put the command name after the sudo command. For example, here’s how you would run tcpdump via sudo:
$ sudo tcpdump
The sudo command should prompt for your password. Enter it correctly, and tcpdump should run as root.
You can also run commands that include arguments under sudo. For example, I use tail -f to view the end of a log file and show new entries as they appear. But some log files are accessible only to root, such as the authentication log and the log that contains detailed sudo logs. You can view these logs without becoming root by using sudo.
$ sudo tail -f /var/log/authlog
You can configure sudoers to permit any combination of commands and arguments.
Earlier, you saw how to give some users permission to run commands as users other than root. Specify the user with the -u flag.
$ sudo -u _postgresql pg_dump
If you don’t have permission to run that command as that user, you’ll get an error.