SH - Sudo (substitute user, do; originally superuser do)

1 - About

sudo executes a single command as another user, by default root, after authenticating the caller (normally with the caller's own password, not the target user's).

sudo determines who is an authorized user, and what that user may run, by consulting the sudoers configuration files (the sudoers security policy).


3 - Example

sudo -H -u otheruser command


  • -H: sets the HOME environment variable to the home directory of the target user (depending on the policy defaults this may already be the default behaviour)
  • -u: run the command as the specified user instead of root, the default. The target user must be permitted by the Runas list of a matching sudoers rule; the password asked for is still the caller's own.

4 - Configuration Files

4.1 - sudoers syntax

The sudoers file is composed of two types of entries: aliases (named lists of users, hosts, run-as targets and commands) and user specifications (who may run what).

When multiple entries match for a user, they are applied in order; where they conflict, the last match wins, which is not necessarily the most specific one.


4.1.1 - Alias

Aliases are basically variables that can be used in the user specification. There are four kinds.

  • User_Alias - a list of users (a name beginning with % denotes a group)

User_Alias ADMINS = jsmith, mikem
User_Alias WEBMASTERS = will, wendy, wim

  • Runas_Alias - determines the user and/or the group that a command may be run as.

Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

Example with a user specification:

dgb boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm

A Runas list in parentheses applies to every command that follows it until the next one, so the user dgb may run on the host boulder:

  • /bin/ls as adm or oper (ADMINGRP),
  • /bin/kill and /usr/bin/lprm as root

sudo -u oper /bin/ls
sudo -u adm /bin/ls
sudo /bin/kill

  • Host_Alias - a list of hosts (host names, IP addresses, networks or netgroups)

Host_Alias SERVERS = master, mail, www, ns

  • Cmnd_Alias - a list of commands, given as absolute paths, optionally with arguments. Example:

Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh

4.1.2 - User specification

User specifications specify who may run what, on which host, as which user, and under which tags. The basic one-line form is:

who host = (runas_user[:runas_group]) [TAG:] command, command, ...

where who is a user name, a %group or a User_Alias; an omitted Runas list means root; a tag such as NOPASSWD or NOEXEC carries over to the commands that follow it in the list until the opposite tag appears; and ALL matches anything in every position.

The full grammar is given in EBNF in the sudoers(5) manual page (search for the section User specification).

For example, with the rule

%wheel ALL=(ALL) NOPASSWD: ALL

every user in the group wheel may run:

  • on any machine: ALL (host)
  • as any user: (ALL) (run as)
  • without any password: NOPASSWD: (tag)
  • any command: ALL (command)

4.2 - sudoers files

4.2.1 - /etc/sudoers

The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.

Open the sudoers file with visudo, which locks it against concurrent edits and checks the syntax before the new file is installed (never edit /etc/sudoers directly: a syntax error locks everybody out of sudo):

sudo visudo

4.2.2 - /etc/sudoers.d/

The last line of /etc/sudoers includes every drop-in file found in the directory /etc/sudoers.d/, so additional rules can be added there without editing the main file (packages and cloud agents do this).

That last line is not a comment, even though it starts with #: sudoers treats #include and #includedir as directives, and every other line starting with # is a comment. Since sudo 1.9.1 the unambiguous spellings @include and @includedir are also accepted.

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Drop-in files are parsed in sorted lexical order. Files whose name contains a dot or ends with ~ are skipped (so editor backups and package leftovers such as file.rpmnew are ignored), and, like /etc/sudoers, each file should be owned by root with mode 0440. A syntax error in any drop-in breaks sudo as a whole, so check a new file with visudo -c before relying on it.

For example, on Azure virtual machines the Linux agent adds a drop-in file named waagent in this directory.
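The following Python script, added here as an example and not part of this page or of sudo itself, installs a drop-in the way #includedir expects it: it rejects names that sudo would skip, validates the rule with visudo -c -f before the file becomes visible under its final name, and puts it in place root-owned with mode 0440 through an atomic rename. The render_rules helper, the powercenter rule used in main and the /etc/sudoers.d default are this example's own assumptions; actually installing requires root and the --install flag.

```python
"""Install a sudoers drop-in safely (added example, not sudo's own tooling)."""
import os
import subprocess
import sys
import tempfile

SUDOERS_D = "/etc/sudoers.d"  # assumed default includedir


def valid_dropin_name(name):
    """sudo skips drop-ins whose name contains '.' or ends in '~'; refuse path separators too."""
    return bool(name) and "/" not in name and "." not in name and not name.endswith("~")


def render_rules(user, commands, runas="ALL", nopasswd=False):
    """Build one user-specification line per command; only absolute paths are accepted."""
    for cmd in commands:
        if not cmd.startswith("/"):
            raise ValueError(f"command must be an absolute path: {cmd!r}")
    tag = "NOPASSWD: " if nopasswd else ""
    return "".join(f"{user} ALL=({runas}) {tag}{cmd}\n" for cmd in commands)


def install_dropin(name, rules, directory=SUDOERS_D):
    """Write rules to directory/name: temp file -> 0440 root:root -> visudo check -> rename."""
    if not valid_dropin_name(name):
        raise ValueError(f"name {name!r} would be ignored by #includedir")
    # The temp name starts with '.tmp-', so sudo ignores it even if it is left behind.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(rules)
        # visudo -c also checks owner and mode, so fix them before validating.
        os.chmod(tmp, 0o440)
        os.chown(tmp, 0, 0)
        # visudo -c -f parses only the given file; a bad rule never reaches its final name.
        subprocess.run(["visudo", "-c", "-f", tmp], check=True, capture_output=True)
        os.rename(tmp, os.path.join(directory, name))
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    rules = render_rules(
        "powercenter",
        ["/sbin/service infa start", "/sbin/service infa stop"],
        nopasswd=True,
    )
    print(rules, end="")
    # Only touch /etc/sudoers.d when explicitly asked and running as root.
    if len(sys.argv) > 1 and sys.argv[1] == "--install" and os.geteuid() == 0:
        install_dropin("powercenter", rules)
```

Run it without arguments to see the rendered rule; run it as root with --install to write /etc/sudoers.d/powercenter. Rendering only absolute paths and validating with visudo before the rename are what keep a typo from taking sudo down for every user.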


4.3 - /etc/sudo.conf

The configuration of the sudo front end itself (which policy and I/O logging plugins to load, paths, debug settings) is in the file /etc/sudo.conf. It is distinct from the sudoers policy in /etc/sudoers, and a default installation works without it.


5 - Management

See section 4.1 for the language of the configuration file.

5.1 - wheel / sudo admin group

If the wheel line in /etc/sudoers is uncommented, the members of the group wheel become administrators:

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL) ALL

Any user in the group wheel can run any command on any host as any user, after entering their own password. Debian and Ubuntu use the group sudo for the same purpose (%sudo ALL=(ALL:ALL) ALL, where the second ALL also allows any target group with -g).

Check who is in the group:

getent group wheel


5.2 - Allow a user to run a command

In a sudoers file add the following rules:

userName ALL=(ALL) NOPASSWD: /full/path/to/command
# or
userName ALL=(ALL) NOPASSWD: /full/path/to/command ARG1 ARG2

The first form allows the command with any arguments; the second only with exactly ARG1 ARG2. To allow the command with no arguments at all, append "" (two double quotes) after the path. Avoid wildcards in arguments: a * matches any characters, including spaces, so /bin/cat /var/log/* also permits /bin/cat /var/log/messages /etc/shadow. Do not grant NOPASSWD on programs that can spawn a shell or edit arbitrary files (editors, pagers, interpreters), since that amounts to root without a password.

Example: allow the powercenter user to start and stop its services

powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa start
powercenter  ALL=(ALL) NOPASSWD: /sbin/service infa stop

5.3 - Disable password prompt

Disable the password prompt for all commands. This makes the account equivalent to root with no password at all, so reserve it for automation accounts whose own credentials are already protected; for interactive users prefer NOPASSWD on a short list of specific commands (see 5.2).

  • Open the sudoers file.

sudo visudo

  • Append the following line at the bottom of the sudoers file (when several entries match, the last one wins, so a rule appended at the end overrides earlier ones for that user):

<username> ALL=NOPASSWD: ALL

Without a Runas list the commands may only be run as root; write <username> ALL=(ALL) NOPASSWD: ALL to allow any target user.

  • Save the file and exit the editor; visudo checks the syntax before installing the file and offers to re-edit if there is an error.
  • The rule takes effect on the next sudo invocation. No logout is needed; only changes to group membership (such as adding the user to wheel) require a new login.
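To review rules like those in 5.2 and 5.3 before they go live, the following Python audit script (an added example, not sudo's own tooling) parses the one-line user-specification form from 4.1.2, tracking the Runas list and tags that carry over within a command list, and flags passwordless ALL grants, commands known to spawn a shell, wildcards in arguments, and commands allowed with arbitrary arguments. The SAMPLE_SUDOERS text and the SHELL_ESCAPES list are constructed for the example; aliases, Defaults lines, include directives and line continuations are not handled.

```python
"""Audit sudoers user specifications for risky grants (added example)."""
import re

# who host = rest ; the host field cannot contain '=' (names, netgroups, aliases, ALL)
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
# (runas_user[:runas_group]) in front of a command; applies to later commands too
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*")
# TAG: in front of a command; a tag persists until overridden by its opposite
TAG_RE = re.compile(
    r"^(?P<tag>(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT)):\s*"
)
# Programs that hand the caller an interactive shell (editors, pagers, interpreters).
# Partial list with assumed paths, for this example only.
SHELL_ESCAPES = {
    "/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash", "/bin/su", "/usr/bin/su",
    "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more",
    "/usr/bin/find", "/usr/bin/python3", "/usr/bin/perl",
}

# Constructed sample, not a real host's file.
SAMPLE_SUDOERS = """\
# constructed sample for the audit example
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
powercenter ALL=(ALL) NOPASSWD: /sbin/service infa start, /sbin/service infa stop
backup  ALL=(root) NOPASSWD: /usr/bin/vim /etc/backup.conf
www     ALL=(root) /bin/cat /var/log/httpd/*
dgb     boulder = (ADMINGRP) /bin/ls, (root) /bin/kill, /usr/bin/lprm
"""


def _set_tag(tags, tag):
    """Add a tag, dropping its opposite (PASSWD cancels NOPASSWD and vice versa)."""
    opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
    tags.discard(opposite)
    tags.add(tag)


def parse_spec(line):
    """Return {'user', 'host', 'entries': [(runas, tags, command), ...]} or None."""
    line = line.strip()
    if not line or line[0] in "#@":
        return None  # comment, or an include directive we do not follow
    if line.startswith(("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    runas, tags, entries = "root", set(), []  # no Runas list means root
    for item in m.group("rest").split(","):
        item = item.strip()
        if not item:
            continue
        r = RUNAS_RE.match(item)
        if r:
            runas = r.group("runas") or "root"
            item = item[r.end():]
        while (t := TAG_RE.match(item)):
            _set_tag(tags, t.group("tag"))
            item = item[t.end():]
        if item:
            entries.append((runas, frozenset(tags), item.strip()))
    return {"user": m.group("user"), "host": m.group("host"), "entries": entries}


def audit(sudoers_text):
    """Return (line_number, severity, message) for each entry worth a second look."""
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        spec = parse_spec(line)
        if spec is None:
            continue
        who = spec["user"]
        for runas, tags, cmd in spec["entries"]:
            binary = cmd.split()[0]
            if cmd == "ALL":
                if "NOPASSWD" in tags:
                    findings.append((lineno, "HIGH", f"{who}: any command as ({runas}) without a password"))
                else:
                    findings.append((lineno, "INFO", f"{who}: any command as ({runas}); full admin, review membership"))
            elif binary in SHELL_ESCAPES:
                findings.append((lineno, "HIGH", f"{who}: {binary} can spawn a shell as {runas}"))
            elif "*" in cmd:
                findings.append((lineno, "MEDIUM", f"{who}: wildcard in '{cmd}' also matches extra arguments"))
            elif not binary.startswith("/"):
                findings.append((lineno, "MEDIUM", f"{who}: '{binary}' is a Cmnd_Alias or relative name; expand it first"))
            elif cmd == binary:
                findings.append((lineno, "LOW", f'{who}: {binary} accepts any arguments; append "" to allow none'))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_SUDOERS):
        print(f"line {lineno} [{severity}] {message}")
```

On the sample, the deploy and backup lines come out HIGH (passwordless ALL, and an editor that can run :!sh even though its file argument is pinned), the www wildcard is MEDIUM, and the powercenter rules produce nothing because each command is an absolute path with fixed arguments.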

5.4 - Test if allowed

Run sudo with the -l flag to list the commands the caller may run, or sudo -l command to check one specific command: the full path is printed when it is allowed, and nothing is printed and the exit status is non-zero when it is not. sudo -v only validates the caller's credentials and refreshes the cached timestamp without running anything. root can list another user's privileges with sudo -l -U username.

Example with the su command

$ sudo -l su

[sudo] password for gerard:

If a user who is not listed in the sudoers file tries to run a command via sudo without the -l or -v flags, the attempt is logged and mail is sent to the proper authorities, as defined at configure time or in the sudoers file (defaults to root).

6 - Documentation / Reference

  • sudo(8), sudoers(5) and visudo(8) manual pages