Ubuntu: Questions and Answers (2014)
Sudo
Skip to questions, Wiki by user braiam
sudo which is a short for "super user do", is the recommended way to do administrative tasks in Ubuntu. It's usage is more granulated and configurable than it's counterpart su.
This commands allows to:
· Run an specific command as some user.
· Execute an interactive shell as some user.
· Elevate privileges of certain commands.
The sudo binary is included in the sudo package, along other tools as visudo and sudoedit. The first is the recommended way to edit the sudoers file which includes the way sudo behaves, and sudoedit opens the default editor with super user privileges.
This command can be configured using the /etc/sudoers file. It follows a specific syntax so is recommended to always use visudo to prevent errors.
Questions
Q: How do I add a user to the "sudo" group?
Tags: sudo (Next Q)
In /etc/sudoers I see this:
# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
So how do I add a user to that sudo group?
Tags: sudo (Next Q)
User: coffee-grinder
Answer by maco
sudo usermod -aG sudo <username>
The a is very important. Without it they'll be removed from all other groups. You will need to either restart your shell/terminal or log out and back in for this to take effect.
See also:
· How can I add a new user as sudoer using the command line?
Answer by txwikinger
You can either use the user management GUI for it (same place where you create users), or use sudo adduser <username> sudo in the command line.
Answer by qbi
You can also use a graphical interface. Click on the gear on the top right of the panel, then select "System Settings" and then "User Accounts"
You need to click the little unlock button to be able to edit things in this window. Then click on the person's account and select the proper dropdown for "Account Type"
Tags: sudo (Next Q)
Q: How to avoid using sudo when working in /var/www?
Tags: sudo (Next Q)
I want to stop having to use sudo everytime I work in /var/www. How can I do that? I simply want to put all of my sites into this directory and work with them without too much pain.
Tags: sudo (Next Q)
User: taylorotwell
Answer by lekensteyn
Most answers here are not written with security in mind. It's good to get a feeling that running sudo each time is not very wise. If you make a typo (e.g. (do not execute) sudo rm -rf / var/www/dir), you might trash your system.
Bad ideas:
· chmod 777 (sagarchalise) - this allows anyone with access to your system write into the directories and files and thereby allowing the intruder to execute any code under the www-data user
· chgrp -R www-data $HOME (cob) - this allows www-data to read or write any files in the home directory. This is not keeping the Least Privilege rule in mind
· chown -R $USER:$USER /var/www (kv1dr) - unless the world has read permissions on /var/www, the webserver running under www-data will not be able to read (serve) the files. If the file is a public-accessible plain HTML document, it might not be an issue if the world can read the file. But if the file is a PHP file containing passwords, it is.
NOTE: in the below solutions, I've granted www-data write privileges. However, /usr/share/doc/base-passwd/users-and-groups.txt.gz states:
www-data
Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.
Where possible, do not grant write permissions to the www-data group. www-data only needs to be able to read the files so the webserver can serve it. The only case where www-data needs write permissions is for directories storing uploads and other locations which needs to be written.
Solution 1
Add yourself to the www-data group and set the setgid bit on the /var/www directory such that all newly created files inherit this group as well.
sudo gpasswd -a "$USER" www-data
Correct previously created files (assuming you to be the only user of /var/www):
sudo chown -R "$USER":www-data /var/www
find /var/www -type f -exec chmod 0660 {} \;
sudo find /var/www -type d -exec chmod 2770 {} \;
(even safer: use 640 or 2750 and manually chmod g+w file-or-dir that needs to be writable by the webserver)
Solution 2
Create a symlink for each project to your home directory. Say your project is located at ~/projects/foo and you want to have it located at /var/www/foo, run:
sudo ln -sT ~/projects/foo /var/www/foo
If your home directory has no execute bit (descend) set for other (for security reasons), change the group of it to www-data, but set the execute bit only (no read/write). Do the same for the ~/projects folder as it may contain other projects than www. (You don't need sudo if you have previously added your user to the www-data group.)
sudo chgrp www-data ~ ~/projects
chmod 710 ~ ~/projects
Set the group to www-data on ~/projects/foo and allow the webserver to read and write to files and files+directories and descend into directories:
sudo chgrp www-data ~/projects/foo
find ~/projects/foo -type f -exec chmod 660 {} \;
find ~/projects/foo -type d -exec chmod 2770 {} \;
Even safer: use 640 and 2750 by default and manually chmod files and directories that need to be writable by the webserver user. The setgid bit should be added only if you want every newly created file in ~/projects/foo to be accessible by the group.
From now on, you can access your site at http://localhost/foo and edit your project files in ~/projects/foo.
See also
· Permissions issue: how can Apache access files in my Home directory?
· Reasons why /var/www should not have chmod 777
Tags: sudo (Next Q)
Q: Error message when I run sudo: unable to resolve host (none)
Tags: sudo (Next Q), error-handling (Next Q)
I have this issue on AWS on some servers. Whenever I run sudo the terminal is stuck doing seemingly nothing, until it finally spits out this error message. My terminal looks like this:
ubuntu@(none):~$ sudo true
sudo: unable to resolve host (none)
What can I do to solve it?
Tags: sudo (Next Q), error-handling (Next Q)
User: kit-sunde
Answer by jeremy-kerr
Two things to check (assuming your machine is called my-machine, you can change this as appropriate):
1. That the /etc/hostname file contains just the name of the machine.
2. That /etc/hosts has an entry for localhost. It should have something like:
3. 127.0.0.1 localhost.localdomain localhost
4. 127.0.1.1 my-machine
If either of these files aren't correct (since you can't sudo), you may have to reboot the machine into recovery mode and make the modifications, then reboot to your usual environment.
Answer by lekensteyn
Edit /etc/hosts and add your new host name to the 127.0.0.1 line.
Mine looks like:
127.0.0.1 localhost
192.168.2.2 penguin
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Replace "penguin" in the above example by your new hostname as stated in the /etc/hostname file.
Answer by thor
Note, this is an answer to this question which has been merged with this one.
Your hostname (dave00-G31M-ES2L) is not represented in /etc/hosts. Add an L to this line:
127.0.1.1 dave00-G31M-ES2
So it becomes:
127.0.1.1 dave00-G31M-ES2L
In order to accomplish this, open a console (press Ctrl+Alt+T) and type:
sudo gedit /etc/hosts
Add the letter L as mentioned, save and exit.
Tags: sudo (Next Q), error-handling (Next Q)
Q: How to modify a invalid /etc/sudoers file? It throws out an error and not allowing me to edit again
Tags: sudo (Next Q)
How do I edit an invalid visudo file?
Here is what happens:
$ sudo visudo
>>> /etc/sudoers: syntax error near line 28 <<<
sudo: parse error in /etc/sudoers near line 28
sudo: no valid sudoers sources found, quitting
Tags: sudo (Next Q)
User: yumyumyum
Answer by eliah-kagan
On a modern Ubuntu system (and many other GNU/Linux distributions), fixing a corrupted sudoers file is actually quite easy, and doesn't require rebooting, using a live CD, or physical access to the machine.
To do this via SSH, log in to the machine and run the command pkexec visudo. If you have physical access to the machine, SSH is unnecessary; just open a Terminal window and run that pkexec command.
Assuming you (or some other user) are authorized to run programs as root with PolicyKit, you can enter your password, and then it will run visudo as root, and you can fix your /etc/sudoers.
If you need to edit one of the configuration files in /etc/sudoers.d (which in uncommon in this situation, but possible), use pkexec visudo -f /etc/sudoers.d/filename.
If you have a related situation where you have to perform additional system administration commands as root to fix the problem (also uncommon in this circumstance, but common in others), you can start an interactive root shell with pkexec bash. Generally speaking, any non-graphical command you'd run with sudo can be run with pkexec instead.
(If there is more than one user account on the system authorized to run programs as root with PolicyKit, then for any of those actions, you'll be asked to select which one you want to use, before being asked for your password.)
If that doesn't work--for example, if there are no users authorized to run programs as root via PolicyKit--then boot from an Ubuntu live CD (like the CD you probably used to install Ubuntu) and mount the filesystem for the installed system. You can do this by running sudo parted -l to view your partitions--there is probably just one ext4 partition, and that's the root filesystem.
Suppose the installed Ubuntu system's root filesystem is on /dev/sda1. Then you could mount it with sudo mount /dev/sda1 /mnt. Then you can edit the installed system's sudoers file with sudo nano -w /mnt/etc/sudoers. Or, even better, you can edit it with
sudo visudo -f /mnt/etc/sudoers
(which will prevent you from saving a sudoers file with incorrect syntax).
Answer by caesium
Always use visudo to edit your sudoers file, never edit it directly yourself. It will prevent you saving it to disk unless it validates.
Tags: sudo (Next Q)
Q: How do I run specific sudo commands without a password?
Tags: sudo
On one particular machine I often need to run sudo commands every now n then.
I am fine with entering password on sudo in most of the cases.
However there are three sudo commands I want to run without entering password:
· sudo reboot
· sudo shutdown -r now
· sudo shutdown -P now
How can i exclude these commands from password protection to sudo?
Tags: sudo
User: z9it
Answer by mgd
Use the NOPASSWD directive
You can use the NOPASSWD directive in your /etc/sudoers file.
If your user is called user and your host is called host you could add these lines to /etc/sudoers:
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
This will allow the user user to run the desired commands on host without entering a password. All other sudoed commands will still require a password.
Note! Use the command visudo to edit the sudoers file to make sure you do not lock yourself out of the system just in case you accidentally write something incorrect to the sudoers file.
Using /etc/sudoers.d instead of modifying /etc/sudoers
As an alternative to editing the /etc/sudoers file, you could add the two lines to a new file in /etc/sudoers.d e.g. /etc/sudoers.d/shutdown. This is an elegant way of separating different changes to the sudo rights and also leaves the original sudoers file untouched for easier upgrades.
Note! Again, you should use the command visudo to edit the file to make sure you do not lock yourself out of the system:
sudo visudo -f /etc/sudoers.d/shutdown
This also automatically ensures that the owner and permissions of the new file is set correctly.
If sudoers is messed up
If you did not use visudo to edit your files and then accidentally messed up /etc/sudoers or messed up a file in /etc/sudoers.d then you will be locked out of sudo.
The solution could be to fix the files using pkexec which is an alternative to sudo.
To fix /etc/sudoers:
pkexec visudo
To fix /etc/sudoers.d/shutdown:
pkexec visudo -f /etc/sudoers.d/shutdown
If the ownership and/or permissions are incorrect for any sudoers file, the file will be ignored by sudo so you might also find yourself locked out in this situation. Again, you can use pkexec to fix this.
The correct permissions should be like this:
$ ls -l /etc/sudoers.d/shutdown
-r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown
Use pkexec like this to fix ownership and permissions:
pkexec chown root:root /etc/sudoers.d/shutdown
pkexec chmod 0440 /etc/sudoers.d/shutdown
Tags: sudo
Q: How do I add a user to the "sudo" group?
Q: How can I add a new user as sudoer using the command line?
Q: What is the difference between "gksudo nautilus" and "sudo nautilus"?
Q: How to avoid using sudo when working in /var/www?
Q: Error message when I run sudo: unable to resolve host (none)
Q: How to modify a invalid /etc/sudoers file? It throws out an error and not allowing me to edit again
Q: How do I run specific sudo commands without a password?
Q: Run same command again but as root
Q: What does `!!` mean in `sudo !!`?
Q: Can sudo be reinstalled after being removed?