SDB:Administer with sudo

Administering a system with sudo is safer than working as the root user. It also logs all commands run via sudo to /var/log/messages (this can be changed with Sudo logging). Sudo is installed by default.

Configuring Sudo

To enable sudo access for a user account, do the following.

sudo /usr/sbin/visudo

or when using GNOME

EDITOR=gedit gnomesu visudo

or when using KDE

EDITOR=kate kdesu visudo

By default, any user in the 'users' group can run sudo if they know the root password. This is changed later in this procedure. For now, answer the password prompt with the root password.

Setting group access

Find the entry for %wheel. This is the wheel group; the '%' tells sudo to match against a group name in /etc/group. Uncomment the line.

%wheel        ALL=(ALL)       ALL

Save and exit with :wq (not necessary when using gedit or kate).

Add the desired username to the wheel group. The new group membership takes effect for that user after the next login.

sudo /usr/sbin/usermod -aG wheel username

Edit the sudoers file again. This time remove the ability for every user to run sudo. Comment out these lines, save and exit.

#Defaults targetpw    # ask for the password of the target user i.e. root
#%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

In openSUSE 12.3 the second line may be:

#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

From now on, when running sudo, enter username's own login password instead of the root password.
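An added example (not part of the original page): a shell check that a sudoers file is in the state the steps above aim for, with `targetpw` and the blanket rule commented out and the `%wheel` rule active. The function name `audit_sudoers` and the sample file are assumptions made for illustration; the check reads only the file it is given and does not follow include directives.

```shell
#!/bin/sh
# audit_sudoers FILE: print one finding per line; return 0 only if FILE
# matches the end state of the procedure on this page.
audit_sudoers() {
    file=$1
    rc=0
    ws='[[:space:]]'
    # Matches "<who> ALL=(ALL) ALL" (also "(ALL:ALL)") on an uncommented line.
    rule="$ws+ALL$ws*=$ws*\\(ALL(:ALL)?\\)$ws*ALL($ws|#|\$)"

    # An active "Defaults targetpw" makes sudo ask for root's password.
    if grep -Eq "^$ws*Defaults$ws+targetpw($ws|#|\$)" "$file"; then
        echo "FAIL: 'Defaults targetpw' is still active"
        rc=1
    fi
    # The blanket rule lets every user (or everyone in 'users') run anything.
    if grep -Eq "^$ws*(ALL|%users)$rule" "$file"; then
        echo "FAIL: blanket 'ALL' / '%users' rule is still active"
        rc=1
    fi
    # Without an active %wheel rule, nobody keeps sudo access.
    if ! grep -Eq "^$ws*%wheel$rule" "$file"; then
        echo "FAIL: '%wheel ALL=(ALL) ALL' is not active"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: only %wheel has full sudo access, with the caller's own password"
    fi
    return "$rc"
}

# Constructed sample: the default state described above, before any edits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults targetpw
ALL ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
EOF
audit_sudoers "$sample" || echo "sample still needs the changes described above"
rm -f "$sample"
```

On a real system, run the function as root against /etc/sudoers, and use `visudo -c` to check the file's syntax.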

Running applications with root permissions in X

If you want to run X windows programs such as kate for editing, the recommended method is to use

 su -

to become the root user. Or you can use graphical su commands, for example

xdg-su -c

These behave like su rather than sudo. For local installations this can also be done with sudo: edit the sudoers file with /usr/sbin/visudo and add the DISPLAY and XAUTHORITY variables to this line:

 Defaults env_keep = "LANG..."

Additionally, the X server must be set to allow access for other users with the xhost program; see the xhost manpage. All of this lowers the security level of the machine, so please be aware of that.