The sudo Command
The [command]#sudo# command offers another approach to giving users administrative access. When trusted users precede an administrative command with [command]#sudo#, they are prompted for *their own* password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the `root` user.
The basic format of the [command]#sudo# command is as follows:
[command]#sudo# _command_
In the above example, _command_ would be replaced by a command normally reserved for the `root` user, such as [command]#mount#.
The [command]#sudo# command allows for a high degree of flexibility. For instance, only users listed in the `/etc/sudoers` configuration file are allowed to use the [command]#sudo# command and the command is executed in *the user's* shell, not a `root` shell. This means the `root` shell can be completely disabled as shown in the link:++https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/++[Red{nbsp}Hat Enterprise{nbsp}Linux{nbsp}7 Security Guide].
Each successful authentication using the [command]#sudo# command is logged to the file `/var/log/messages` and the command issued along with the issuer's user name is logged to the file `/var/log/secure`. If additional logging is required, use the `pam_tty_audit` module to enable TTY auditing for specified users by adding the following line to your `/etc/pam.d/system-auth` file:
session required pam_tty_audit.so disable=pass:quotes[_pattern_] enable=pass:quotes[_pattern_]
where _pattern_ represents a comma-separated list of users, optionally using globs. For example, the following configuration will enable TTY auditing for the `root` user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
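The [command]#sudo# entries written to `/var/log/secure`, described above, can be reviewed with a short script. The following is an added example, not part of the original guide; it assumes the default syslog line layout that [command]#sudo# writes, and the sample lines, host name and the user `maria` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real host) in sudo's default syslog layout.
SAMPLE_LOG = """\
Mar  3 10:15:01 server1 sudo:    juan : TTY=pts/0 ; PWD=/home/juan ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt
Mar  3 10:16:40 server1 sudo[2211]:   maria : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/maria ; USER=root ; COMMAND=/sbin/shutdown -h now
Mar  3 10:17:05 server1 sudo:    juan : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/juan ; USER=root ; COMMAND=/bin/sh -c echo a ; id
Mar  3 10:17:09 server1 sshd[900]: Accepted publickey for juan from 192.0.2.10 port 50022 ssh2
"""

# COMMAND= is the last field, so it is matched to the end of the line: the
# command itself may contain " ; ", which a naive split on " ; " would break.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<failure>[^;]*?) ; )?"          # present only on denied/failed attempts
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for a sudo log entry, or None for any other line."""
    m = SUDO_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None


def review(log_text):
    """Return (events, failures): all sudo events and failed attempts per user."""
    events = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    failures = Counter(e["user"] for e in events if e["failure"])
    return events, failures


if __name__ == "__main__":
    events, failures = review(SAMPLE_LOG)
    for e in events:
        status = e["failure"] or "ok"
        print(f'{e["user"]:<8} as {e["runas"]:<5} [{status}] {e["command"]}')
    print("failed attempts per user:", dict(failures))
```

To run it against a real system, pass the contents of `/var/log/secure` to `review()` instead of `SAMPLE_LOG`; reading that file normally requires `root` privileges.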
Another advantage of the [command]#sudo# command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the [command]#sudo# configuration file, `/etc/sudoers`, should use the [command]#visudo# command.
To give someone full administrative privileges, type [command]#visudo# and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user, `juan`, can use [command]#sudo# from any host and execute any command.
The example below illustrates the granularity possible when configuring [command]#sudo#:
%users localhost=/sbin/shutdown -h now
This example states that any member of the `users` system group can issue the command [command]#/sbin/shutdown -h now# as long as it is issued from the console.
The man page for `sudoers` has a detailed listing of options for this file.
Important