INLS283 Sample Installation
January 14, 1999
Prof. Greg Newby

Sudo is a utility that lets a regular username run commands as root. It’s much better than "su" because:

1. It does better logging (who did what command)
2. You can specify which commands a username may run as root
3. It means fewer people need to know (or type) the root password

The main detriment is that if lots of people can sudo, then that means that all of their usernames are potential security holes, not just root. The sudo utility is for systems with more than one manager where they can all have their own (hopefully secure) passwords to do their work, without needing to know or type the root password.

The easiest way to install software with a RedHat Linux system is with "rpm," the RedHat Package Manager (called RPM, but the command to type is lowercase "rpm"). The RedHat CD comes with all of the packages that RedHat includes by default on it, and they can be installed with RPM.

Many 3^rd parties (that is, people other than the RedHat company) make RPM-ready software. The format is similar to a regular software source code distribution (not described in this write-up): it’s basically just one file that, when unpacked, contains several other files. The main difference is that RPM knows exactly where to put the files and what special things need to be done to them, if any (like changing file permissions).

Third party software RPMs are available from the same places as the RedHat distributions are on the Internet. To search for a sudo RPM, I looked through the directory ftp://metalab.unc.edu/pub/Linux/distributions/redhat/contrib. Eventually, I found the file sudo-1.5.3-6.i386.rpm in the i386 directory.

After finding the package file, installation was a snap. I took the very easiest route:

1. Logged into blue as gbnewby; then used "su –" to become root
2. Typed (all on one line)
   rpm -Uvh ftp://metalab.unc.edu/pub/Linux/distributions/redhat/contrib/i386/sudo-1.5.3-6.i386.rpm
3. Watched a little status bar that told me the software was being installed

Next, I needed to know how to actually use sudo. The rpm command doesn’t tell you much of what’s happening (you can add –vv to get more information). Luckily, I already knew that there was a file (usually /etc/sudoers) and a program to run to add to the file, visudo.

The problem was finding the file visudo to run. It’s almost always somewhere where the regular user wouldn’t find it (it’s usually not even in your search PATH – maybe to make it harder for hackers to find). I did this:

1. Typed "ls /usr/local/etc/visudo" but it wasn’t there (that’s where it is on Ruby)
2. Typed "ls /*/visudo" but it wasn’t anywhere in the top-level subdirectories
3. Typed "ls /*/*/visudo" and finally found it: /usr/sbin/visudo

Now, I was ready to run (as root) /usr/sbin/visudo and add this line:

gbnewby ALL=(ALL) ALL

This gives user ‘gbnewby’ the access to run any command via sudo. I tested it:

First I used "whoami" to prove that I’m gbnewby. I couldn’t look at /etc/shadow (the protected password file), but could with sudo!

The second time I tried sudo, to get a Unix shell, I wasn’t prompted. Sudo defaults to remember that you’ve been authenticated for a few minutes.

Overall, this experience with sudo was a success. I could have installed the source code from scratch, or even just ftp’d the sudo-1.5.3-6.i386.rpm file by hand and used "rpm –i –vv sudo-1.5.3-6.i386.rpm" to install it.

Additional information may be found in the SUDO FAQ at http://www.courtesan.com/sudo/.

PS: Where did I get the weird syntax for the rpm command I used? I’m on a RedHat announcements mailing list, and this is how they let you know about new things to add. Usually they just tell you the rpm filename, but I remembered having seen the easy approach before.

NOTE: A script file of the installation should be attached (but isn’t).