Acting Like root with sudo
As you know by now, logging in as root gives you the power to make changes across the entire Unix system, not just within the directories and files that you individually have permissions to access, read, or modify. Of course, having all this power also comes with responsibilities: not to screw up the entire system, among other possibilities. Especially as you're learning about system administration, you may want to experiment with these skills using sudo instead of logging in as root. With the sudo utility, you can run some commands as if you were root, but it's not as risky as being root. The real root user has to give permission to use sudo, and sometimes the permission is limited to using specific utilities, so you'll have to experiment.
Code Listing 16.1. The sudo command lets you do things that you can't do as a normal user, but that isn't as risky as being root.
[jdoe@frazz jdoe]$ cd /var/log
[jdoe@frazz log]$ tail messages
tail: messages: Permission denied
[jdoe@frazz log]$ sudo tail messages
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
Jan 25 06:01:01 frazz CROND: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Jan 25 06:01:01 frazz CROND:(mail)CMD(/usr/bin/python-S/var/lib/mailman/cron/qrunner)
Jan 25 06:01:01 frazz su(pam_unix): session opened for user news by (uid=0)
Jan 25 06:01:01 frazz su(pam_unix): session closed for user news
Jan 25 06:01:02 frazz msec: unable to run chage: chage: unknown user: ejray
Jan 25 06:01:03 frazz msec: changed mode of /var/log/news/nntpsend.log from 660 to 640
Jan 25 06:02:00 frazz CROND:(mail)CMD(/usr/bin/python-S/var/lib/mailman/cron/qrunner)
Jan 25 06:03:00 frazz CROND:(mail)CMD(/usr/bin/python-S/var/lib/mailman/cron/qrunner)
Jan 25 06:04:00 frazz CROND:(mail)CMD(/usr/bin/python-S/var/lib/mailman/cron/qrunner)
Jan 25 06:04:17 frazz sudo:jdoe : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail messages
[jdoe@frazz log]$
Note that all uses of sudo are logged. If your system administrator won't be happy with your experimenting with being root, don't use sudo on any system other than your own. In Code Listing 16.1, we show the difference between being a normal user and acting with authority with sudo.
To act like root with sudo:
1. cd /var/log; tail messages
As plain-old you, try to look at the system log files in /var/log. On a Linux system, it's usually /var/log/messages; on a Solaris system, it's usually /var/adm/messages. Other Unix flavors will have other, but similar, locations.
Note that some of these files will require root access to view them, while others won't. If you can view a file as you, then choose a different file to see how sudo helps.
2. sudo tail messages
After permission was denied on the previous attempt, use sudo before the command to try to issue the same command with root authority.
3. Enter your password after the interesting warning, and then note that the command succeeded this time (see Code Listing 16.1).
After you've used sudo once, you can use it again within a specific amount of time (usually five minutes) without entering your password again.
Some versions of sudo have pretty entertaining prompts if you mess up your password (Code Listing 16.2). You're likely to irritate your system administrator tremendously if you try to look at these on purpose, though.
If you haven't been given permission (not just technical permission, but actual, "you may do this" permission) to use sudo, don't. Everything that happens with sudo is logged, and you'll probably have to answer for your actions.
Whenever possible, it's better to use sudo only when you need it than to become root. Any typo can be problematic, and it's a good thing to have to consciously add sudo when you want to act with root authority.
Code Listing 16.2. More surprisingly, sudo has a sense of humor.
1001 jdoe@foo $ sudo ls
Password:
My mind is going. I can feel it.
Password:
Take a stress pill and think things over.
Password:
He has fallen in the water!
sudo: 3 incorrect password attempts
1002 jdoe@foo $
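Because every use of sudo is logged, an administrator can review those entries. The following Python example is added here (it is not from the original text): it parses sudo entries in the format of the last log line in Code Listing 16.1 and separates commands that ran from flagged events such as the failed password attempts in Code Listing 16.2. The function names parse_sudo_line and summarize, the user asmith, and the last two sample lines are constructed for illustration, and the exact log wording is an assumption that can vary between sudo versions.

```python
import re
from collections import Counter

# sudo syslog format as in Code Listing 16.1; also accepts "sudo[pid]:" and padding.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sudo(?:\[\d+\])?:\s*(?P<user>\S+)\s:\s(?P<body>.*)$"
)

def parse_sudo_line(line):
    """Return a dict describing one sudo log line, or None for other lines."""
    m = SUDO_LINE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "user": m["user"],
             "note": None, "COMMAND": None}
    # COMMAND= is the last field and may contain " ; ", so split it off first.
    head, sep, command = m["body"].partition(" ; COMMAND=")
    if sep:
        event["COMMAND"] = command
    for field in head.split(" ; "):
        key, eq, value = field.strip().partition("=")
        if eq and key.isupper():
            event[key] = value             # TTY, PWD, USER (the run-as account)
        elif field.strip():
            event["note"] = field.strip()  # e.g. "3 incorrect password attempts"
    return event

def summarize(lines):
    """Count successful runs per (user, run-as user); collect flagged events."""
    ran, flagged = Counter(), []
    for ev in filter(None, map(parse_sudo_line, lines)):
        if ev["note"]:
            flagged.append(ev)
        else:
            ran[(ev["user"], ev.get("USER"))] += 1
    return ran, flagged

# First two lines are from Code Listing 16.1; the last two are constructed samples.
SAMPLE = [
    "Jan 25 06:01:01 frazz CROND: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)",
    "Jan 25 06:04:17 frazz sudo:jdoe : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail messages",
    "Jan 25 06:09:40 frazz sudo[2211]:     jdoe : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/ls",
    "Jan 25 06:12:03 frazz sudo:   asmith : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages",
]

if __name__ == "__main__":
    ran, flagged = summarize(SAMPLE)
    for (user, runas), n in ran.items():
        print(f"{user} ran {n} command(s) as {runas}")
    for ev in flagged:
        print(f"FLAG {ev['ts']} {ev['user']}: {ev['note']} ({ev['COMMAND']})")
```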