Log of sudo commands

I recently discovered that a user on a server had accidentally killed my program. Many users on this server, including me, have sudo permissions, so I guess the kill was carried out using sudo. How do I find out who killed it?

Thankfully, all actions taken under sudo are logged in the /var/log/auth.log file. You will find entries of this form:

Sep 26 08:31:26 foobar-machine sudo:   joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 08:31:27 foobar-machine sudo: pam_unix(sudo:session): session closed for user root

You can see that all pertinent information is available in the log: who ran the command, what command and when.

Tried with: Ubuntu 16.04
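
To pull the who, what and when out of a log in the format shown above, here is an added example (not part of the original post) that filters sudo COMMAND entries by a command pattern. The function names sample_log and sudo_commands and the sample log lines are made up for this illustration.

```shell
#!/bin/sh
# Constructed sample lines in the /var/log/auth.log format shown above
# (the users alice and bob and their commands are made up for this example).
sample_log() {
cat <<'EOF'
Sep 26 08:31:26 foobar-machine sudo:   joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 09:02:11 foobar-machine sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/kill -9 4242
Sep 26 09:02:11 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
Sep 26 09:15:40 foobar-machine sudo:   bob : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/pkill -f myprog
EOF
}

# sudo_commands [REGEX]: read auth.log lines on stdin and print
# "time<TAB>user<TAB>command" for every sudo COMMAND entry whose command
# line matches REGEX (default: any command). Lines without a COMMAND field,
# such as the pam_unix session lines, are skipped.
sudo_commands() {
    awk -v re="${1:-.}" '
        {
            s = index($0, " sudo:")        # start of the sudo tag
            c = index($0, " ; COMMAND=")   # start of the command field
            if (s == 0 || c == 0 || c < s) next
            # The invoking user sits between "sudo:" and the first " : ".
            user = substr($0, s + 6, c - s - 6)
            sub(/^[ \t]+/, "", user)
            sub(/ : .*$/, "", user)
            # Everything after COMMAND= is the command line, spaces included.
            cmd = substr($0, c + 11)
            if (cmd ~ re)
                printf "%s %s %s\t%s\t%s\n", $1, $2, $3, user, cmd
        }'
}

# Who ran kill, pkill or killall through sudo?
sample_log | sudo_commands '(^|/)(kill|pkill|killall)( |$)'
```

On a real system, feed the log in instead of the sample, for example: sudo_commands '(^|/)(kill|pkill|killall)( |$)' < /var/log/auth.log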

PATH environment variable in sudo

Using sudo is a common, safe and recommended method to execute commands that require superuser privileges. However, sudo resets the PATH environment variable. So, some badly written installation scripts that require a particular PATH will fail in strange ways when run with sudo.

Here is some useful information about sudo and the PATH environment variable:

  • To ensure safety, sudo by default does not use the PATH environment variable of the user or that of root.

  • sudo also ignores the system-wide environment variables set in /etc/environment or in /etc/profile.d/*.sh.

  • The PATH variable for sudo is hardcoded to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

  • If you really want sudo to pick up the system-wide PATH or other environment variables, then try this:

    1. Set the PATH or environment variable in a new file named /etc/profile.d/name_anything.sh using export
    2. Start root shell using sudo su -
    3. Check if your path is correct: echo $PATH
    4. Run the command that requires superuser privilege.

Tried with: Ubuntu 14.04

sudoedit

When I need to edit files with superuser privileges, like those in the /etc directory, I used to do:

$ sudo vim /etc/hosts

This launches the editor with root privileges.

I recently learnt that there is a safer and more elegant way to do this: using sudoedit. This makes a temporary copy of the file you want to edit in /tmp and opens it in your favorite editor with normal user privileges. After you save the file, the original file is replaced with the updated copy.

To do this:

$ sudoedit /etc/hosts

Or equivalently:

$ sudo -e /etc/hosts

Tried with: Ubuntu 14.04

How to use sudo

  • To give sudo permissions to a user, say joe, add the user to the sudo group:
$ sudo adduser joe sudo
  • To run a command as superuser:
$ sudo some_command

The superuser privileges last for about 15 minutes in this shell session. Any other superuser commands you execute in this shell session within that time will not require you to enter the password.

  • To run a command as another user, say joe:
$ sudo -u joe some_command
  • If you want to execute many commands or need a shell with superuser:
$ sudo -s
  • To have all your environment variables when you execute sudo:
$ sudo -E some_command
  • To list the commands allowed for you:
$ sudo -l
  • To list the commands allowed for another user, say joe:
$ sudo -l -U joe

Tried with: Ubuntu 18.04