4:22 visudo is not editing the sudoers directly, it is doing it through a temporary file that is checked for correctness on exiting, this is a protective measure since you may lose admin access if you mess up the file.
Yes, as it says in the man page: visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors.
I used to teach Unix/Linux system administration. In those days logging in as root was acceptable practice. Then it was log in as an ordinary user then su to root. 2 different passwords had to be known. Now it's log in as ordinary user and sudo with same password. Seems less secure to me. I'm retired now. On my home network I use sudo -i to become root instead of keying sudo for every command. bash history logs all of the commands.
FYI, doing rm -r /* as root is not instantaneous disaster as some claim. It takes a long time to wipe out a system because there are thousands of files to remove.
Of course as root one must ALWAYS work carefully. Make backup of config files before changing them. Document your changes in the config file and a separate log file. For any command that is potentially destructive key your command, read it carefully a couple of times, think about it, edit as necessary, think again before pressing enter. Accuracy comes with practice but never get overconfident. Sometimes the fingers, eyes and brain do not correctly coordinate.
I enjoy your videos. Thanks for investing all of those heartbeats into them.
You need to be listed on the /etc/sudoers file in order to use sudo.
Did you know that those "incidents" get reported to Santa.
xkcd to the rescue!
And this whole time I just been retyping. Thank you sudo !!
Also !* stands for the arguments of the previous command, !:- for the previous command without arguments, !c for the last command that starts with c, and !n for the nth command in your history.
History navigation is a more useful skill than most people think.
@@akkesm Wow, thanks for the info. I probably didn't know that until now.
I’m learning all kinds of goodies today
Your keyboard doesn't come with UP arrow and HOME key? , , sudo, has worked for decades.
I just wanted to say thank U Gary! I learn so much from your vids, and I hope U continue doing this great GE stuff, because I think I'm not alone learning something new from your vids, either novice or power-user. I think there's something to learn for all levels of users, so thanks again Gary and keep up the good vids!
Glad you like them!
Thank you Gary, I love sysadmin-related videos.
Superb Gary.
Glad you enjoyed it
Great video, thank you
One important thing of sudo in a multi user system is the logging so you can trace important changes.
However you also should limit commands that can be executed using sudo. Perhaps an idea to explain this in a next video.
Be warned: It is also possible to do something like 'sudo csh' to start a cshell as root.
Yes, the idea of limiting sudo for certain commands for certain users/groups is something that seemed so "wow" for me when I first read about it in some manuals. However, me being the single user for my machines I have not found a use for that, but the idea is still something very interesting and I would like to hear how system administrators use it.
@@tomsmansvards Also as single user on a system you should protect your system. Run (maintenance) cron jobs only with the rights needed, to protect the system from errors. E.g. an archiver needs read rights to a lot of locations, however only write to the current backup/archive location. As user it is nice if you can read and copy the archive. However you can protect it by preventing delete/modify. You protect yourself from errors with the archive/backup (also in scripts) by limiting rights.
I really enjoyed this... Didn't know sudo was that configurable.
What about the fields with ALL? Can we restrict some commands on specific groups? Or maybe some repositories? I would love a bit more advanced video on sudo
Another nice feature is the ability to allow users to execute specific commands as root without a password. For instance on my Debian machine, dmesg can only be used by root (because of the read access on /proc/kmsg) so I have the following sudoers rule to allow my user foobar to do a 'sudo dmesg' without a password:
foobar ALL = (root) NOPASSWD: /bin/dmesg ""
The empty argument "" after dmesg is there to prevent sudo from accepting additional arguments.
WARNING: An attacker could abuse a command argument to read or write protected file.
Other typical uses of that feature are load/unload of kernel modules and also write into protected /sys files (e.g. change the cpufreq governor, flush the disk caches before running a benchmark, ...).
Also, users can run the command 'sudo -l' to get a summary of all relevant sudoers rules.
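An added example, not part of any comment here and not part of sudo: a small shell helper that classifies one sudoers rule line the way the comments above describe the risks (everything allowed, a root shell such as csh allowed, or a command listed without an argument restriction like the `""` after dmesg). The function name `classify_rule` and the sample lines are constructed for illustration, and aliases are not expanded.

```shell
#!/bin/sh
# classify_rule LINE -> prints SKIP, WIDE_OPEN, SHELL, ARGS_OPEN or OK.
# Hypothetical audit helper; handles plain "user host = commands" lines only.
classify_rule() {
    line=$1
    case $line in
        ''|'#'*|Defaults*|*_Alias*|@include*) echo SKIP; return 0 ;;
        *=*) ;;
        *) echo SKIP; return 0 ;;
    esac
    # Keep only the command list: drop (runas) specs and tags like NOPASSWD:
    cmds=$(printf '%s\n' "${line#*=}" | sed -E 's/\([^)]*\)//g; s/[A-Z_]+://g')
    rank=0
    while IFS= read -r c; do
        # Normalise whitespace so path and arguments split on one space.
        c=$(printf '%s\n' "$c" | sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//')
        [ -n "$c" ] || continue
        path=${c%% *}
        args=${c#"$path"}
        case ${path##*/} in
            ALL) r=3 ;;                               # any command at all
            sh|bash|csh|tcsh|zsh|ksh|dash|su) r=2 ;;  # interactive root shell
            *) if [ -z "$args" ]; then r=1; else r=0; fi ;;  # no args listed = any args accepted
        esac
        if [ "$r" -gt "$rank" ]; then rank=$r; fi
    done <<EOF
$(printf '%s\n' "$cmds" | tr ',' '\n')
EOF
    case $rank in
        3) echo WIDE_OPEN ;;
        2) echo SHELL ;;
        1) echo ARGS_OPEN ;;
        *) echo OK ;;
    esac
}

# Constructed sample rules (not taken from a real system).
while IFS= read -r l; do
    printf '%-10s %s\n' "$(classify_rule "$l")" "$l"
done <<'EOF'
foobar ALL = (root) NOPASSWD: /bin/dmesg ""
foobar ALL = (root) NOPASSWD: /bin/dmesg
alice ALL = (root) /bin/csh
ALL ALL = NOPASSWD: ALL
EOF
```

A file being prepared for /etc/sudoers.d can also be syntax-checked before it is installed with `visudo -c -f FILE`.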
Nice! Thanks. I would be interested in a more in depth follow up.
Great video, I like the way you explain things. Thanks Gary! Question: I am just starting to learn command lines, are there books or tutorials that you can recommend to really learn how to use command lines? Much appreciated.
I would suggest you start with this video ruclips.net/video/CpTfQ-q6MPU/видео.html and then watch all the videos in my Linux playlist.
@@GaryExplains thanks so much!! I will check them out. You see, there are tons of people who know a lot, but not everyone knows how to explain things in a clear and concise way, not everyone knows how to teach.
Brilliant! Never knew that “bang bang” was “pling pling”.
*GARY!!!*
*Good Evening Professor!*
*Good Evening Fellow Classmates!*
Stay safe out there everyone!
MARK!!!
Ah.. magical spell of sudo
There’s a lot of bits of Unix that make sense if you have a hundred users logged into a single system like the mini computers and dumb terminals of old.
On machines where security is not important, I like to 'sudo echo "ALL ALL = NOPASSWD: ALL" > /etc/sudoers.d/wideopen'
Very nice !
Very interesting, not sure I'll change anything as I am the only Linux user on my network.
Garry, "The sudo sorcerer".
Gary bro, what is task threshold and adaptive lmk?
Thank you! I wanted to setup a no password sudo account. This made it very easy :D
I can't believe you didn't mention the insults.
TL;DR add "Defaults insults" and using sudo with sausage fingers becomes waaaay more entertaining.
Yeah, I skipped over that deliberately. I don't think insulting people for fun is a good idea.
Hey Gary, all this commands shit just looks like 1970s computing to me. When are we going to have implementations by one click on Linux? Man, this is the 21st century!
We are not going to be clicking keyboards forever!
OK, I will fix that straight away. Just let me create world peace and solve world poverty and then I will be laser focused on this issue. 😂
Removing the sudo password was one of the worst ideas in the RasPi
"sudo make me a sandwich"
make: *** No rule to make target 'me'. Stop.
You are not in the sudoers file, this incident will be reported
bash: command not found
Undo´s brother !
.phony me:
i don't need sudo, I'M ROOT!!!!!!
fun fact, in italian "io sudo" means "i sweat"
same in Spanish: yo sudo
That's the best command.
Not a Linux user, but sometimes I use Linux system and use cmd "sudo- su" what is that
Sudo su logs you into root
Think of it this way.
Superuser do switch user
No user specified, so you must be root, who is the God of the system. For there must always be a user.
"sudo !!" will probably be the most useful one for me although I did something like up arrow then home then type "sudo " which is also very fast.
Thanks for revealing the "super" powers.
`Ctrl+e` takes you to the end of the line, `Ctrl+a` takes you to the beginning. `Ctrl+f` takes you forward one character, `alt+f` takes you forward one word, same commands with `b` will do the reverse. Because the shell uses emacs key bindings.
Also sudo su - username is another way to accomplish sudo -i -u username
Su does stand for substitute user. Saying switch user is also acceptable. But claiming that it stands for superuser is unacceptable because 90% of the time we use it, we're already root and we are becoming someone else to test that user's environment permissions. Sudo is almost universally preferable to actually becoming root.
Sorry, but "90% of the time we use it, we're already root" might be true for you, but that has never been true for me. When I started using Unix back in the 90s it was common for people around me to call su superuser because you substitute user to root who is the superuser. PS. I love your confidence in declaring what is acceptable and what is not acceptable. LOL.
David can edit sudoers and disable lecture...
OpenDoas > sudo
sudo -- the magic wand of Linux
Sorry for my quip.
visudo opening nano 🤔
There are details in the visudo man page about how it chooses the editor. The term "visomethingorother" comes from the vipw legacy.
not in sudo group, but can sudo just fine...
You can list individual users on the sudoers file.
666 likes, 6 dislikes, and 6100 views
My second comment
sudo is pronounced sudo and not sudo
Wow, my first "First!" comment