
Ubuntu Server Succinctly®
by José Roberto Olivas Mendoza


CHAPTER 3

Beginning with Ubuntu Server



Logging in

Ubuntu Server is loaded once the computer is powered on or restarted. After performing a series of tasks, the login screen appears.

Ubuntu Server login screen

The username and password chosen during installation must be entered in order to start an Ubuntu Server session. When the session begins, the command prompt appears on the screen.

Ubuntu Server command prompt

The command prompt has the following parts: the username, an @ (at) symbol, the hostname given to the computer during installation, the working directory (in this case the home directory, indicated by the ~ symbol), and a dollar sign ($), which indicates that a non-root user is logged in. The cursor is placed after the $ symbol at the end, waiting for the user to enter a command. Some concepts, like home directory or non-root user, will be explained later.

The sudo command

When Ubuntu Server was installed, a username and password were supplied to log into a session after installation. This user account lacks administrative privileges, so any attempt to execute a command that requires these privileges will be denied. But what if an administrative task must be done? The sudo command comes to save the day!

sudo stands for “super user do” and it’s generally pronounced as “sue dough.” When the user prefixes any command with sudo, it will run with elevated privileges. Elevated privileges are required to perform certain administrative tasks like shutting down or rebooting the computer.

For those who are used to Windows, sudo is very similar to the WUAC (Windows User Account Control) dialog box that pops up when you try to do anything important. This dialog box asks the user if they wish to continue, and if the answer is “yes,” the task is performed.

The story is more dramatic in Ubuntu; things might behave quite strangely without the proper permissions. A configuration file may not save correctly, or a previously installed program might simply refuse to run, but all that is needed is to ask for permission. And that’s when the sudo command comes into play.

When the user tries to issue the following command:

Code Listing 1

$ reboot

This command fails, citing: “must be superuser.” In this case, superuser refers to the root user, which holds all necessary permissions to perform any task. To avoid this failure, the sudo command is used, as shown in the following snippet.

Code Listing 2

$ sudo reboot

sudo asks for the current user password, and if it is supplied correctly, then executes the command indicated.

Note: The $ sign, which appears here and will appear in every given sample, refers to the Ubuntu Server command prompt. The user does not have to type it when entering commands.

Why is sudo better?

sudo is the best and safest way to get elevated privileges because the user doesn’t need to know the root password. Every time sudo is executed, the user’s password is required. 

Let’s look at another way of doing things. The switch user command su will ask the person who uses the computer for the root password. Then, it gives that person a superuser prompt identified by the # symbol. That # symbol means “Danger! You’re logged in as root!” The first command that this person issues may go well. But their forgetfulness will cause them to remain logged in as root. One bad typo, and bam! The entire hard drive is erased instead of that fake file that was downloaded. With sudo, that person has to enter sudo every time a command is issued. Thus, they don’t have to remember to switch back to regular user mode, and fewer accidents will happen.

The sudoers file

This file controls who can use the sudo command to gain elevated privileges. Generally, it is located at /etc/sudoers. The best and safest way to edit this file is by using the following command.

Code Listing 3

$ sudo visudo -f /etc/sudoers

This command will start the VI editor with elevated privileges so the user can edit the file and save it. The editor also will put a file lock on the sudoers file, avoiding edits by anybody else until it is saved. Also, before saving the file, the editor will parse it, looking for simple errors.

By default, the visudo command will edit /etc/sudoers, so the following sample is also valid for editing this file.

Code Listing 4

$ sudo visudo

The default sudoers file is configured to grant elevated privileges for the superuser (root) and for all members of the group admin. Also, all members of the group sudo can execute any command. Any user outside the admin and sudo groups cannot use the sudo command to gain elevated privileges. This default configuration is shown in the following figure.

 

The sudoers Default File

The sudoers file is composed of aliases (basically variables) and user specifications, which control who can run what.

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias, and Cmnd_Alias. An alias definition must be stored in the file using the following form.

Code Listing 5

Alias_Type NAME = item1, item2…

Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A name is a string of uppercase letters, numbers, and underscores starting with an uppercase letter. Several aliases of the same type can be placed on one line by separating them with colons (:) using the following form.

Code Listing 6

Alias_Type NAME1 = item1, item2… : NAME2 = item3

User aliases

User aliases allow you to specify groups of users. Usernames, system groups (prefixed by a %), and netgroups (prefixed by a +) can be declared, as shown in the following sample.

Code Listing 7

# Everybody in the system group "admin" is covered by the alias ADMINS

 User_Alias ADMINS = %admin

 # The users "tom", "dick", and "harry" are covered by the USERS alias

 User_Alias USERS = tom, dick, harry

 # The users "tom" and "mary" are in the WEBMASTERS alias

 User_Alias WEBMASTERS = tom, mary

 # You can also use "!" to exclude users from an alias

 # This matches anybody in the USERS alias who isn't in WEBMASTERS or ADMINS aliases

 User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS

Runas aliases

Runas aliases are almost the same as user aliases, but you are allowed to specify users by user IDs (UIDs). For example:

Code Listing 8

# Note the hash (#) on the following line indicates a uid, not a comment.

Runas_Alias ROOT = #15

# This is for all the admin users similar to the User_Alias of ADMINS set earlier

# with the addition of "root"

Runas_Alias ADMINS = %admin, root

In the previous example, the UID 15 is specified as a member of the ROOT alias. Then an alias ADMINS is defined with the admin group and the root user. Assuming the sudoers file has a command definition in which one or more commands need to be executed with superuser privileges, and that definition grants these privileges for both aliases (ROOT and ADMINS), the user with a UID of 15 will get superuser privileges.

Host aliases

A host alias is a list of hostnames, IP addresses, networks, and netgroups (prefixed with a +). If a netmask is not specified with a network, the netmask of the host’s Ethernet interface(s) will be used when matching.

Code Listing 9

# This is all the servers present in the network

 Host_Alias SERVERS = 192.168.0.1, 192.168.0.2, server1

 # This is the whole network

 Host_Alias NETWORK = 192.168.0.0/255.255.255.0

 # And this is every machine in the network that is not a server

 Host_Alias WORKSTATIONS = NETWORK, !SERVERS

 # This could have been done in one step with

 # Host_Alias WORKSTATIONS = 192.168.0.0/255.255.255.0, !SERVERS

 # But this method may be clearer.
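How the WORKSTATIONS alias above resolves for a given machine, as an added example (not code from the book or from sudo): a simplified Python model in which list members are checked left to right and the last member that matches decides, which is the list behaviour assumed here. The function names are hypothetical, netgroups and interface-derived netmasks are not modelled, and the alias name SERVERS is used throughout.

```python
import ipaddress

# Constructed from Code Listing 9; names and addresses are the chapter's sample data.
HOST_ALIASES = {
    "SERVERS": ["192.168.0.1", "192.168.0.2", "server1"],
    "NETWORK": ["192.168.0.0/255.255.255.0"],
    "WORKSTATIONS": ["NETWORK", "!SERVERS"],
}

def item_matches(item, hostname, address, aliases):
    """True or False when the item decides the match, None when it says nothing."""
    if item in aliases:                      # nested alias: evaluate its own list
        return list_matches(aliases[item], hostname, address, aliases)
    if item == "ALL":
        return True
    try:                                     # IP address or network/netmask
        network = ipaddress.ip_network(item, strict=False)
        return True if ipaddress.ip_address(address) in network else None
    except ValueError:                       # not an address: compare as a hostname
        return True if item == hostname else None

def list_matches(members, hostname, address, aliases=HOST_ALIASES):
    """Walk the list left to right; the last member that matches decides."""
    result = None
    for member in members:
        negated = member.startswith("!")
        verdict = item_matches(member.lstrip("!"), hostname, address, aliases)
        if verdict is not None:
            result = (not verdict) if negated else verdict
    return result

def in_alias(name, hostname, address):
    """True only when the host is positively matched by the named alias."""
    return list_matches(HOST_ALIASES[name], hostname, address) is True

if __name__ == "__main__":
    for host, addr in [("pc7", "192.168.0.50"), ("server1", "192.168.0.10"),
                       ("gw", "10.0.0.1")]:
        print(host, addr, in_alias("WORKSTATIONS", host, addr))
```

Writing the list in the opposite order ("!SERVERS, NETWORK") makes 192.168.0.2 match again in this model, so an exclusion belongs after the entry it carves a hole in.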

Command aliases

Command aliases are lists of commands and directories. You can use this to specify a group of commands. If you specify a directory, it will include any file within that directory, but not in any subdirectories.

Code Listing 10

# All the shutdown commands

 Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt

 # Printing commands

 Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm

 # Admin commands

 Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo

 # Web commands

 Cmnd_Alias WEB_CMDS = /etc/init.d/apache2

User specifications

User specifications are where the sudoers file sets who can run what as whom. It is the key part of the file, and all the aliases have just been set up for this very point. If this were a film, this is where all the key threads of the story come together in the glorious unveiling before the climactic ending. Basically, it is important, and without this, any prior setting in the file doesn’t make sense.

A user specification is in the following format:

Code Listing 11

<user list> <host list> = <operator list> <tag list>: <command list>

The user list is a list of users or a User_Alias that has already been set, the host list is a list of hosts or a Host_Alias, the operator list is a list of users they must be running as or a Runas_Alias, and the command list is a list of commands or a Cmnd_Alias.

The tag list allows you to set special things for each command. The PASSWD and NOPASSWD clauses can be used to specify whether the user must enter a password or not. NOEXEC can also be used to prevent any programs launching shells themselves (once a program is running with sudo as root, it has full root privileges, so it could launch a root shell to circumvent any restrictions in the sudoers file).

For example:

Code Listing 12

# This lets the webmasters run all the web commands on the machine

# "webserver" provided they give a password

WEBMASTERS webserver= WEB_CMDS

 # This lets the admins run all the admin commands on the servers

 ADMINS SERVERS= ADMIN_CMDS

 # This lets all the USERS run admin commands on the workstations provided

 # they give the root password or an admin password (using "sudo -u <username>")

 USERS WORKSTATIONS=(ADMINS) ADMIN_CMDS

 # This lets "harry" shut down his own machine without a password

 harry harrys-machine= NOPASSWD: SHUTDOWN_CMDS

 # And this lets everybody print without requiring a password

 ALL ALL=(ALL) NOPASSWD: PRINTING_CMDS

Shutting down the computer without a password

Every time a shutdown command is issued using sudo, the password for the current user is required to execute it. This can be annoying for the server administrator. There’s a way to remove the password requirement for shutdown commands, and this is accomplished by editing the sudoers file.

For security reasons, making a backup copy of the default sudoers file is suggested. The following command can do this task.

Code Listing 13

$ sudo cp /etc/sudoers /etc/sudoers.bak

cp is the command for copying files or directories. In this case, the copy of the default sudoers file will be stored in sudoers.bak. The sudo command is used to avoid an “access denied” error when cp attempts to copy the sudoers file.

Note: The first time the sudo command is issued, Ubuntu will ask for the password belonging to the user logged in. After that, the next time sudo is executed, sudo won’t ask for the user password again until a 15-minute period has elapsed. This behavior can be changed using the timestamp_timeout option in the sudoers file (e.g., timestamp_timeout = 3 will shorten the timeout period to three minutes).

The following command will open the file for editing.

Code Listing 14

$ sudo visudo

There are two modes in the visudo editor: Command Mode, which is accessed by pressing the Esc key, and Insert Mode, which is accessed by pressing the I key. The user is always in one of them.

To move around the sudoers file, the user must press the Esc key and use the arrow keys to place the cursor where changes need to be made. Then, pressing the I key will switch visudo to Insert Mode where text can be entered.

First, a Cmnd_Alias needs to be created in order to specify which commands must be considered for shutting down the computer.

Code Listing 15

#Add this line below "# Cmnd alias specification" section

Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot

In the previous example, a SHUTDOWN_CMDS alias is created. It groups the commands poweroff, halt, and reboot, which are located in the /sbin directory and perform all operations for shutting down the computer.

Then, a user specification must be created to assign SHUTDOWN_CMDS to the user who is responsible for server administration.

Code Listing 16

#Add this after the "%admin ALL = (ALL) ALL" line

<username> ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

In this case, <username> must be replaced with the username of the person responsible for server administration. This specification indicates that every time sudo attempts to execute any command from the SHUTDOWN_CMDS alias and the username corresponds to the server administrator, no password will be required.

Once the previous lines are added, the sudoers file should look like the following figure.

The sudoers File After Being Edited

To save all changes made, press Esc to enter Command Mode. Then, type :w and press Enter to save changes to the disk. To exit visudo, type :q and press Enter. Typing :q! and pressing Enter will exit visudo without saving any changes.

At this moment, if you issue a sudo command with any of those specified in the SHUTDOWN_CMDS alias, you won’t need to provide a password, and the command will be executed as expected.

To shut down the computer, the server administrator can type the following:

Code Listing 17

$ sudo poweroff

Tip: A backup copy of any file should be made before making modifications to it.
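To review which commands can run without a password once rules like the ones in this chapter are in place, the following added example (not from the book and not part of sudo) parses a sudoers-style text and lists every NOPASSWD grant from the user specifications, with each Cmnd_Alias expanded. It assumes one user and one host per rule and no line continuations; the function name, the "review" flag (set when a rule covers every user or every command) and the username svradmin are made up for illustration.

```python
import re

# Constructed input: rules from Code Listings 10, 12 and 16; "svradmin" is a
# made-up username standing in for <username>.
SAMPLE = """\
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm
ADMINS SERVERS= ADMIN_CMDS
harry harrys-machine= NOPASSWD: SHUTDOWN_CMDS
ALL ALL=(ALL) NOPASSWD: PRINTING_CMDS
svradmin ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"([A-Z_]+):\s*")
SKIP_RE = re.compile(r"^(#|Defaults|\w+_Alias\b)")

def nopasswd_grants(text):
    """Return one dict per user specification that skips the password prompt."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    aliases = {}
    for line in lines:  # pass 1: collect command aliases
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    grants = []
    for line in lines:  # pass 2: user specifications
        m = None if SKIP_RE.match(line) else SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmd_text = m.groups()
        nopasswd, cmds = False, []
        for item in cmd_text.split(","):
            item = item.strip()
            while (tag := TAG_RE.match(item)):  # a tag stays in force for later commands
                if tag.group(1) in ("PASSWD", "NOPASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            if nopasswd:
                cmds.extend(aliases.get(item, [item]))  # expand Cmnd_Alias names
        if cmds:
            grants.append({"user": user, "host": host, "runas": runas or "root",
                           "commands": cmds,
                           "review": user == "ALL" or "ALL" in cmds})
    return grants

if __name__ == "__main__":
    for grant in nopasswd_grants(SAMPLE):
        print(grant)
```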

Chapter summary

This chapter began with a description of logging in to Ubuntu Server. The rest of the chapter focused on how the sudo command works. sudo is the most important command in Ubuntu, and is used to grant superuser privileges to any command that is executed along with it. It’s the best option for doing administrative tasks because every time such a task ends its execution, sudo revokes the elevated privileges and brings the system to a normal user state. This forces the use of sudo for every administrative command, helping you avoid fatal accidents. When the sudo command is used, the system asks for the active user password. This behavior can be modified using the sudoers file. The sudoers file tells the sudo command which users can gain superuser privileges, and in some cases, how certain commands must be executed, and by whom. The chapter ended with an example that explains how to shut down the computer with no password request by the sudo command.
