The sudo command has been mentioned several times throughout this tutorial, so you may already understand its basics and what it does. As mentioned earlier, the basic purpose of the sudo command is to run tasks as the root user account. This is much safer than simply logging in to the computer as root, as sudo asks you for the root password, which is your reminder that the task you’re about to perform is technically reserved for root. While logged into the system as root itself, there are no password prompts, even if you are about to accidentally do something catastrophic to the system. We may be technical people, but even the smartest person is prone to making a mistake from time to time. This is why sudo is generally preferred over logging in to the root account itself. As mentioned earlier, many distributions, such as Ubuntu (as well as Mint), leave the root account disabled by default. It’s generally safer this way.

Although we’ve gone through the basic functionality of sudo, we have yet to take a look at how it actually works. The sudo command stands for super user do and executes whatever command you type in after sudo as if root was the account performing the task. However, not everyone can use sudo. In Mint, a user can be given rights to use sudo by setting the user as an Administrator using the Users and Groups tool. However, this is not the only way.

The sudo package in Mint works the same way as in other distributions. The file that controls access to use sudo is /etc/sudoers. There are various declarations of users and groups that are allowed to use sudo inside this file. However, unlike most configuration files in Linux, it’s not a good idea to edit this file directly as doing so may cause corruption. Any system that has sudo installed has the visudo command available as well. The “ vi” portion of the visudo command refers to the vi text editor, which comes standard in many distributions. However, don’t let the name fool you; you can use other text editors to edit the sudoers file. However, for good measure, you must edit it through the visudo command.

If you enter the sudo visudo command, your default text editor will open, displaying the contents of the /etc/sudoers file. In the case of Mint, the default text editor in the terminal is nano, so the /etc/sudoers file will open in the nano text editor when you run this command. If for some reason it opens in a different text editor, you can explicitly indicate which text editor you would like to use by using the following command:

sudo EDITOR=nano visudo

For the preceding example, a little explanation is in order. The first part is easy; we’re using sudo, which means that we would like to run the rest of the command as root. The word EDITOR in uppercase is a variable declaration, which we’ve not talked about much yet. In a nutshell, we’re setting the EDITOR variable to equal nano. (We’ll discuss Bash shell variables in further detail in Chapter 11, Advanced Administration Techniques.) In this case, we’re explicitly indicating that we would like to utilize the nano text editor. Then, we execute the visudo command, which tells the system that we would like to edit the /etc/sudoers file. As we declared our editor as nano, the system will open the file in nano. That’s quite a bit of instruction for just one small line in our Linux shell.

So, now that you have the file open and in your terminal, what do you do with it? Feel free to use your arrow keys to scroll through and peruse the file. There will be a few lines of interest, such as the following one:

root    ALL=(ALL:ALL) ALL

With the preceding line, you can see that the root account has access to sudo in its entirety. If you wanted to, you could add the following line just below it (or anywhere in the file, really) to give complete access to sudo on any other user account:

jdoe    ALL=(ALL:ALL) ALL

However, before you do that, go down a few more lines, where you’ll likely see the following line:

%sudo    ALL=(ALL:ALL) ALL

Here, we see the declaration that any member of the sudo group has the same access as root does. Therefore, if you want to give a user access to sudo, all you have to do is add that user to the sudo group, and you won’t need to touch this file at all. However, there’s certainly more to visudo than this. If you would like, you can limit a user to a specific command. Also, you can suppress the password prompt for a command if you like.

For example, let’s give our user jdoe the access to update the system and install applications. This can be done using the following command line:

jdoe ALL=/usr/local/bin/apt

In the previous example, we’re allowing the user jdoe to specifically use the apt command (which is used to install packages). If we wanted to, we could also remove the password requirement for apt using the following command line:

jdoe ALL= NOPASSWD: /usr/local/bin/apt

Now, the user jdoe has access to the apt command, and it won’t even prompt him or her for the password. Of course, you should only do this if you believe that the user will not only install and remove packages wisely, but they will also not allow someone else to sneak up to their desk and cause havoc while they are away.

You may be wondering what each field in the sudoers line represents. For example, consider the following command line:

jdoe    ALL=(ALL:ALL) ALL

The first item is self-explanatory; it is the username that you’re editing permissions for. The first ALL represents the host name, tying the command to a specific machine. The second ALL and the third ALL correspond to which user and group, respectively, you’re able to run the command from (in this case, all users). The fourth ALL clarifies which commands the user can run as sudo (in this case, all commands).

Another trick with sudo allows you to temporarily switch to the root account for an entire session. In all examples so far, we’ve used the sudo command in front of every command that needed root privileges. However, what if we want to run a bunch of commands as root and don’t want to use sudo every time? To do this, we use the following command:

sudo -s

The sudo -s command will prompt you for your password as usual, but after it does so, it will actually switch your logged-in user to that of root. Therefore, each command you perform will be performed as root until you type exit at the end of the sudo session. Of course, be very careful when utilizing this mode.