Sudo lets system administrators delegate to non-privileged users the ability to run commands as root or another user, and it logs what those users run, leaving an audit trail. The default installation of CentOS 6 does not include sudo, but it can be installed with yum.

yum -y install sudo

You can edit the /etc/sudoers file with any editor, but it is highly recommended to use the visudo command included with the install, as it checks for syntax errors. A simple typo in the sudoers file can lock you and other users out of privileged mode. If you don’t know the root password, or root login over SSH is disabled (a common security practice), you may need to gain physical access to the server and either log in locally as root to fix the problem, or even boot off external media to reset the root password (which causes downtime). These scenarios are not desirable, hence the suggestion to just use visudo.

Edit the sudoers file with visudo:


This file contains aliases (basically variables) and user specifications that define who may run what on what hosts.

In its simplest form, a rule defines a user, a host and a command. The following allows user “motorrobot” to run /etc/init.d/httpd restart as root on a host called www.

motorrobot www=(root) /etc/init.d/httpd restart


There are four kinds of aliases in sudoers: User, Runas, Host and Cmnd. For example, you can create a Host alias that contains all of your QA server names, so that defined users can run commands only on those servers. This keeps the sudoers file less bloated: instead of defining the same command for multiple users on multiple hosts, you associate it with a Host alias that contains all the hosts.

This is similar to the example above, but it allows the group qaweb to run the httpd restart command on all QAWWWSERVERS hosts. First we define QAWWWSERVERS as a Host alias that contains three QA web servers (wwwqa00, wwwqa01 and wwwqa02). Alias names in sudoers must start with an uppercase letter and contain only uppercase letters, digits and underscores, and the name used in the rule must match the definition exactly. qaweb is a group on the system (hence the % prefix), which differs from a User alias, which is created within sudoers.

Host_Alias QAWWWSERVERS = wwwqa00, wwwqa01, wwwqa02
%qaweb QAWWWSERVERS=(root) /etc/init.d/httpd restart
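
The four alias kinds mentioned above, combined in one fragment. This is an added example, not part of the original article: the user "alice", the "apache" run-as user, the status command and every alias name are assumptions chosen for illustration, while the host names and the qaweb group follow the article.

```sudoers
# Constructed example. Alias names must start with an uppercase letter
# and contain only uppercase letters, digits and underscores.

# Who: a named set of users (alice is a hypothetical account).
User_Alias   QAADMINS     = motorrobot, alice

# As whom: the target users a command may run as (apache is assumed).
Runas_Alias  WEBRUNAS     = root, apache

# Where: the QA web servers from the article.
Host_Alias   QAWWWSERVERS = wwwqa00, wwwqa01, wwwqa02

# What: exact commands with their arguments. Listing the arguments
# means "httpd stop" or any other argument is NOT permitted.
Cmnd_Alias   HTTPDCTL     = /etc/init.d/httpd restart, \
                            /etc/init.d/httpd status

# Members of QAADMINS may run the HTTPDCTL commands as root or apache,
# but only on the QA web servers.
QAADMINS  QAWWWSERVERS = (WEBRUNAS) HTTPDCTL

# A system group (prefixed with %) can reuse the same aliases.
%qaweb    QAWWWSERVERS = (root) HTTPDCTL
```

Saving the fragment to a scratch file and running visudo -c -f on that file checks its syntax without touching /etc/sudoers.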