Use the visudo command to update the file /etc/sudoers; do not edit it manually.
Which password will be asked for? With the settings below, the default is the target user's password, and for group wheel, the source user's password:
Defaults targetpw
Defaults:%wheel !targetpw
A sudo entry has the following form:
<user> <host>=(<target_user>[:<target_group>]) <cmd>
Example:
alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill
%adm ALL=(ALL) NOPASSWD: ALL
Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root (or bin), possibly with the additional privileges of the operator or system group.
So alan may choose to run ls as the bin user with the operator group's privileges, like this:
# sudo -u bin -g operator /bin/ls /whatever/directory
[root@aix001]/etc/sudoers.d> cat zabbix
%AIXUSERS ALL=(root) NOPASSWD: /usr/bin/vi /etc/zabbix/*
%AIXUSERS ALL=(root) NOPASSWD: /etc/rc.d/init.d/zabbix-agent
%testaixgrp ALL=(root) NOPASSWD: /usr/bin/vi /etc/zabbix/*
%testaixgrp ALL=(root) NOPASSWD: /etc/rc.d/init.d/zabbix-agent
[root@aix001]/etc/sudoers.d> su - myaixuser01
[myaixuser01@aix001]/home/myaixuser01> sudo vi /etc/zabbix/zabbix_agentd.d/toto
[myaixuser01@aix001]/home/myaixuser01> sudo /etc/rc.d/init.d/zabbix-agent start
Zabbix agent started
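Entries like the ones shown above are worth reviewing before they are deployed. The following is an added example, not part of the original page or of sudo itself: a heuristic check that reads rules in the <user> <host>=(...) <cmd> form and reports passwordless ALL grants, rules that run an interactive editor as the target user, and wildcards in command arguments. The function names, the finding codes and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example: heuristic audit of sudoers-style rules (not a full parser).
# Finding codes (NOPASSWD-ALL, EDITOR, WILDCARD-ARGS) are names made up here.

audit_sudoers() {   # reads the files given as arguments, or stdin
    awk '
    # skip comments, blank lines, Defaults and alias definitions
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) part
        nopass = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)             # drop tags such as NOPASSWD:
        n = split(spec, cmds, /[ \t]*,[ \t]*/)       # one rule may list several commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, /[ \t]+/)
            base = w[1]; sub(/.*\//, "", base)       # program name without its directory
            args = substr(c, length(w[1]) + 1)
            if (c == "ALL" && nopass)                # any command, no password prompt
                printf "%d %s NOPASSWD-ALL %s\n", NR, who, c
            if (base ~ /^(vi|vim|view|ed|ex|nano|emacs|less|more)$/)
                printf "%d %s EDITOR %s\n", NR, who, c
            if (args ~ /[*?]/)                       # wildcards match across word boundaries
                printf "%d %s WILDCARD-ARGS %s\n", NR, who, c
        }
    }' "$@"
}

sample_rules() {    # constructed sample built from the entries on this page
    cat <<'EOF'
Defaults targetpw
alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill
%adm ALL=(ALL) NOPASSWD: ALL
%AIXUSERS ALL=(root) NOPASSWD: /usr/bin/vi /etc/zabbix/*
%AIXUSERS ALL=(root) NOPASSWD: /etc/rc.d/init.d/zabbix-agent
EOF
}

sample_rules | audit_sudoers
```

Each output line is the input line number, the user or group, the finding code and the command. For the EDITOR finding, sudoers(5) describes sudoedit and the NOEXEC tag as ways to let users edit files without running the editor itself as root.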
Change sudo default timeout (5 min):
root@nimprod /root> sudo -V | grep -i time
Lecture user the first time they run sudo
Authentication timestamp timeout: 120.0 minutes
Password prompt timeout: 5.0 minutes
Path to authentication timestamp dir: /var/run/sudo/ts
Type of authentication timestamp record: tty
Sudo log server timeout in seconds: 30
root@nimprod /root> grep -i time /etc/sudoers
Defaults timestamp_timeout=120
This command asks for the current user’s password rather than root.
It’s essentially the same as just running su in the shell, save for one crucial difference: instead of telling the system to “switch users” directly, you’re telling it to run the su command with superuser privileges. When sudo su is run, “.profile,” “.bashrc” and “/etc/profile” will be started, much like running su (or su root). If any command is run with sudo in front of it, it is given root privileges.
Though there isn’t a large divergence between sudo su and su, the former is still a very useful command for one important reason: when a user is running su to gain root access on a system, they must know the root password. With sudo su, root access is granted after asking for the current user’s password, which makes it possible to gain root without the root password.
This is useful in situations where you may have forgotten the root password if it’s different from the password for your user account. While you could do this in the meantime, you should still reset the root password at some point.
Using sudo -i is virtually the same as the sudo su command with one exception: it does not directly interact with the root user.
Much like sudo su, the -i flag allows a user to get a root environment without having to know the root account password. sudo -i is also very similar to using sudo su: it’ll read all of the environmental files (“.profile”, etc.) and set the environment inside the shell.
Where it differs from sudo su is that sudo -i is a much cleaner way of gaining root and a root environment without directly interacting with the root user.
To clarify: with sudo su, you’re using more than one root setuid command in the background. This makes it much more challenging to figure out which environmental variables will be kept and which will be changed (when swapping to the root environment). This is not true with sudo -i. Because of this, most people view it as the preferred method to gain root without logging in directly.
In simpler language: sudo -i will give you a “clean” root login in your “/root” folder, which is the “home” folder for the root user.
This command summons a shell with your $SHELL variable.
The -s switch for the sudo command reads the $SHELL variable of the current user executing commands. This command works as if the user is running sudo /bin/bash, if the shell the user comes from is bash.
In our case, sudo -s gave us the fish interactive shell, as we previously installed fish as our default shell, so it would be as if we ran sudo /usr/bin/fish.
Sudo -s is a “non-login” style shell. Unlike a command like sudo -i or sudo su, the system will not read any environmental files. When a user tells the shell to run sudo -s, it gains root but will not change the user environment. Your home will not be the root home, etc.
This command is best used when the user wants to switch over to root but keep the same shell environment.
A user with a nologin shell can't be reached with “su - user”, but you can use the following command instead:
runuser