Using sudo to Delegate Privileges
By default, Cumulus Linux has two user accounts: root and cumulus. The cumulus account is a normal user and is in the group sudo. You can add more user accounts as needed. Like the cumulus account, these accounts must use sudo to execute privileged commands.
sudo allows you to execute a command as the superuser or as another user, as specified by the security policy. See man sudo(8) for details.
The default security policy is sudoers, which is configured using the sudoers file; use /etc/sudoers.d/ to add to the default sudoers policy. See man sudoers(5) for details.
Use visudo only to edit the sudoers file; do not use another editor. See man visudo(8) for details.
When creating a new file in /etc/sudoers.d/, use visudo -f. This option performs sanity checks before writing the file, to avoid errors that prevent sudo from working.
Errors in the sudoers file can result in losing the ability to elevate privileges to root. You can fix this issue only by power cycling the switch and booting into single user mode. Before modifying the sudoers file, enable the root user by setting a password for the root user.
By default, users in the sudo group can use sudo to execute privileged commands. To add users to the sudo group, use the usermod(8) command. To see which users belong to the sudo group, see
Any command can be run as su. A password is
The example below shows how to use sudo as the non-privileged user cumulus to bring up an interface:
cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT qlen 500
    link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff
cumulus@switch:~$ ip link set dev swp1 up
RTNETLINK answers: Operation not permitted
cumulus@switch:~$ sudo ip link set dev swp1 up
Password:
cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT qlen 500
    link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff
The following examples show how to grant a user or group of users only the privileges necessary to perform the required task. Each example uses the system group noc; in sudoers, group names are prefixed with a %.
When executed by an unprivileged user, the example commands below must be prefixed with sudo.
Switch port info
Any apt-get command
Just apt-get update
Install ACL policies
List iptables rules
L1 + 2 features
Any LLDP command
L1 + 2 features
Just show neighbors
Modify any interface
Up any interface
Down any interface
Up/down only swp2
Any IP address chg
Only set IP address
Any bridge command
Add bridges and ints
Set STP properties
Restart any service
Add static routes
Delete static routes
Any static route chg
Any iproute command
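As an added example, not from the Cumulus documentation, the shell script below writes a sudoers fragment for %noc covering three of the tasks above (just apt-get update, up/down only swp2, list iptables rules) and vets it with visudo -c -f before anything reaches /etc/sudoers.d/. The command paths /usr/bin/apt-get, /sbin/ip and /sbin/iptables and the target file name /etc/sudoers.d/noc are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cumulus docs: build a least-privilege
# sudoers fragment for the %noc group and vet it before installing.
# Assumed paths (/usr/bin/apt-get, /sbin/ip, /sbin/iptables) are Debian
# defaults; confirm them with `command -v` on the switch.
# Print the fragment. Every rule names one exact command line.
sudoers_fragment() {
    cat <<'EOF'
# Just apt-get update: refresh package lists, nothing else from apt-get
%noc ALL=(root) /usr/bin/apt-get update
# Up/down only swp2: full argument list, no trailing wildcard
%noc ALL=(root) /sbin/ip link set dev swp2 up, /sbin/ip link set dev swp2 down
# List iptables rules: read-only views only
%noc ALL=(root) /sbin/iptables -L, /sbin/iptables -L -n -v
EOF
}

# In sudoers a '*' also matches whitespace, so "ip link set dev swp2 *"
# would accept extra arguments. Fail if any rule line carries a wildcard.
reject_wildcards() {
    ! grep -v '^#' "$1" | grep -q '[*?]'
}

# Vet a candidate file: wildcard lint, then visudo -c -f on a root-owned
# 0440 scratch copy (parses without installing). A broken file under
# /etc/sudoers.d/ can lock everyone out of sudo, so nothing goes there first.
check_fragment() {
    reject_wildcards "$1" || return 1
    copy=$(mktemp) || return 1
    cp "$1" "$copy" && chmod 0440 "$copy" || { rm -f "$copy"; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$copy" >/dev/null; rc=$?
    else
        # Not root or no visudo (build host): shape check only
        grep -Eq '^%noc ALL=\(root\) /' "$copy"; rc=$?
    fi
    rm -f "$copy"
    return "$rc"
}

# Install only after the check passes; the target must be root:root 0440.
install_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    check_fragment "$tmp" && sudo install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/noc
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```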