Sudo

From Wikipedia, the free encyclopedia



sudo (superuser do, or substitute user do), generally pronounced IPA: [sudʊ], is a program for Unix-like operating systems such as BSD, Mac OS X, and Linux that allows users to run programs with the security privileges of another user (normally the system's superuser), subject to a per-user, per-command policy and with every invocation logged. By default it is installed as /usr/bin/sudo. The binary is setuid root, which is what lets an unprivileged caller obtain the target user's privileges; the decision whether a particular invocation is permitted is made by sudo's own policy check, not by the kernel.


Usage

Users must confirm their identity to sudo by supplying a password, by default their own rather than the target user's, before the requested program runs. Once authentication has taken place, and if the /etc/sudoers file grants the user the requested command, the system runs the command and logs the invocation (calling user, terminal, working directory, target user and command line). sudo remembers a successful authentication for a short period (5 minutes in the upstream default; distributions may change it), so invocations that follow closely do not prompt again. In a GUI environment, graphical frontends such as kdesu and gksudo are used to launch administrator-only applications like the Synaptic Package Manager. Mac OS X also has a GUI frontend to sudo, which is used for various applications, such as Software Update.

A console example, where the user is not allowed access:

snori@rimu:~$ sudo vi /etc/resolv.conf
    
 We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:
   
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
    
 Password:
 snori is not in the sudoers file.  This incident will be reported.

Below is the log of this failed attempt, then a later successful one, after snori has been added to /etc/sudoers (the su entry between them is the root session in which that change was made):

snori@rimu:~$ sudo tail /var/log/auth.log
 Aug  5 06:00:28 localhost sudo:    snori : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snori(uid=1000)
 Aug  5 06:02:09 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:02:49 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

Ubuntu and Mac OS X are well known for routing all administrative access through sudo: the root account is locked by default (it has no usable password), so there is no shared root password to guard or leak, and every privileged action is tied in the log to the individual user who performed it. A root password can still be set, via the passwd tool in Ubuntu and NetInfo Manager in Mac OS X, but doing so gives up that accountability.

Configuration

The configuration file /etc/sudoers specifies which users can run which commands, as which target user, and on which hosts; many distributions also include fragments from /etc/sudoers.d. Because sudo is strict about the file's format, and a syntax error makes sudo refuse to run at all (locking every administrator out at once on a system with no root password), editing should always be done with the provided visudo tool, which locks the file against concurrent edits and checks the syntax before installing the result. visudo -c checks an existing file without editing it.
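An added example of a sudoers fragment, not taken from the article or from the sudo project: the user name snori, the file name /etc/sudoers.d/snori and the command paths are assumptions for illustration. It puts two rules that look reasonable but amount to a root shell beside the narrower forms that keep sudo's log meaningful:

```sudoers
# Added example fragment (hypothetical /etc/sudoers.d/snori); not from the article.
# Syntax: user  host = (target_user) command [arguments]

# Weak (shown commented out for contrast): a full shell as root. sudo logs one
# line, COMMAND=/bin/bash, and nothing that happens inside that shell afterwards.
# snori   ALL = (root) /bin/bash

# Also weak, though it looks narrow: vi has a shell escape (":!sh"), so a user
# granted this can obtain a root shell just as easily as with the line above.
# snori   ALL = (root) /usr/bin/vi /etc/resolv.conf

# Better: sudoedit copies the file to a temporary location, runs the user's
# editor on the copy unprivileged, and writes the result back as root, so an
# editor shell escape yields only the user's own shell.
snori   ALL = sudoedit /etc/resolv.conf

# Narrow grants with fixed arguments; sudo logs each invocation with its full
# command line, and any other argument to tail is refused.
Cmnd_Alias  READLOG = /usr/bin/tail /var/log/auth.log
snori   ALL = (root) READLOG
```

Install it with visudo -f /etc/sudoers.d/snori, which edits that file with the same locking and syntax check as the main file, or verify an existing copy with visudo -c -f /etc/sudoers.d/snori. sudo requires sudoers files to be owned by root with mode 0440.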

History

sudo was originally written by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo, and the current version is maintained by OpenBSD developer Todd C. Miller and distributed under a BSD-style license.

Shell logging

sudo logs only the command line it was asked to run, not what that command goes on to do. If a user has permission to run a shell through sudo and executes sudo -s, the log records a single entry for the shell itself, and none of the commands executed within that shell are logged. The same gap applies to any permitted program with a shell escape, such as vi. To log commands within a shell, sudo needs to be paired with another tool, e.g. sudosh, which offers the user a logged shell and can itself also be used as a login shell. Later sudo releases (1.7.4 onward) added their own session I/O logging, enabled with the log_input and log_output options in sudoers and replayed with sudoreplay.
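The gap described above can at least be watched for in the log sudo does write. The script below is an added example, not part of the article or of sudo itself; it runs over constructed auth.log-style lines (the host name, user names, times and the /bin/bash entry, which is what sudo -s records when the caller's shell is bash, are all made up) and reports the refusals together with the granted commands after which sudo's own log goes silent: shells, and editors or pagers with a shell escape.

```sh
#!/bin/sh
# Added example, not from the article or from sudo itself.
# Scans sudo entries in an auth.log-style log and reports (a) refusals and
# (b) granted commands after which sudo cannot see what the user does.
# The log lines are constructed for the example; host, users and times are made up.
SAMPLE_LOG='Aug  5 06:00:28 localhost sudo:    snori : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
Aug  5 06:02:09 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
Aug  5 06:05:41 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/bin/bash
Aug  5 06:07:03 localhost sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Aug  5 06:09:12 localhost sudo:    alice : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update'

# Number of invocations sudo refused: caller not in sudoers, or too many bad passwords.
count_rejected() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -c -E 'sudo: .*(user NOT in sudoers|incorrect password attempts)'
}

# One "user command" pair per invocation sudo granted (refusals filtered out).
granted() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -E ' sudo: .* ; COMMAND=' |
        grep -v -E 'user NOT in sudoers|incorrect password attempts' |
        sed -E 's/^.* sudo: +([^ ]+) : .*COMMAND=([^ ]+).*$/\1 \2/'
}

# Granted commands that hand the caller an interactive shell, directly or via
# an escape; from that point on sudo's own log records nothing further.
escape_risk() {
    granted | awk '
        $2 ~ /\/(sh|bash|dash|zsh|ksh)$/ { print $1, $2, "shell"; next }
        $2 ~ /\/(vi|vim|less)$/          { print $1, $2, "editor-with-shell-escape" }'
}

echo "rejected: $(count_rejected)"
escape_risk
```

Run against a real log, replace the printf of SAMPLE_LOG with cat /var/log/auth.log (or whichever file the syslog configuration sends the authpriv facility to); the two pattern lists in escape_risk are the place to add any other program in the local sudoers that can spawn a shell.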
