sudo

"SUDO" redirects here. For the non-profit organisation, see Sudan Social Development Organization.

Developer(s): Todd C. Miller
Stable release: 1.8.13 (March 21, 2015)
Written in: C
Operating system: Unix-like
Type: Privilege authorization
License: ISC-style[1]
Website: www.sudo.ws

sudo (/ˈsuːduː/[2] or /ˈsuːdoʊ/[2][3]), or super do, is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser, or root).[4] Its name is a contraction of "substitute user do", meaning to do something as a different user (typically as root, the "superuser").[5]

Unlike the related su command, users typically supply their own password to sudo rather than the root password. After authentication, and if the /usr/local/etc/sudoers configuration file (sometimes found at /etc/sudoers) permits the user access, the system invokes the requested command. The sudoers file is highly configurable. Options include, but are not limited to: enabling root commands only from the invoking terminal; requiring a password per user or group; and requiring re-entry of a password every time, or never requiring a password at all, for a particular command line. It can also be configured to permit passing arguments or multiple commands, and even supports commands with regular expressions.

History

The program was originally written by Robert Coggeshall and Cliff Spencer "around 1980" at the Department of Computer Science at SUNY/Buffalo.[6] The current version is under active development, is maintained by OpenBSD developer Todd C. Miller, and is distributed under an ISC-style license.[6]

In November 2009 Thomas Claburn, in response to fears that Microsoft had patented the sudo command,[7] stated that such suspicions are overblown.[8] The claims were narrowly framed to a particular GUI, rather than to the sudo concept.[9]

Design

Unlike the su command, users typically supply their own password to sudo. After authentication, and if the configuration file permits the user access, the system invokes the requested command. By default the user's password can be retained through a grace period (15 minutes per pseudo terminal), allowing the user to execute several successive commands as the requested user without having to provide a password again.

sudo is able to log each command run. When a user who is not listed in the sudoers file attempts to invoke sudo, an error is presented to the user indicating that the attempt has been recorded in the system log.
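
The system-log records described above can be monitored directly. The following is an added example, not part of the original article or of sudo itself: it parses syslog lines in the format sudo writes and picks out the refused attempts. The log lines, host name and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the format sudo writes to the system log.
SAMPLE_LOG = """\
Mar 21 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 21 10:16:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 21 10:17:05 web01 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar 21 10:18:11 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
"""

# "<invoking user> : <fields>" after the "sudo:" (or "sudo[pid]:") syslog tag
LINE_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")

def parse_sudo_line(line):
    """Parse one syslog line; return a dict, or None if it is not a sudo record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND= comes last and may itself contain " ; ", so split it off first
    head, _, command = m.group("body").partition("COMMAND=")
    event = {"invoker": m.group("user"), "status": "allowed", "command": command}
    for field in filter(None, (f.strip() for f in head.split(" ; "))):
        key, sep, value = field.partition("=")
        if sep and key.isupper():
            # TTY and PWD keep their names; USER is the account being run as
            event["runas" if key == "USER" else key.lower()] = value
        else:
            event["status"] = field  # e.g. "user NOT in sudoers"
    return event

def denied_events(log_text):
    """Return the sudo records in log_text that were refused, in log order."""
    events = (parse_sudo_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["status"] != "allowed"]

if __name__ == "__main__":
    for e in denied_events(SAMPLE_LOG):
        print(f'{e["invoker"]} -> {e["runas"]}: {e["status"]} ({e["command"]})')
```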

Configuration

The /etc/sudoers file lets listed users execute a subset of commands with the privileges of the root user.

sudo may be configured to require the root password, or no password at all.[10]
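
To illustrate the settings described in this article (the root password, no password at all, and the grace period), here is an added example, not code from sudo or the original article, that reports sudoers entries which change how sudo authenticates. The sample file, function names and finding codes are assumptions made for the illustration; it reads only Defaults lines and NOPASSWD tags, not aliases or included files.

```python
import re

# Constructed sudoers content for illustration (not taken from a real host).
SAMPLE_SUDOERS = """\
Defaults    rootpw
Defaults    timestamp_timeout=-1
alice   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
%ops    ALL=(ALL) \\
        /usr/sbin/service
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and lines starting with #."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_sudoers(text):
    """Return (code, line) pairs for settings that change how sudo authenticates."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            # rootpw/targetpw/runaspw: prompt for another account's password
            if re.search(r"(?<![!\w])(rootpw|targetpw|runaspw)\b", line):
                findings.append(("other-account-password", line))
            # a negative timestamp_timeout means the grace period never ends
            m = re.search(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m and float(m.group(1)) < 0:
                findings.append(("grace-period-never-expires", line))
            # "!authenticate" switches password prompts off
            if re.search(r"!\s*authenticate\b", line):
                findings.append(("authentication-disabled", line))
            continue
        m = re.search(r"\bNOPASSWD\s*:\s*(.*)", line)
        if m:
            commands = [c.strip() for c in m.group(1).split(",")]
            code = "nopasswd-all" if "ALL" in commands else "nopasswd-command"
            findings.append((code, line))
    return findings

if __name__ == "__main__":
    for code, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{code:28} {line}")
```

The same function can be run against the text of a real sudoers file read with root privileges.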

Impact

In some cases sudo has completely supplanted the superuser login for administrative tasks, most notably in some Linux distributions as well as Apple's Mac OS X.[11][12]

RBAC

In association with SELinux, sudo can be used to transition between roles in role-based access control (RBAC).[13]

Tools and similar programs

visudo is a command-line utility that allows editing of the /etc/sudoers file in a safe fashion. It opens /etc/sudoers, using the vi editor's interface by default (although this can be changed by setting the shell's EDITOR environment variable to a different text editor), prevents multiple simultaneous edits with locks, performs sanity checks and checks for parse errors.[14]

The runas command provides similar functionality in Microsoft Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. A true su and sudo for Windows that can pass all of that state information and start the child either elevated or as another user (or both) is included with Hamilton C shell.

Several frontends to sudo exist for use in a GUI environment, notably kdesudo and gksudo. There are also user interfaces that are not built directly on sudo but provide similar temporary privilege elevation for administrative purposes, such as User Account Control in Microsoft Windows and Mac OS X Authorization Services.[15]

References

  1. Todd C. Miller (2011-06-17). "Sudo License". Sudo.ws. Retrieved 2011-11-17.
  2. Miller, Todd C. "Troubleshooting tips and FAQ for Sudo". Retrieved 2009-11-20.
  3. "How do YOU pronounce "sudo"?". Ars Technica.
  4. Cohen, Noam (May 26, 2008). "This Is Funny Only if You Know Unix". The New York Times. Retrieved April 9, 2012.
  5. White, Kevin M. (2009). Mac OS X Support Essentials V10.6. Peachpit Press.
  6. Miller, Todd C. "A Brief History of Sudo". Retrieved 2007-03-05.
  7. Lilly, Paul. "Microsoft has Patented "sudo." Yes, the Command". Retrieved 2009-11-13.
  8. Claburn, Thomas (2009-11-16). "Does New Microsoft Patent Infringe On Unix Program Sudo? Some in the open source community suspicious of Microsoft's intent". Dark Reading. Retrieved 2010-11-29. A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown.
  9. Eaton, Nick (November 12, 2009). "Did Microsoft just sneakily patent an open-source tool?". seattlepi.com. Retrieved April 24, 2011.
  10. "Manpage for sudo". Retrieved 2007-11-04.
  11. "RootSudo". Community Ubuntu Documentation. Help.ubuntu.com. 2011-11-08. Retrieved 2011-11-17.
  12. "Top Ten Mac OS X Tips for Unix Geeks". MacDevCenter.com. Retrieved 2011-11-17.
  13. "SELinux Lockdown Part Five: SELinux RBAC". Retrieved 2012-11-17.
  14. Todd C. Miller (2011-06-17). "Visudo Manual". Gratisoft.us. Retrieved 2011-11-17.
  15. "Introduction to Authorization Services Programming Guide". Developer.apple.com. Retrieved 2011-11-17.