Sudo

From Wikipedia, the free encyclopedia

The correct title of this article is sudo. The initial letter is shown capitalized due to technical restrictions.

This article is about the Unix command line program. For the non-profit organisation known by this acronym, see Sudan Social Development Organization.

sudo in a terminal window on Ubuntu

sudo (super user do),^[1] generally pronounced IPA: [sudʊ], is a program for Unix-like operating systems such as BSD, Mac OS X, and Linux that allows users to run programs with the security privileges of another user (normally the system's superuser) in a secure manner. By default it is installed in /usr/bin.

sudo was originally written by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. The current version is maintained by OpenBSD developer Todd C Miller and distributed under a BSD-style license.^[2]

1 Usage
2 Shell logging
3 See also
4 External links
5 References

[edit] Usage

gksudo on Ubuntu

The "Authenticate" dialog in Mac OS X

Users must confirm their identity to sudo by supplying their password before running the target program. Once authentication has taken place, and if the /etc/sudoers configuration file is configured to give the user access to the command requested, then the system allows the command, but logs it. In a GUI environment, graphical frontends such as kdesu and gksudo are used to launch administrator-only applications like the Synaptic Package Manager. Mac OS X also has the "authorization services", a GUI equivalent to sudo.

The configuration file /etc/sudoers specifies which users can run which commands, and on which machines. As sudo is very particular about the format of this configuration file, and errors could cause serious problems, the visudo tool is provided. This allows the file to be edited and then checks for correctness before saving.

The following is an example of a terminal session where the user is denied access:

snori@rimu:~$ sudo vi /etc/resolv.conf

 We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

 Password:
 snori is not in the sudoers file.  This incident will be reported.

Below is the log of this failed attempt, then a later successful one, after snori has been added to /etc/sudoers:

snori@rimu:~$ sudo tail /var/log/auth.log
 Aug  5 06:00:28 localhost sudo:    snori : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/snori ; USER=root ;  COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snori(uid=1000)
 Aug  5 06:02:09 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:02:49 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

Ubuntu and Mac OS X encourage administrative access to be done via sudo, since the root account is disabled by default.^{[citation needed]}

[edit] Shell logging

sudo does not log commands executed within a shell. For example, if a user had permission to access a shell through sudo and executed sudo -s, none of the commands executed within that shell would be logged. In order to log commands within a shell sudo needs to be used with another security tool, such as sudosh, which will offer the user a logged shell, and can itself also be used as a login shell.

[edit] See also

su
sudosh
setuid
AIX's sysctl command has sudo-like properties.
List of Unix programs
Comparison of privilege authorization features

[edit] External links

sudo homepage
rootsh and sudosh, sudo wrappers for logging
sudo man page
Sudo Fun a brief sudo guide

[edit] References

^ Miller, Todd C. Sudo Main Page. Retrieved on 2007-03-05.
^ Miller, Todd C. A Brief History of Sudo. Retrieved on 2007-03-05.

view • talk • edit Unix command line programs and builtins (more)
File and file system management:	cat \| cd \| chmod \| chown \| chgrp \| cp \| du \| df \| file \| fsck \| ln \| ls \| lsof \| mkdir \| mount \| mv \| pwd \| rm \| rmdir \| split \| touch
Process management:	at \| chroot \| crontab \| exit \| kill \| killall \| nice \| pgrep \| pidof \| pkill \| ps \| sleep \| time \| top \| wait \| watch
User Management/Environment:	env \| finger \| id \| mesg \| passwd \| su \| sudo \| uname \| uptime \| w \| wall \| who \| whoami \| write
Text processing:	awk \| comm \| cut \| ex \| head \| iconv \| join \| less \| more \| paste \| sed \| sort \| tail \| tr \| uniq \| wc \| xargs
Shell programming:	echo \| expr \| printf \| unset	Printing:	lp
Communications: inetd \| netstat \| ping \| rlogin \| traceroute	Searching: find \| grep \| strings	Miscellaneous: banner \| bc \| cal \| man \| size \| yes