Sudo

From DssWiki




On Unix-like operating systems, the sudo command is used to run commands with the root user's privileges. This is done by prefixing each command line with sudo. Alternatively, one may become root (the system administrator) by logging in as "root" or by using the su command. Becoming root requires root's password. In contrast, the sudo command asks for the user's own password and does not depend on the root user account.

sudo in a terminal window on Ubuntu

sudo (super user do),<ref>Template:Cite web</ref> generally pronounced Template:IPA2, is a program for Unix-like operating systems such as BSD, Mac OS X, and Linux that allows users to run programs with the security privileges of another user (normally the system's superuser) in a secure manner. By default it is installed in /usr/bin. sudo was originally written by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. The current version is maintained by OpenBSD developer Todd C Miller and distributed under a BSD-style license.<ref>Template:Cite web</ref>


Usage

gksudo on Ubuntu
The "Authenticate" dialog in Mac OS X

A user must confirm his identity to sudo by supplying his password before running the target program. Once authentication has taken place, and if the /etc/sudoers configuration file gives the user access to the requested command, the system runs the command and logs it. In a GUI environment, graphical frontends such as kdesu and gksudo are used to launch administrator-only applications like the Synaptic Package Manager. Mac OS X also has the "authorization services", a GUI equivalent to sudo.

The configuration file /etc/sudoers specifies which users can run which commands, and on which machines. As sudo is very particular about the format of this configuration file, and errors could cause serious problems, the visudo tool is provided. This allows the file to be edited and then checks for correctness before saving.

The following is an example of a terminal session where the user is denied access:

snori@rimu:~$ sudo vi /etc/resolv.conf

 We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

 Password:
 snori is not in the sudoers file.  This incident will be reported.

Below is the log of this failed attempt, then a later successful one, after snori has been added to /etc/sudoers:

snori@rimu:~$ sudo tail /var/log/auth.log
 Aug  5 06:00:28 localhost sudo:    snori : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/snori ; USER=root ;  COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snori(uid=1000)
 Aug  5 06:02:09 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
 Aug  5 06:02:49 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

Ubuntu and Mac OS X encourage administrative access to be done via sudo, since the root account is disabled by default.<ref>https://help.ubuntu.com/community/RootSudo</ref><ref>http://www.macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html</ref>

Shell logging

sudo does not log commands executed within a shell. For example, if a user had permission to access a shell through sudo and executed sudo -s, none of the commands executed within that shell would be logged. In order to log commands within a shell sudo needs to be used with another security tool, such as sudosh, which will offer the user a logged shell, and can itself also be used as a login shell.
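The auth.log excerpt above and the shell-logging gap just described make a natural detection exercise. The following Python script is an added example, not part of the original article: it parses sudo lines in the format shown above, separates denied attempts from granted ones, and flags granted invocations that spawn a shell, the case in which sudo's own log goes blind. The user dave, the "incorrect password" and "/bin/bash" lines, and the SHELL_SPAWNERS set are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/auth.log excerpt above; the
# 'dave', "incorrect password" and "/bin/bash" lines are added for illustration.
SAMPLE_LOG = """\
Aug  5 06:00:28 localhost sudo:    snori : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/snori ; USER=root ;  COMMAND=/usr/bin/vi /etc/resolv.conf
Aug  5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snori(uid=1000)
Aug  5 06:02:09 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/vi /etc/resolv.conf
Aug  5 06:02:49 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Aug  5 06:05:02 localhost sudo:     dave : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug  5 06:07:41 localhost sudo:    snori : TTY=pts/1 ; PWD=/home/snori ; USER=root ; COMMAND=/bin/bash
"""

# Syslog prefix, the invoking user, then " ; "-separated fields.
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
                     r"(?P<user>\S+) : (?P<rest>.*)$")

# Commands that hand the user an interactive shell: whatever is typed inside
# them never reaches sudo's log, so these invocations deserve separate review.
SHELL_SPAWNERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/bin/su", "/usr/bin/su"}


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for su/PAM/other lines."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "denied": None}
    for seg in m["rest"].split(" ; "):
        key, eq, val = seg.partition("=")
        if eq:
            rec[key.strip()] = val.strip()
        else:
            rec["denied"] = seg.strip()  # free text such as 'user NOT in sudoers'
    return rec


def triage(log_text):
    """Split sudo events into denials, shell spawns and per-user command counts."""
    denied, shells, counts = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if rec["denied"]:
            denied.append(rec)
            continue
        binary = rec.get("COMMAND", "").split(" ", 1)[0]
        counts[(rec["user"], binary)] += 1
        if binary in SHELL_SPAWNERS:
            shells.append(rec)
    return denied, shells, counts
```

Feeding the real file (sudo tail /var/log/auth.log, as in the session above) into triage() lists every refusal with its reason and every shell hand-off, which is exactly the set of events a tool such as sudosh would be needed to make visible.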

Microsoft

Microsoft Corporation has filed for a patent concerning sudo.<ref>http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6775781.PN.&OS=PN/6775781&RS=PN/6775781</ref>

References

<references />
