Sudo: Difference between revisions
Feedmecereal (talk | contribs) providing better citation link for the Microsoft patent |
→History: more description about the logo origin |
||
(579 intermediate revisions by more than 100 users not shown) | |||
Line 1: | Line 1: | ||
{{short description|Command on Unix systems to temporarily assume root privileges}} |
|||
{{Lowercase|title=sudo}} |
|||
{{ |
{{Redirect|SUDO|the non-profit organization|Sudan Social Development Organization|other uses|Sudo (disambiguation)}} |
||
{{lowercase title|title=sure}} |
|||
{{Infobox software |
{{Infobox software |
||
| name |
| name = |
||
| title = sudo |
|||
| developer = Todd C. Miller |
|||
| |
| logo = File:Sudo logo.png |
||
| caption |
| logo caption = |
||
| logo_size = 137px |
|||
| latest release version = 1.7.2p5 |
|||
| logo_alt = |
|||
| latest release date = {{release date|2010|03|01}} |
|||
| screenshot = File:Sudo on Linux (Fedora).png |
|||
| latest preview version = |
|||
| caption = The {{code|sudo}} command in a terminal |
|||
| latest preview date = |
|||
| screenshot_size = |
|||
| operating system = [[Unix-like]] |
|||
| screenshot_alt = |
|||
| genre = Privilege authorization |
|||
| collapsible = |
|||
| license = [[ISC license|ISC]]-style<ref>[http://www.sudo.ws/sudo/license.html Sudo License]</ref> |
|||
| author = Robert Coggeshall, Cliff Spencer |
|||
| website = [http://www.sudo.ws/ www.sudo.ws] |
|||
| developer = Todd C. Miller |
|||
| released = Around 1980<ref>{{cite web|url=https://www.sudo.ws/history.html|title=A Brief History of Sudo|access-date=15 November 2018|first=Todd C.|last=Miller|archive-date=16 November 2018|archive-url=https://web.archive.org/web/20181116043314/https://www.sudo.ws/history.html|url-status=live}}</ref> |
|||
| discontinued = |
|||
| latest release version = {{wikidata|property|preferred|edit|Q300883|P348|P548=Q2804309}}<ref name="sudo-version">{{cite web|url=https://www.sudo.ws/news.html|access-date=12 April 2023|title=Sudo News|archive-date=1 December 2021|archive-url=https://web.archive.org/web/20211201213835/https://www.sudo.ws/news.html|url-status=live}}</ref> |
|||
| latest release date = {{Start date and age|{{wikidata|qualifier|preferred|single|Q300883|P348|P548=Q2804309|P577}}}} |
|||
| repo = |
|||
| programming language = [[C (programming language)|C]] |
|||
| operating system = [[Unix-like]] |
|||
| platform = |
|||
| size = |
|||
| language = |
|||
| language count = <!-- DO NOT include this parameter unless you know what it does --> |
|||
| language footnote = |
|||
| genre = Privilege authorization |
|||
| license = [[ISC license|ISC]]-style<ref name="todmil7"/> |
|||
| alexa = |
|||
| website = {{official URL}} |
|||
| standard = |
|||
| AsOf = |
|||
}} |
}} |
||
'''sudo''' ({{IPAc-en|s|uː|d|uː}}<ref name="todmil8"/>) is a [[computer program|program]] for [[Unix-like]] computer [[operating system]]s that enables users to run programs with the security privileges of another user, by default the [[superuser]].<ref name="nyt080526"/> It originally stood for "superuser do",<ref>{{Cite web|last=By|date=2014-05-28|title=Interview: Inventing The Unix "sudo" Command|url=https://hackaday.com/2014/05/28/interview-inventing-the-unix-sudo-command/|access-date=2022-01-10|website=Hackaday|language=en-US|archive-date=2022-01-10|archive-url=https://web.archive.org/web/20220110231327/https://hackaday.com/2014/05/28/interview-inventing-the-unix-sudo-command/|url-status=live}}</ref> as that was all it did, and this remains its most common usage;<ref>{{Cite web|url=https://pthree.org/2009/12/31/the-meaning-of-su/|title=Aaron Toponce : The Meaning of 'su'|access-date=2015-08-18|archive-date=2023-02-24|archive-url=https://web.archive.org/web/20230224155431/https://pthree.org/2009/12/31/the-meaning-of-su/|url-status=dead}}</ref> however, the official Sudo project page lists it as "su 'do{{'"}}.<ref>{{Cite web|url=https://www.sudo.ws/|title=What is Sudo|access-date=2022-06-07|archive-date=2022-06-03|archive-url=https://web.archive.org/web/20220603193806/https://www.sudo.ws/|url-status=live}}</ref> The current Linux manual pages for su define it as "substitute user",<ref>{{Cite web|url=https://man7.org/linux/man-pages/man1/su.1.html|title=su(1) Linux manual page|access-date=2022-06-08|archive-date=2022-06-05|archive-url=https://web.archive.org/web/20220605211428/https://man7.org/linux/man-pages/man1/su.1.html|url-status=live}}</ref> making the correct meaning of sudo "substitute user, do", because sudo can run a [[Command (computing)|command]] as other users as well.<ref>{{cite web |url=https://wiki.archlinux.org/index.php/Sudo |website=wiki.archlinux.org |title=Sudo - ArchWiki |format=[[MediaWiki]] |access-date=2015-11-09 |archive-date=2021-04-25 
|archive-url=https://web.archive.org/web/20210425201708/https://wiki.archlinux.org/index.php/Sudo |url-status=live }}</ref><ref>Haeder, A.; Schneiter, S. A..; Pessanha, B. G.; Stanger, J. ''LPI Linux Certification in a Nutshell''. O'Reilly Media, 2010. p. 409. {{ISBN|978-0596804879}}.</ref> |
|||
The '''sudo''' ("[[Su (Unix)|su]] do"<!-- Do NOT bold the individual letters here; see the MoS on abbreviations -->, {{pron-en|ˈsuːduː}}<ref>{{cite web|url=http://sudo.ws/sudo/troubleshooting.html|title=Troubleshooting tips and FAQ for Sudo|author=Miller, Todd C|accessdate=2009-11-20}}</ref>, though {{IPA-en|ˈsuːdoʊ|}} is also common, as is {{IPA-en|ˌɛsˌjuːˈduː|}}) command is a [[computer program|program]] for some [[Unix]] and [[Unix-like]] computer [[operating system]]s that allows users to run programs with the security privileges of another user (normally the [[superuser]], or root). It is an abbreviation for "[[su (Unix)|'''s'''ubstitute '''u'''ser]] '''do'''" (as in, ''do'' a command with another user's privileges). By default, sudo will prompt for a user password but it may be configured to require the root password, or require it only once per [[pseudo terminal]], <!-- that, btw, makes it so insecure --> or no password at all.<ref>{{cite web |url=http://www.gratisoft.us/sudo/man/sudo.html |title=Manpage for sudo |accessdate=2007-11-04}}</ref> Sudo is able to log each command run and in some cases has completely supplanted the superuser login for administrative tasks, most notably in [[Ubuntu (operating system)|Ubuntu]] Linux and Apple's [[Mac OS X]].<ref>[https://help.ubuntu.com/community/RootSudo RootSudo - Community Ubuntu Documentation]</ref><ref>[http://www.macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html MacDevCenter.com - Top Ten Mac OS X Tips for Unix Geeks]</ref> |
|||
Unlike the similar command ''[[Su (Unix)|su]]'', users must, by default, supply their own [[password]] for authentication, rather than the password of the target user. After authentication, and if the [[configuration file]] (typically <code>[[#Configuration|/etc/sudoers]]</code>) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands. |
|||
The program was originally written by Bob Coggeshall and Cliff Spencer "around 1980" at the Department of [[Computer Science]] at [[University at Buffalo, The State University of New York|SUNY/Buffalo]]. The current version is under active development and is maintained by [[OpenBSD]] developer Todd C Miller and distributed under a [[BSD License|BSD-style]] license.<ref>{{cite web|url=http://www.gratisoft.us/sudo/history.html|title=A Brief History of Sudo|author=Miller, Todd C|accessdate=2007-03-05}}</ref> |
|||
==History== |
|||
Recent fears that Microsoft had patented the sudo command<ref>{{cite web|url=http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command|title=Microsoft has Patented "sudo." Yes, the Command|author=Lilly, Paul|accessdate=2009-11-13}}</ref> were found to be "overblown" with the [[Claim (patent)|claims]] being narrowly framed to a particular [[GUI]] rather than the sudo concept.<ref>http://darkreading.com/security/management/showArticle.jhtml</ref> |
|||
Robert Coggeshall and Cliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science at [[University at Buffalo, The State University of New York|SUNY/Buffalo]].<ref name="grati9"/> Robert Coggeshall brought sudo with him to the [[University of Colorado Boulder]]. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the [[University of Colorado Boulder Computer Science Department]] and the College of Engineering and Applied Science, including Todd C. Miller.<ref name="grati9" /> The current version has been publicly maintained by [[OpenBSD]] developer Todd C. Miller since 1994,<ref name="grati9"/> and has been distributed under an [[ISC license|ISC-style]] license since 1999.<ref name="grati9"/> |
|||
In November 2009 Thomas Claburn, in response to concerns that [[Microsoft]] had patented sudo,<ref name="maxi10"/> characterized such suspicions as overblown.<ref name="dark11"/> The [[claim (patent)|claims]] were narrowly framed to a particular [[GUI]], rather than to the sudo concept.<ref name="spi091112"/> |
|||
The logo is a reference to an [[xkcd]] strip, where an order for a sandwich is accepted when preceded with 'sudo'.<ref>{{cite web | url=https://xkcd.com/149/ | title=Sandwich | access-date=2022-04-11 | archive-date=2022-04-09 | archive-url=https://web.archive.org/web/20220409063050/https://xkcd.com/149/ | url-status=live }}</ref><ref>{{cite web | url=https://www.sudo.ws/about/logo/ | title=Sudo Logo | access-date=2022-04-11 | archive-date=2022-04-27 | archive-url=https://web.archive.org/web/20220427150715/https://www.sudo.ws/about/logo/ | url-status=live }}</ref> |
|||
==Design== |
==Design== |
||
Unlike the command ''[[Su (Unix)|su]]'', users supply their personal password to sudo (if necessary)<ref name="iu.edu">{{Cite web |date=June 18, 2019 |title=About Unix sudo and su commands |url=https://kb.iu.edu/d/amyi |access-date=September 10, 2022 |website=University Information Technology Services |archive-date=September 10, 2022 |archive-url=https://web.archive.org/web/20220910145149/https://kb.iu.edu/d/amyi |url-status=live }}</ref> rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password.<ref>{{Cite web |last=Wallen |first=Jack |date=2023-05-16 |title=Linux security: What is sudo and why is it so important? |url=https://www.zdnet.com/article/why-sudo-is-so-important-in-linux-and-how-to-use-it/ |access-date=2024-01-23 |website=ZDNET |language=en}}</ref> Users must be in a certain [[Group (computing)|group]] to use the sudo command, typically either the wheel group or the sudo group.<ref>{{Cite web |last=Aleksic |first=Marko |date=2020-08-18 |title=Linux Sudo Command, How to Use With Examples |url=https://phoenixnap.com/kb/linux-sudo-command |access-date=2024-01-23 |website=Knowledge Base by phoenixNAP |language=en-US}}</ref> After authentication, and if the configuration file permits the user access, the system invokes the requested command. ''sudo'' retains the user's invocation rights through a grace period (typically 5 minutes) per [[pseudo terminal]], allowing the user to execute several successive commands as the requested user without having to provide a password again.<ref>{{Cite web |last=Sheldon |first=Robert |date=February 2023 |title=What is the sudo (su 'do') command-line utility? – TechTarget Definition |url=https://www.techtarget.com/searchsecurity/definition/sudo-superuser-do |access-date=2024-01-23 |website=TechTarget Security |language=en}}</ref> |
|||
Before running a command with sudo, users typically supply their [[password]]. Once authenticated, and if the <code>/etc/sudoers</code> configuration file permits the user access, then the command is run. There exist several graphical frontends for use in a [[Graphical user interface|GUI]] environment, notably '''kdesu''', '''kdesudo''', '''gksu''', and '''gksudo'''; [[Mac OS X]] also has Authorization Services.<ref>[http://developer.apple.com/mac/library/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html Introduction to Authorization Services Programming Guide]</ref> By default the user's password can be retained through a grace period, allowing the user to execute several successive commands as root without having to provide the password again. |
|||
As a security and auditing feature, sudo may be configured to log each command run. When a user attempts to invoke sudo without being listed in the configuration file, an exception indication is presented to the user indicating that the attempt has been recorded. If configured, the root user will be alerted via [[Mail (Unix)|mail]]. By default, an entry is recorded in the system.<ref>[https://www.baeldung.com/linux/sudo-incident-logs Where are sudo Incidents Reported?] {{Webarchive|url=https://web.archive.org/web/20230409210655/https://www.baeldung.com/linux/sudo-incident-logs|date=2023-04-09}} Retrieved April 10, 2023</ref> |
|||
The following is an example where the user is denied access: |
|||
==Configuration== |
|||
<pre>snorri@rimu:~$ sudo emacs /etc/resolv.conf |
|||
The <code>/etc/sudoers</code> file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the [[root user]] or another specified user. The file is recommended{{by whom?|date=October 2024}} to be edited by using the command <code>sudo visudo</code>. Sudo contains several configuration options such as allowing commands to be run as sudo without a password, changing which users can use sudo, and changing the message displayed upon entering an incorrect password.<ref>{{Cite web |last=Wallen |first=Jack |date=2010-05-12 |title=Linux 101: Introduction to sudo |url=https://www.linux.com/training-tutorials/linux-101-introduction-sudo/ |access-date=2024-01-23 |website=Linux.com |language=en-US}}</ref> Sudo features an [[Easter egg (media)|easter egg]] that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.<ref>{{Cite web |last=Kili |first=Aaron |date=2017-01-12 |title=Let Sudo Insult You When You Enter Incorrect Password |url=https://www.tecmint.com/sudo-insult-when-enter-wrong-password/ |access-date=2024-01-23 |website=www.tecmint.com |language=en-US}}</ref> |
|||
==Impact== |
|||
We assume you have received the usual lecture from the local System |
|||
In some system distributions, sudo has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some [[Linux distribution]]s as well as Apple's [[macOS]].<ref name="ubunt5"/><ref name="macdv4"/> This allows for more secure logging of admin commands and prevents some exploits. |
|||
Administrator. It usually boils down to these three things: |
|||
==RBAC== |
|||
#1) Respect the privacy of others. |
|||
{{main|Role-based access control}} |
|||
#2) Think before you type. |
|||
#3) With great power comes great responsibility. |
|||
In association with [[SELinux]], sudo can be used to transition between roles in [[role-based access control]] (RBAC).<ref>{{cite web|title=SELinux Lockdown Part Five: SELinux RBAC|url=http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|access-date=2012-11-17|archive-date=2013-05-11|archive-url=https://web.archive.org/web/20130511065723/http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|url-status=live}}</ref> |
|||
Password: |
|||
snorri is not in the sudoers file. This incident will be reported. |
|||
snorri@rimu:~$</pre> |
|||
==Tools and similar programs== |
|||
Below is the log of this failed attempt, then a later successful one, after ''snorri'' has been added to /etc/sudoers: |
|||
''visudo'' is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with [[File locking|locks]] and performs [[sanity testing|sanity and syntax checks]]. |
|||
Sudoedit is a program that symlinks to the sudo binary.<ref>{{Cite web|first=Jonathan|last=Bennett|date=2021-01-29|title=This Week In Security: Sudo, Database Breaches, And Ransomware|url=https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|access-date=2021-05-24|website=Hackaday|language=en-US|archive-date=2021-06-21|archive-url=https://web.archive.org/web/20210621050109/https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|url-status=live}}</ref> When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to.<ref>{{Cite web|title=sudoedit(8) - Linux manual page|url=https://man7.org/linux/man-pages/man8/sudoedit.8.html|access-date=2021-05-24|website=man7.org|archive-date=2021-05-24|archive-url=https://web.archive.org/web/20210524193317/https://man7.org/linux/man-pages/man8/sudoedit.8.html|url-status=live}}</ref> |
|||
<pre> |
|||
snorri@rimu:~$ sudo tail /var/log/auth.log |
|||
Aug 5 06:00:28 localhost sudo: snorri : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/snorri ; USER=root ; COMMAND=/usr/bin/emacs /etc/resolv.conf |
|||
Aug 5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snorri(uid=1000) |
|||
Aug 5 06:02:09 localhost sudo: snorri : TTY=pts/1 ; PWD=/home/snorri ; USER=root ; COMMAND=/usr/bin/emacs /etc/resolv.conf |
|||
Aug 5 06:02:49 localhost sudo: snorri : TTY=pts/1 ; PWD=/home/snorri ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log |
|||
</pre> |
|||
Microsoft released its own version of ''sudo'' for [[Microsoft Windows|Windows]] in February 2024. It functions similar to its Unix counterpart by giving the ability to run elevated commands from an unelevated console session.<ref>{{Cite web |last=Adoumie |first=Jordi |date=2024-02-07 |title=Introducing Sudo for Windows! |url=https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/ |access-date=2024-02-08 |website=Windows Command Line |language=en-US}}</ref> The program [[runas]] provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. [[Hamilton C shell]] also includes true ''su'' and ''sudo'' for Windows that can pass all of that state information and start the child either elevated or as another user (or both).<ref>{{cite web |title=su |url=http://hamiltonlabs.com/UserGuide/Utilities/su.htm |url-status=live |archive-url=https://web.archive.org/web/20150717034225/http://hamiltonlabs.com/UserGuide/Utilities/su.htm |archive-date=July 17, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}</ref><ref>{{cite web |title=Predefined aliases: sudo |url=http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |url-status=live |archive-url=https://web.archive.org/web/20150826052938/http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |archive-date=August 26, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}</ref> |
|||
==Runas, su and sudo== |
|||
[[Microsoft Windows|Windows]] has a command called [[runas]]. It has similar functionality, <!-- On a Windows system, "Administrator" has superuser permissions. --> but neither runas nor [[User Account Control|UAC]] is sudo; rather, they impersonate another user rather than add privileges. |
|||
[[Graphical user interface]]s exist for sudo – notably ''gksudo'' – but are deprecated in [[Debian]] and no longer included in [[Ubuntu]].<ref>{{cite web |url=https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |title=Remove gksu from Ubuntu |last=Bicha |first=Jeremy |date=December 30, 2017 |publisher=[[Canonical (company)|Canonical]], which owns [[Launchpad (website)|Launchpad]] |access-date=January 10, 2020 |archive-date=May 5, 2020 |archive-url=https://web.archive.org/web/20200505225540/https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |url-status=live }}</ref><ref>{{cite web |url=https://packages.ubuntu.com/bionic/allpackages |title=Software Packages in "bionic" |author=<!--Not stated--> |date=<!--Not stated--> |publisher=[[Canonical (company)|Canonical]] |access-date=January 10, 2020 |archive-date=October 18, 2019 |archive-url=https://web.archive.org/web/20191018054647/https://packages.ubuntu.com/bionic/allpackages |url-status=live }}</ref> Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as [[Polkit|pkexec]] in Unix-like operating systems, [[User Account Control]] in [[Microsoft Windows]] and [[Mac OS X]] Authorization Services.<ref name="apple2"/> |
|||
Runas and su: |
|||
* do not allow authorized users to launch processes with elevated privileges using their own passphrase. |
|||
* do not preserve the user's profile and ownership of created objects. |
|||
[[doas]], available since [[OpenBSD]] 5.8 (October 2015), has been written in order to replace ''sudo'' in the [[OpenBSD]] base system, with the latter still being made available as a [[Ports collection#OpenBSD ports|port]].<ref>{{cite web |
|||
The runas command is (more or less) equivalent to Unix [[Su (Unix)|su]], not sudo. The reason sudo is superior to su is that it allows privilege escalation based on the user’s own identity, and most importantly does not require use of a shared password. Using runas or su to access a privileged account requires distribution of a password to an admin-capable account, a security weakness that sudo does not have. |
|||
| url = http://ports.su/security/sudo |
|||
| title = sudo-1.8.26 – execute a command as another user |
|||
| work = [[OpenBSD ports]] |
|||
| date = 2018-11-16 |
|||
| access-date = 2019-02-26 |
|||
| archive-date = 2019-02-27 |
|||
| archive-url = https://web.archive.org/web/20190227060200/http://ports.su/security/sudo |
|||
| url-status = live |
|||
}}</ref> |
|||
gosu is a tool similar to sudo that is popular in containers where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.<ref>{{cite web | url=https://github.com/tianon/gosu |title=gosu|website=[[GitHub]] }}</ref> |
|||
==See also== |
==See also== |
||
{{Portal|Free |
{{Portal|Free and open-source software}} |
||
* [[chroot]] |
|||
* [[doas]] |
|||
* [[runas]] |
|||
* [[Comparison of privilege authorization features]] |
* [[Comparison of privilege authorization features]] |
||
* [[visudo]], a [[vi]]-based program used to edit the <code>/etc/sudoers</code> file |
|||
==References== |
==References== |
||
{{reflist |
{{reflist|1=30em|refs= |
||
<ref name="nyt080526">{{cite news | first = Noam | last = Cohen | work = [[The New York Times]] | title = This Is Funny Only if You Know Unix | url = https://www.nytimes.com/2008/05/26/business/media/26link.html | date = May 26, 2008 | access-date = April 9, 2012 | archive-date = January 22, 2018 | archive-url = https://web.archive.org/web/20180122165833/http://www.nytimes.com/2008/05/26/business/media/26link.html | url-status = live}}</ref> |
|||
{{Refimprove|date=December 2009}} |
|||
<ref name="apple2">{{cite web | url = https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | title = Introduction to Authorization Services Programming Guide | publisher = developer.apple.com | access-date = 2022-05-27 | archive-date = 2022-05-28 | archive-url = https://web.archive.org/web/20220528003210/https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | url-status = live}}</ref> |
|||
<ref name="macdv4">{{cite web | url = http://www.macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-url= https://web.archive.org/web/20121015045622/http://macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-date = 2012-10-15 | url-status = dead | title = Top Ten Mac OS X Tips for Unix Geeks | publisher = MacDevCenter.com | access-date = 2022-05-27}}</ref> |
|||
<ref name="ubunt5">{{cite web |url = https://help.ubuntu.com/community/RootSudo |title = RootSudo |work = Community Ubuntu Documentation |publisher = help.ubuntu.com |date = 2011-11-08 |access-date = 2011-11-17 |archive-date = 2011-11-05 |archive-url = https://web.archive.org/web/20111105004600/https://help.ubuntu.com/community/RootSudo |url-status = live}}</ref> |
|||
<ref name="todmil7">{{cite web |author = Todd C. Miller |url = http://www.sudo.ws/sudo/license.html |title = Sudo License |publisher = sudo.ws |date = 2011-06-17 |access-date = 2011-11-17 |archive-date = 2015-07-31 |archive-url = https://web.archive.org/web/20150731135949/http://www.sudo.ws/sudo/license.html |url-status = live}}</ref> |
|||
<ref name="todmil8">{{cite web | url = http://sudo.ws/sudo/troubleshooting.html | title = Troubleshooting tips and FAQ for Sudo | author = Miller, Todd C | access-date = 2009-11-20 | archive-date = 2021-11-27 | archive-url = https://web.archive.org/web/20211127153002/https://www.sudo.ws/sudo/troubleshooting.html | url-status = live}}</ref> |
|||
<ref name="grati9">{{cite web | url = https://www.sudo.ws/history.html | title = A Brief History of Sudo | author = Miller, Todd C | access-date = 2021-02-08 | archive-date = 2021-01-27 | archive-url = https://web.archive.org/web/20210127114014/https://www.sudo.ws/history.html | url-status = live}}</ref> |
|||
<ref name="maxi10">{{cite web | url = http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-url= https://web.archive.org/web/20140701234003/http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-date = 2014-07-01 | url-status= dead | title = Microsoft has Patented "sudo." Yes, the Command | last = Lilly | first = Paul | access-date = 2009-11-13}}</ref> |
|||
<ref name="dark11">{{cite web |url = https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |title = Does New Microsoft Patent Infringe On Unix Program Sudo? Some in the open source community suspicious of Microsoft's intent |date = 2009-11-16 |work = Dark Reading |access-date = 2022-05-27 |quote = A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown. |archive-date = 2022-08-20 |archive-url = https://web.archive.org/web/20220820031048/https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |url-status = live}}</ref> |
|||
<ref name="spi091112">{{cite news | last = Eaton | first = Nick | url = http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-url= https://web.archive.org/web/20210620170544/http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-date = 2021-06-20 | url-status = dead | title = Did Microsoft just sneakily patent an open-source tool? | publisher = seattlepi.com | date = November 12, 2009 | access-date = April 24, 2011}}</ref> |
|||
}} |
|||
==External links== |
==External links== |
||
* {{Official website}} |
|||
* {{official|http://www.sudo.ws/}} |
|||
* [http://sourceforge.net/projects/rootsh rootsh] and [http://sourceforge.net/projects/sudosh/ sudosh], sudo wrappers for logging |
|||
* [http://rixstep.com/2/20070201,00.shtml ''Sudo Fun''], a brief guide to sudo on the Mac OS X |
|||
{{Unix commands}} |
{{Unix commands}} |
||
{{OpenBSD}} |
|||
[[Category:Computer security software]] |
|||
[[Category:System administration]] |
|||
[[Category:Unix user management and support-related utilities]] |
[[Category:Unix user management and support-related utilities]] |
||
[[Category: |
[[Category:Software using the ISC license]] |
||
[[ar:سودو]] |
|||
[[bar:Sudo]] |
|||
[[ca:Sudo]] |
|||
[[cs:Sudo]] |
|||
[[da:Sudo]] |
|||
[[de:Sudo]] |
|||
[[es:Sudo]] |
|||
[[fr:Sudo]] |
|||
[[id:Sudo]] |
|||
[[it:Sudo]] |
|||
[[ja:Sudo]] |
|||
[[pl:Sudo]] |
|||
[[pt:Sudo]] |
|||
[[ru:Sudo]] |
|||
[[sl:Sudo]] |
|||
[[sv:Sudo]] |
|||
[[uk:Sudo]] |
|||
[[zh:Sudo]] |
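Review bot: the Design section drops the worked denial example (the "sudo emacs /etc/resolv.conf" session ending in "snorri is not in the sudoers file. This incident will be reported." and the matching /var/log/auth.log excerpt) while keeping the claim that unauthorized attempts are recorded. The replacement sentence "By default, an entry is recorded in the system." does not say where the entry goes. Suggest naming the log destination there, and keeping a short form of the session and its "user NOT in sudoers" log line so readers can see what a recorded attempt looks like.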
Latest revision as of 12:50, 28 December 2024
Original author(s) | Robert Coggeshall, Cliff Spencer |
---|---|
Developer(s) | Todd C. Miller |
Initial release | Around 1980[1] |
Stable release | 1.9.16p2[2] / 25 November 2024 |
Repository | |
Written in | C |
Operating system | Unix-like |
Type | Privilege authorization |
License | ISC-style[3] |
Website | www |
sudo (/suːduː/[4]) is a program for Unix-like computer operating systems that enables users to run programs with the security privileges of another user, by default the superuser.[5] It originally stood for "superuser do",[6] as that was all it did, and this remains its most common usage;[7] however, the official Sudo project page lists it as "su 'do'".[8] The current Linux manual pages for su define it as "substitute user",[9] making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well.[10][11]
Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file (typically /etc/sudoers) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.
History
Robert Coggeshall and Cliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science at SUNY/Buffalo.[12] Robert Coggeshall brought sudo with him to the University of Colorado Boulder. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the University of Colorado Boulder Computer Science Department and the College of Engineering and Applied Science, including Todd C. Miller.[12] The current version has been publicly maintained by OpenBSD developer Todd C. Miller since 1994,[12] and has been distributed under an ISC-style license since 1999.[12]
In November 2009 Thomas Claburn, in response to concerns that Microsoft had patented sudo,[13] characterized such suspicions as overblown.[14] The claims were narrowly framed to a particular GUI, rather than to the sudo concept.[15]
The logo is a reference to an xkcd strip, where an order for a sandwich is accepted when preceded with 'sudo'.[16][17]
Design
Unlike the command su, users supply their personal password to sudo (if necessary)[18] rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password.[19] Users must be in a certain group to use the sudo command, typically either the wheel group or the sudo group.[20] After authentication, and if the configuration file permits the user access, the system invokes the requested command. sudo retains the user's invocation rights through a grace period (typically 5 minutes) per pseudo terminal, allowing the user to execute several successive commands as the requested user without having to provide a password again.[21]
As a security and auditing feature, sudo may be configured to log each command run. When a user who is not listed in the configuration file attempts to invoke sudo, sudo displays a message telling the user that the attempt has been recorded. If configured, the root user will be alerted via mail. By default, an entry is recorded in the system log.[22]
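The logging behaviour described above can be turned into a simple detection. The following is an added example, not code from sudo or from this article: it parses log lines in the form sudo typically writes through syslog and returns the denied attempts. The sample lines, host name and user names are constructed.

```python
import re

# Constructed sample lines in the form sudo typically writes via syslog.
SAMPLE_LOG = """\
Jan 23 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 23 10:16:12 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 23 10:17:40 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 23 10:18:05 web01 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 23 10:19:30 web01 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/srv ; USER=root ; COMMAND=/usr/sbin/visudo
"""

LINE_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
KEYS = ("TTY", "PWD", "USER", "COMMAND")


def parse_sudo_line(line):
    """Return a dict for a sudo event line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"user": m.group("user"), "reason": None}
    # COMMAND is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("body").partition("COMMAND=")
    if sep:
        event["COMMAND"] = command
    for field in head.split(" ; "):
        field = field.strip()
        if not field:
            continue
        key, eq, value = field.partition("=")
        if eq and key in KEYS:
            event[key] = value
        else:
            # A field that is not KEY=value is sudo's failure reason.
            event["reason"] = field
    return event


def denied_events(log_text):
    """Events where sudo recorded a failure reason instead of running the command."""
    events = (parse_sudo_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["reason"]]


if __name__ == "__main__":
    for e in denied_events(SAMPLE_LOG):
        print(f'{e["user"]}: {e["reason"]} -> {e.get("COMMAND")}')
```
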
Configuration
The /etc/sudoers file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the root user or another specified user. Editing the file with the command sudo visudo is recommended. Sudo contains several configuration options such as allowing commands to be run as sudo without a password, changing which users can use sudo, and changing the message displayed upon entering an incorrect password.[23] Sudo features an easter egg that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.[24]
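Because the configuration can waive the password entirely or change how long a successful authentication stays valid, a policy review usually starts by listing those entries. The following is an added example, not part of sudo or of this article: a small auditor for sudoers text that flags passwordless rules covering ALL commands or wildcard arguments, a negative timestamp_timeout (the ticket never expires) and a disabled authenticate default. The sample policy, user names and finding labels are constructed, and included files are not followed.

```python
import re

# Constructed sudoers text for illustration; users and paths are made up.
SAMPLE_SUDOERS = r"""
# local policy
Defaults    env_reset, timestamp_timeout=-1
Defaults    insults
%wheel      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup      ALL=(ALL) NOPASSWD: ALL
ops         ALL=(root) NOPASSWD: /usr/bin/journalctl, \
            /usr/bin/tail /var/log/*
"""


def logical_lines(text):
    """Join backslash continuations; drop blank lines and comment lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit_sudoers(text):
    """Return (finding, subject) pairs for settings that deserve review."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m and float(m.group(1)) < 0:
                findings.append(("timeout-never-expires", line))
            if re.search(r"!\s*authenticate\b", line):
                findings.append(("auth-disabled", line))
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        who, spec = parts
        m = re.search(r"NOPASSWD:\s*(.*)$", spec)
        if not m:
            continue
        cmds = [c.strip() for c in m.group(1).split(",")]
        if "ALL" in cmds:
            findings.append(("nopasswd-all", who))
        elif any("*" in c for c in cmds):
            findings.append(("nopasswd-wildcard", who))
    return findings


if __name__ == "__main__":
    for finding, subject in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding}: {subject}")
```
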
Impact
In some system distributions, sudo has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some Linux distributions as well as Apple's macOS.[25][26] This allows for more secure logging of admin commands and prevents some exploits.
RBAC
In association with SELinux, sudo can be used to transition between roles in role-based access control (RBAC).[27]
Tools and similar programs
visudo is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.
Sudoedit is a program that symlinks to the sudo binary.[28] When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to.[29]
Microsoft released its own version of sudo for Windows in February 2024. It functions similarly to its Unix counterpart by giving the ability to run elevated commands from an unelevated console session.[30] The program runas provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. Hamilton C shell also includes true su and sudo for Windows that can pass all of that state information and start the child either elevated or as another user (or both).[31][32]
Graphical user interfaces exist for sudo – notably gksudo – but are deprecated in Debian and no longer included in Ubuntu.[33][34] Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as pkexec in Unix-like operating systems, User Account Control in Microsoft Windows and Mac OS X Authorization Services.[35]
doas, available since OpenBSD 5.8 (October 2015), was written to replace sudo in the OpenBSD base system, with the latter still being made available as a port.[36]
gosu is a tool similar to sudo that is popular in containers where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.[37]
References
1. Miller, Todd C. "A Brief History of Sudo". Archived from the original on 16 November 2018. Retrieved 15 November 2018.
2. "Sudo News". Archived from the original on 1 December 2021. Retrieved 12 April 2023.
3. Todd C. Miller (2011-06-17). "Sudo License". sudo.ws. Archived from the original on 2015-07-31. Retrieved 2011-11-17.
4. Miller, Todd C. "Troubleshooting tips and FAQ for Sudo". Archived from the original on 2021-11-27. Retrieved 2009-11-20.
5. Cohen, Noam (May 26, 2008). "This Is Funny Only if You Know Unix". The New York Times. Archived from the original on January 22, 2018. Retrieved April 9, 2012.
6. By (2014-05-28). "Interview: Inventing The Unix "sudo" Command". Hackaday. Archived from the original on 2022-01-10. Retrieved 2022-01-10.
7. "Aaron Toponce : The Meaning of 'su'". Archived from the original on 2023-02-24. Retrieved 2015-08-18.
8. "What is Sudo". Archived from the original on 2022-06-03. Retrieved 2022-06-07.
9. "su(1) Linux manual page". Archived from the original on 2022-06-05. Retrieved 2022-06-08.
10. "Sudo - ArchWiki" (MediaWiki). wiki.archlinux.org. Archived from the original on 2021-04-25. Retrieved 2015-11-09.
11. Haeder, A.; Schneiter, S. A.; Pessanha, B. G.; Stanger, J. LPI Linux Certification in a Nutshell. O'Reilly Media, 2010. p. 409. ISBN 978-0596804879.
12. Miller, Todd C. "A Brief History of Sudo". Archived from the original on 2021-01-27. Retrieved 2021-02-08.
13. Lilly, Paul. "Microsoft has Patented "sudo." Yes, the Command". Archived from the original on 2014-07-01. Retrieved 2009-11-13.
14. "Does New Microsoft Patent Infringe On Unix Program Sudo? Some in the open source community suspicious of Microsoft's intent". Dark Reading. 2009-11-16. Archived from the original on 2022-08-20. Retrieved 2022-05-27.
    A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown.
15. Eaton, Nick (November 12, 2009). "Did Microsoft just sneakily patent an open-source tool?". seattlepi.com. Archived from the original on 2021-06-20. Retrieved April 24, 2011.
16. "Sandwich". Archived from the original on 2022-04-09. Retrieved 2022-04-11.
17. "Sudo Logo". Archived from the original on 2022-04-27. Retrieved 2022-04-11.
18. "About Unix sudo and su commands". University Information Technology Services. June 18, 2019. Archived from the original on September 10, 2022. Retrieved September 10, 2022.
19. Wallen, Jack (2023-05-16). "Linux security: What is sudo and why is it so important?". ZDNET. Retrieved 2024-01-23.
20. Aleksic, Marko (2020-08-18). "Linux Sudo Command, How to Use With Examples". Knowledge Base by phoenixNAP. Retrieved 2024-01-23.
21. Sheldon, Robert (February 2023). "What is the sudo (su 'do') command-line utility? – TechTarget Definition". TechTarget Security. Retrieved 2024-01-23.
22. "Where are sudo Incidents Reported?". Archived 2023-04-09 at the Wayback Machine. Retrieved April 10, 2023.
23. Wallen, Jack (2010-05-12). "Linux 101: Introduction to sudo". Linux.com. Retrieved 2024-01-23.
24. Kili, Aaron (2017-01-12). "Let Sudo Insult You When You Enter Incorrect Password". www.tecmint.com. Retrieved 2024-01-23.
25. "RootSudo". Community Ubuntu Documentation. help.ubuntu.com. 2011-11-08. Archived from the original on 2011-11-05. Retrieved 2011-11-17.
26. "Top Ten Mac OS X Tips for Unix Geeks". MacDevCenter.com. Archived from the original on 2012-10-15. Retrieved 2022-05-27.
27. "SELinux Lockdown Part Five: SELinux RBAC". Archived from the original on 2013-05-11. Retrieved 2012-11-17.
28. Bennett, Jonathan (2021-01-29). "This Week In Security: Sudo, Database Breaches, And Ransomware". Hackaday. Archived from the original on 2021-06-21. Retrieved 2021-05-24.
29. "sudoedit(8) - Linux manual page". man7.org. Archived from the original on 2021-05-24. Retrieved 2021-05-24.
30. Adoumie, Jordi (2024-02-07). "Introducing Sudo for Windows!". Windows Command Line. Retrieved 2024-02-08.
31. "su". Hamilton Laboratories. Archived from the original on July 17, 2015. Retrieved August 17, 2015.
32. "Predefined aliases: sudo". Hamilton Laboratories. Archived from the original on August 26, 2015. Retrieved August 17, 2015.
33. Bicha, Jeremy (December 30, 2017). "Remove gksu from Ubuntu". Canonical, which owns Launchpad. Archived from the original on May 5, 2020. Retrieved January 10, 2020.
34. "Software Packages in "bionic"". Canonical. Archived from the original on October 18, 2019. Retrieved January 10, 2020.
35. "Introduction to Authorization Services Programming Guide". developer.apple.com. Archived from the original on 2022-05-28. Retrieved 2022-05-27.
36. "sudo-1.8.26 – execute a command as another user". OpenBSD ports. 2018-11-16. Archived from the original on 2019-02-27. Retrieved 2019-02-26.
37. "gosu". GitHub.