Sudo: Difference between revisions

sudo
	sudo in a terminal
Developer(s)	Todd C. Miller
Stable release	1.7.2p5 / March 1, 2010
Repository	github.com/sudo-project/sudo ;
Operating system	Unix-like
Type	Privilege authorization
License	ISC-style
Website	www.sudo.ws

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 14:28, 13 April 2010

The sudo ("su do", Template:Pron-en^[2], though /ˈsuːdoʊ/ is also common, as is /ˌɛsˌjuːˈduː/) command is a program for some Unix and Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser, or root). It is an abbreviation for "substitute user do" (as in, do a command with another user's privileges). By default, sudo will prompt for a user password but it may be configured to require the root password, or require it only once per pseudo terminal, or no password at all.^[3] Sudo is able to log each command run and in some cases has completely supplanted the superuser login for administrative tasks, most notably in Ubuntu Linux and Apple's Mac OS X.^[4]^[5]

The program was originally written by Bob Coggeshall and Cliff Spencer "around 1980" at the Department of Computer Science at SUNY/Buffalo. The current version is under active development and is maintained by OpenBSD developer Todd C Miller and distributed under a BSD-style license.^[6]

Recent fears that Microsoft had patented the sudo command^[7] were found to be "overblown" with the claims being narrowly framed to a particular GUI rather than the sudo concept.^[8]

Design

Before running a command with sudo, users typically supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run. There exist several graphical frontends for use in a GUI environment, notably kdesu, kdesudo, gksu, and gksudo; Mac OS X also has Authorization Services.^[9] By default the user's password can be retained through a grace period, allowing the user to execute several successive commands as root without having to provide the password again.

The following is an example where the user is denied access:

snorri@rimu:~$ sudo emacs /etc/resolv.conf

 We assume you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:

 #1) Respect the privacy of others.
 #2) Think before you type.
 #3) With great power comes great responsibility.

 Password:
 snorri is not in the sudoers file. This incident will be reported.
 snorri@rimu:~$

Below is the log of this failed attempt, then a later successful one, after snorri has been added to /etc/sudoers:

snorri@rimu:~$ sudo tail /var/log/auth.log
 Aug 5 06:00:28 localhost sudo: snorri : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/snorri ; USER=root ; COMMAND=/usr/bin/emacs /etc/resolv.conf
 Aug 5 06:01:15 localhost su[15573]: (pam_unix) session opened for user root by snorri(uid=1000)
 Aug 5 06:02:09 localhost sudo: snorri : TTY=pts/1 ; PWD=/home/snorri ; USER=root ; COMMAND=/usr/bin/emacs /etc/resolv.conf
 Aug 5 06:02:49 localhost sudo: snorri : TTY=pts/1 ; PWD=/home/snorri ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

Runas, su and sudo

Windows has a command called runas. It has similar functionality, but neither runas nor UAC is sudo; rather, they impersonate another user rather than add privileges.

Runas and su:

do not allow authorized users to launch processes with elevated privileges using their own passphrase.
do not preserve the user's profile and ownership of created objects.

The runas command is (more or less) equivalent to Unix su, not sudo. The reason sudo is superior to su is that it allows privilege escalation based on the user’s own identity, and most importantly does not require use of a shared password. Using runas or su to access a privileged account requires distribution of a password to an admin-capable account, a security weakness that sudo does not have.

References

^ Sudo License
^ Miller, Todd C. "Troubleshooting tips and FAQ for Sudo". Retrieved 2009-11-20.
^ "Manpage for sudo". Retrieved 2007-11-04.
^ RootSudo - Community Ubuntu Documentation
^ MacDevCenter.com - Top Ten Mac OS X Tips for Unix Geeks
^ Miller, Todd C. "A Brief History of Sudo". Retrieved 2007-03-05.
^ Lilly, Paul. "Microsoft has Patented "sudo." Yes, the Command". Retrieved 2009-11-13.
^ http://darkreading.com/security/management/showArticle.jhtml
^ Introduction to Authorization Services Programming Guide

External links

Official website
rootsh and sudosh, sudo wrappers for logging
Sudo Fun, a brief guide to sudo on the Mac OS X

[1] Sudo License

[2] Miller, Todd C. "Troubleshooting tips and FAQ for Sudo". Retrieved 2009-11-20.

[3] "Manpage for sudo". Retrieved 2007-11-04.

[4] RootSudo - Community Ubuntu Documentation

[5] MacDevCenter.com - Top Ten Mac OS X Tips for Unix Geeks

[6] Miller, Todd C. "A Brief History of Sudo". Retrieved 2007-03-05.

[7] Lilly, Paul. "Microsoft has Patented "sudo." Yes, the Command". Retrieved 2009-11-13.

[8] ttp://darkreading.com/security/management/showArticle.jhtml

[9] Introduction to Authorization Services Programming Guide

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

@@ Line 20: / Line 20: @@
 The program was originally written by Bob Coggeshall and Cliff Spencer "around 1980" at the Department of [[Computer Science]] at [[University at Buffalo, The State University of New York|SUNY/Buffalo]]. The current version is under active development and is maintained by [[OpenBSD]] developer Todd C Miller and distributed under a [[BSD License|BSD-style]] license.<ref>{{cite web|url=http://www.gratisoft.us/sudo/history.html|title=A Brief History of Sudo|author=Miller, Todd C|accessdate=2007-03-05}}</ref>
-Recent fears that Microsoft had patented the sudo command<ref>{{cite web|url=http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command|title=Microsoft has Patented "sudo." Yes, the Command|author=Lilly, Paul|accessdate=2009-11-13}}</ref> were found to be "overblown" with the [[Claim (patent)|claims]] being narrowly framed to a particular [[GUI]] rather than the sudo concept.<ref>http://www.informationweek.com/news/windows/opensource/showArticle.jhtml?articleID=221700117</ref>
+Recent fears that Microsoft had patented the sudo command<ref>{{cite web|url=http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command|title=Microsoft has Patented "sudo." Yes, the Command|author=Lilly, Paul|accessdate=2009-11-13}}</ref> were found to be "overblown" with the [[Claim (patent)|claims]] being narrowly framed to a particular [[GUI]] rather than the sudo concept.<ref>http://darkreading.com/security/management/showArticle.jhtml</ref>
 ==Design==

v t e Unix command-line interface programs and shell builtins
File system	cat chattr chmod chown chgrp cksum cmp cp dd du df file fuser ln ls mkdir mv pax pwd rm rmdir split tee touch type umask
Processes	at bg crontab fg kill nice ps time
User environment	env exit logname mesg talk tput uname who write
Text processing	awk basename comm csplit cut diff dirname ed ex fold head iconv join m4 more nl paste patch printf read sed sort strings tail tr troff uniq vi wc xargs
Shell builtins	alias cd echo test unset wait
Searching	find grep
Documentation	man
Software development	ar ctags lex make nm strip yacc
Miscellaneous	bc cal expr lp od sleep true and false
Categories Standard Unix programs Unix SUS2008 utilities List

Revision as of 14:28, 13 April 2010

Design

Runas, su and sudo

See also

References

External links