Sudo

From Christoph's Personal Wiki
The correct title of this article is sudo. The initial letter is capitalized due to technical restrictions.

sudo (superuser do) is a command-line tool that allows users to run programs as another user (normally the system's superuser). It is currently maintained by Todd C. Miller.

Usage

By default and as a security measure, users who invoke sudo must supply their own password before running the target program. sudo authenticates users against their own password rather than that of the target user. This allows specific commands to be delegated to specific users on specific hosts without sharing passwords among them, and it mitigates the risk of unattended terminals. Once authentication has taken place, the system updates a timestamp and the user may then use sudo without a password for a short period of time (five minutes unless overridden in /etc/sudoers).

Configuration

Access to sudo is configured in the file /etc/sudoers (see: sudoers), which lists each user who can run sudo, along with the programs they can run. Configurable defaults and options for the program also appear in /etc/sudoers. Be aware that sudo is very picky about correct syntax in its configuration file and will refuse to work if you make the slightest mistake. (Considering that sudo can grant root privileges, this is not an entirely bad idea, as user-unfriendly as it seems.) Therefore, you should use the visudo tool to edit the file, rather than opening it directly. visudo checks your changes for correctness after you save them and informs you of any errors, in which case it offers to reject the changes or re-edit the file.

Shell logging

sudo does not log commands executed within a shell. For example, if a user had permission to access a shell through sudo and executed sudo -s, none of the commands executed within that shell would be logged. In order to log commands within a shell, sudo needs to be used with another security tool, sudosh, which offers the user a logged shell. sudosh can also be used as a login shell.
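
Because of this gap, it is worth knowing which sudoers rules hand out a shell in the first place. The script below is an added example (not part of the original wiki page or of sudo itself) that lists rules whose granted command is ALL, su, or a common shell. The sample policy, the user names and the function names sample_sudoers and audit_shell_grants are constructed for illustration, and Cmnd_Alias names are not expanded.

```sh
#!/bin/sh
# Constructed sample policy (not from the page); users and paths are hypothetical.
sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults timestamp_timeout=5
Cmnd_Alias BACKUP = /usr/bin/rsync
alice ALL=(root) /usr/bin/systemctl restart nginx
bob   ALL=(ALL) ALL
carol ALL=(root) NOPASSWD: /bin/bash
dave  ALL=(root) /usr/bin/rsync, \
                 /usr/bin/zsh
%ops  ALL=(root) BACKUP
EOF
}

# Reads sudoers text on stdin and prints "<line>: <who>: <command>" for each
# granted command that is ALL, su, or a path whose basename is a common shell.
# Limitation (assumption of this sketch): Cmnd_Alias names are not expanded.
audit_shell_grants() {
  awk '
    # Join backslash-continued lines; remember where the rule started.
    { if (buf == "") start = NR
      if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next }
      line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                        # comments, blanks
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # not user rules
    { eq = index(line, "="); if (!eq) next
      who = line; sub(/^[ \t]+/, "", who); sub(/[ \t].*/, "", who)
      spec = substr(line, eq + 1)
      sub(/^[ \t]*\([^)]*\)/, "", spec)                   # drop (runas) list
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/[A-Z]+:/, "", c)                            # drop tags: NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        split(c, w, /[ \t]+/); base = w[1]; sub(/.*\//, "", base)
        if (w[1] == "ALL" || base ~ /^(sh|bash|dash|zsh|ksh|csh|tcsh|fish|su)$/)
          printf "%d: %s: %s\n", start, who, c
      }
    }'
}

sample_sudoers | audit_shell_grants
```

To check a real policy, run audit_shell_grants < /etc/sudoers as a user allowed to read that file.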
