Sudo
- The correct title of this article is sudo. The initial letter is capitalized due to technical restrictions.
sudo (superuser do) is a command line tool that allows users to run programs in the guise of another user (normally in the guise of the system's superuser). It is currently maintained by Todd C. Miller.
Usage
By default and as a security measure, users who invoke sudo must supply their own password before running the target program. sudo authenticates users against their own password rather than that of the target user in order to allow the delegation of specific commands to specific users on specific hosts without sharing passwords among them and while mitigating the risk of any unattended terminals. Once authentication has taken place, the system updates a timestamp and the user may then use sudo without a password for a short period of time (five minutes unless overridden in /etc/sudoers).
Configuration
Access to sudo is configured with the configuration file /etc/sudoers, which lists each user who can run sudo, along with the programs they can run. Configurable defaults and options for the program also appear in /etc/sudoers. Be aware that sudo is very picky about correct syntax in its configuration file and will refuse to work if you make the slightest mistake. (Considering that sudo can grant root privileges, this is not an entirely bad idea, as user-unfriendly as it seems.) Therefore, you should use the visudo tool to edit the file, rather than opening it directly. visudo will check your changes for correctness after saving them, and will inform you of any errors, in which case it will offer to reject the changes or re-edit the file.
Shell logging
sudo does not log commands executed within a shell. For example, if a user had permission to access a shell through sudo and executed sudo -s, none of the commands executed within that shell would be logged. In order to log commands within a shell, sudo needs to be used with another security tool, such as sudosh, which will offer the user a logged shell. sudosh can also be used as a login shell.
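As an added example (not part of the original article or of the sudo project), the following Python sketch scans sudoers-style rules for entries that can hand a user a shell, which is where the logging gap described above applies. The sample policy, the shell list and the function name are assumptions, and the parser handles only simple user specifications.

```python
import re

# Constructed sample policy for illustration; not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults timestamp_timeout=5
alice   ALL=(ALL) ALL
bob     web01=(root) /usr/sbin/service apache2 restart, \\
                     /usr/sbin/service apache2 reload
carol   ALL=(root) NOPASSWD: /bin/bash
%ops    db01=(root) /usr/sbin/service postgresql restart
"""

# Assumed list of shell binaries to look for; extend it for your systems.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias",
        "@include")
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")


def shell_granting_rules(text):
    """Return (user, host, command) for rules that can hand out a shell.

    Simplified on purpose: aliases are not expanded, only one host and one
    Runas list per rule are handled, and '#' always starts a comment.
    """
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)          # fold continuation lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, host, rest = m.groups()
        rest = re.sub(r"^\([^)]*\)\s*", "", rest)   # drop the Runas list
        for cmd in (c.strip() for c in rest.split(",")):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd)  # drop NOPASSWD: etc.
            if not cmd:
                continue
            binary = cmd.split()[0]
            # "ALL" permits any program, which includes every shell.
            if binary == "ALL" or binary.rsplit("/", 1)[-1] in SHELLS:
                findings.append((user, host, binary))
    return findings


if __name__ == "__main__":
    for user, host, cmd in shell_granting_rules(SAMPLE_SUDOERS):
        print(f"{user} on {host}: {cmd} can start a shell whose commands go unlogged")
```

Rules it reports are candidates for narrowing to specific commands or for pairing with a logged shell such as sudosh.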
External links
- sudo homepage
- How to audit and log user and root shells with sudo via sudosh
- sudo tools
- a logging root shell
- sudo(8) man page from OpenBSD
- sudo(8) man page from linuxmanpages.com
- Wikipedia article on sudo