Sudo

From LQWiki

sudo is a Linux command which provides functionality similar to su, but with the following key differences:

  • sudo provides finer grained control over what operations a user may perform as the substituted user.
  • sudo in its default configuration allows a user to authenticate himself by entering his own password, rather than the password of the substituted user. The consequence of this is that an ordinary user can be given the power to execute a certain command with root privileges without being given the root password for the entire system.
  • sudo allows control over what parameters may be passed to a command to be executed as another user.

Using sudo

If sudo is configured on a system, executing sudo -l will prompt the user to authenticate by entering his or her password, and produce a listing of the commands the user may execute as well as how and as whom they may be executed.

To invoke a command through sudo, execute sudo [command]. By default, sudo will attempt to execute the command as the root user. To invoke a command through sudo as another user, execute:

$ sudo [-u username] command

Once the user has entered a password, the user is said to be authenticated. Unlike the su command, which prompts for a password at each invocation, sudo lets an authenticated user continue executing commands that he or she has already been authenticated for, until the authentication timeout expires and the user must authenticate again. The default authentication timeout is usually 15 minutes.

A user may refresh the authentication timeout by executing sudo -v, and likewise expire the authentication timeout by executing sudo -k.

Configuring sudo

Sudo uses the configuration file /etc/sudoers. Its syntax is

 <who is allowed> <on what host>=<to execute which command>

For example the following line:

%training ALL=/usr/sbin/hwinfo

means that every member of your group training is allowed to execute /usr/sbin/hwinfo with any parameters.

%wheel        ALL=(ALL)       NOPASSWD: ALL

will let anyone in the group 'wheel' execute any command with root privileges without being asked for a password.

Warnings

  • Putting mount and umount in the sudoers file could cause security issues since a user could mount filesystems that contain programs with the setuid bit.
  • sudo su - allows the sudoer to become root
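
The following check is an added example, not part of the original page: it scans sudoers-style rules for the two warnings above and for the NOPASSWD: ALL rule shown under "Configuring sudo". The function names audit_sudoers and sample_sudoers and the sample rules for alice and bob are constructed for illustration, and the parser assumes one rule per line.

```shell
#!/bin/sh
# Added example (not from the original page): flag sudoers rules that match
# the risks named under "Warnings" plus the NOPASSWD: ALL rule shown earlier.
# Assumption: one rule per line (no backslash continuations, no #include).

# Constructed sample input; the %training and %wheel rules are the ones on this page.
sample_sudoers() {
cat <<'EOF'
# constructed sample sudoers
Defaults env_reset
%training ALL=/usr/sbin/hwinfo
%wheel        ALL=(ALL)       NOPASSWD: ALL
alice ALL=(root) /bin/mount, /bin/umount
bob   ALL=/bin/su -
EOF
}

# audit_sudoers [FILE...]: reads FILE or stdin, prints "line N: reason: rule".
audit_sudoers() {
    awk '
    function report(why) { printf "line %d: %s: %s\n", NR, why, rule }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }  # comments, blanks, options
    {
        rule = $0
        eq = index(rule, "=")
        if (eq == 0) next
        cmds = substr(rule, eq + 1)          # run-as spec, tags, command list
        gsub(/\([^)]*\)/, "", cmds)          # drop run-as specs such as (ALL)
        nopasswd = (cmds ~ /NOPASSWD:/)      # over-approximates: ignores a later PASSWD:
        gsub(/[A-Z_]+:/, "", cmds)           # drop tags such as NOPASSWD:
        n = split(cmds, item, ",")
        for (i = 1; i <= n; i++) {
            c = item[i]
            sub(/^[ \t]+/, "", c)
            split(c, w, /[ \t]+/)            # w[1] is the command path
            base = w[1]
            sub(/.*\//, "", base)
            if (w[1] == "ALL" && nopasswd) report("every command without a password")
            if (base == "mount" || base == "umount") report("can mount a filesystem holding setuid programs")
            if (base == "su") report("su gives a root shell")
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```

To check a real configuration, pass the file as an argument (reading /etc/sudoers normally requires root).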
