LinuxCommandLibrary

dzdo

Execute commands as another Delinea-managed user

TLDR

Run a command with elevated privileges

$ dzdo [command]
copy

Run a command as another user
$ dzdo -u [user] [command]
copy

Edit a file with elevated privileges using the default editor
$ dzdo -e [path/to/file]
copy

Launch an interactive login shell with elevated privileges
$ dzdo -i
copy

Launch the default shell with elevated privileges
$ dzdo -s
copy

List allowed commands for the current user
$ dzdo -l
copy

Validate and update authentication timestamp
$ dzdo -v
copy

Display version
$ dzdo -V
copy

SYNOPSIS

dzdo [-bEHPSV] [-p prompt] [-u user] [-g group] [runas_spec] [command]

PARAMETERS

-b
    Run command in background

-E
    Preserve user ENVIRONMENT

-H
    Set HOME in subshell

-h
    Display help

-i
    Run login shell

-K
    Forget cached credentials

-k
    Invalidate timestamp

-l
    List allowed commands

-L
    List defaults for user

-n
    Non-interactive mode

-p prompt
    Custom password prompt

-r
    Role (SELinux)

-S
    Read password from stdin

-s
    Run specified shell

-u user
    Run as specified user

-v
    Verify credentials

-V
    Show version

DESCRIPTION

dzdo is a privilege escalation tool from the sudo package on Debian and Ubuntu systems. It allows authorized users to run commands as root or another user, mirroring sudo's functionality but reading policy from /etc/sudoers.dzdo instead of /etc/sudoers. This separation supports distinct configurations, ideal for LDAP environments, multi-admin setups, or avoiding conflicts with standard sudo policies.

Users authenticate via password (cached like sudo), and commands are logged. Permissions are granted via visudo-edited sudoers.dzdo files using host, user, group, and command specs. It handles runas targets, shell execution, file editing, and timeouts.

Primarily for sysadmins delegating tasks securely without full root shells. Install via sudo package; configure with visudo -f /etc/sudoers.dzdo. Supports all sudo options for compatibility.

CAVEATS

Requires configuration in /etc/sudoers.dzdo; users not listed get denied. Uses sudo's binary, so same security model. Not enabled by default on minimal installs.

CONFIGURATION

Use visudo -f /etc/sudoers.dzdo to safely edit. Example: %admin ALL=(ALL) ALL

EXAMPLES

dzdo apt update
dzdo -u mysql mysqldump db
dzdo -s /bin/bash

HISTORY

Introduced in Debian's sudo package (circa 1.6.x, early 2000s) for sudo-ldap integration, allowing separate policy via sudoers.dzdo. Evolved with sudo versions; now standard for policy isolation.

SEE ALSO

sudo(8), visudo(8), doas(1)

Copied to clipboard