LinuxCommandLibrary

sudo

Execute commands with elevated privileges

TLDR

Run a command as the superuser
$ sudo [less /var/log/syslog]

Edit a file as the superuser with your default editor
$ sudo [[-e|--edit]] [/etc/fstab]

Run a command as another user and/or group
$ sudo [[-u|--user]] [user] [[-g|--group]] [group] [id -a]

Repeat the last command prefixed with sudo (only in Bash, Zsh, etc.)
$ sudo !!

Launch the default shell with superuser privileges and run login-specific files (.profile, .bash_profile, etc.)
$ sudo [[-i|--login]]

Launch the default shell with superuser privileges without changing the environment
$ sudo [[-s|--shell]]

Launch the default shell as the specified user, loading the user's environment and reading login-specific files (.profile, .bash_profile, etc.)
$ sudo [[-i|--login]] [[-u|--user]] [user]

List the allowed (and forbidden) commands for the invoking user
$ sudo [[-ll|--list --list]]

SYNOPSIS

sudo [-bEHklPSsV] [-p prompt] [-u user] [command ...]
sudo [-i] [-u user] [command ...]
sudo [-Kk]

PARAMETERS

-u user
    Run the command as the specified user (default is root).

-i
    Run the shell specified by the target user's password database entry as a login shell, setting appropriate environment variables and sourcing login shell resource files.

-s
    Run the shell specified by the SHELL environment variable or the invoking user's password database entry. No environment variables are changed, and resource files are not sourced.

-l
    List the commands the user is allowed to run on the current host.

-v
    Display the version information or update the user's timestamp file, prolonging the effective password timeout.

-k
    Invalidate the user's cached password timestamp, forcing re-authentication the next time sudo is used.

-K
    Like -k, but also removes any cached credentials entirely.

-b
    Run the command in the background. Standard input, output, and error streams are redirected to /dev/null.

-E
    Preserve the user's environment variables when running the command. By default, sudo resets the environment to a safe minimal set.

-H
    Set the HOME environment variable to the home directory of the target user (root by default).

-p prompt
    Use a custom password prompt instead of the default.

-S
    Read the password from standard input instead of the terminal.

DESCRIPTION

The sudo (superuser do) command allows a permitted user to execute a command as another user, typically the superuser (root). It provides a secure way to grant specific users administrative privileges without sharing the root password. When a user invokes sudo, they are prompted for their own password, not the root password. This authentication, combined with the configuration in the /etc/sudoers file, determines if the user is authorized to run the specified command with elevated privileges. sudo logs all successful and failed attempts, enhancing system accountability. It is a cornerstone of Unix-like system security and administration, enabling fine-grained control over who can perform privileged operations and which operations they can perform.

The primary benefit of sudo over directly using the root account is the principle of least privilege: users only gain elevated privileges for the specific tasks they need to perform, reducing the attack surface. It also allows administrators to delegate specific tasks to non-root users, improving workflow and maintainability.

CAVEATS

  • Sudoers File Integrity: Any syntax errors in the /etc/sudoers file can prevent anyone from using sudo, effectively locking out administrative access. Always use visudo to edit this file, as it performs syntax checking.
  • Environment Variables: sudo, by default, cleans the environment to prevent malicious manipulation through environment variables (e.g., PATH, LD_PRELOAD). Using the -E option can reintroduce security risks if not carefully managed.
  • Password Caching: For convenience, sudo caches authentication for a period (typically 5 minutes), meaning subsequent sudo commands within that timeframe may not require a password. This can be a security concern if a user leaves their session unattended. Use sudo -k or sudo -K to invalidate the cache.
  • Wildcard Use: Overly broad rules in /etc/sudoers (e.g., allowing all commands or commands with wildcards) can inadvertently grant more privileges than intended.

THE SUDOERS FILE

The behavior of sudo is entirely controlled by the /etc/sudoers file. This file specifies which users or groups can execute which commands, on which hosts, and as which target users. It supports aliases for users, hosts, commands, and runas users, providing highly flexible and granular control. It is critical to edit this file using the visudo command, which locks the file, checks for syntax errors before saving, and prevents accidental misconfigurations that could compromise system access.
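As an added example (not part of this page or of the sudo project), the following Python script reads a sudoers fragment and flags the rule shapes the CAVEATS list and this section warn about: rules granting ALL commands, wildcards in command paths, and NOPASSWD tags. The fragment, the user names and the command aliases are constructed for illustration; only Cmnd_Alias entries are expanded.

```python
import re

# Constructed sudoers fragment (not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias      LOGS = /usr/bin/less /var/log/syslog, /usr/bin/tail -f /var/log/auth.log
Cmnd_Alias      PKG = /usr/bin/apt-get *
alice   ALL=(root) LOGS
bob     ALL=(ALL:ALL) ALL
%ops    ALL=(root) NOPASSWD: PKG
carol   ALL=(root) /usr/bin/systemctl restart *
"""

# user spec: who  host=(runas) [TAG:] cmd, cmd ...
USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z]+):\s*")

def parse_sudoers(text):
    """Return (cmnd_aliases, specs); each spec is (who, tags, commands)."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Only Cmnd_Alias is expanded here; other aliases and Defaults are skipped.
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG.match(rest)):   # strip leading tags such as NOPASSWD:
            tags.add(t.group(1))
            rest = rest[t.end():]
        specs.append((m.group("who"), tags, [c.strip() for c in rest.split(",")]))
    return aliases, specs

def audit_sudoers(text):
    """Flag the rule shapes the caveats warn about: ALL, wildcards, NOPASSWD."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for who, tags, cmds in specs:
        expanded = [e for c in cmds for e in aliases.get(c, [c])]
        if "ALL" in expanded:
            findings.append((who, "grants ALL commands"))
        findings += [(who, f"wildcard in {c}") for c in expanded if "*" in c]
        if "NOPASSWD" in tags:
            findings.append((who, "NOPASSWD: runs without authentication"))
    return findings
```

This is a breadth lint, not a syntax check; visudo -c remains the tool for validating that the file parses.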

AUTHENTICATION AND TIMESTAMPS

When a user runs sudo for the first time, they are prompted for their own password. Upon successful authentication, a timestamp file is created or updated for that user in /var/run/sudo (or similar location). For a configurable period (defaulting to 5 minutes), the user can execute subsequent sudo commands without re-entering their password. This timestamp can be manually invalidated with sudo -k or sudo -K.

LOGGING

sudo logs all successful and failed attempts to execute commands. These logs are typically sent to the system's logging daemon (e.g., syslog, rsyslog) and can be found in files like /var/log/auth.log or /var/log/secure, depending on the system configuration. This logging is crucial for auditing and security monitoring.
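As an added example (not code from this page or from sudo itself), the Python below parses syslog-style sudo entries of the kind found in /var/log/auth.log or /var/log/secure, separates accepted invocations from rejected ones, and counts rejections per user, which is the signal an auditor filters for. The log lines are constructed, modelled on sudo's default log format; the host name and user names are invented.

```python
import re
from collections import Counter

# Constructed entries modelled on sudo's default syslog format (not a real host's log).
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Jan 12 10:15:20 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Jan 12 10:16:42 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 12 10:17:05 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Jan 12 10:17:30 web1 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Jan 12 10:18:00 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

SUDO_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<rest>.+)$")

def parse_sudo_line(line):
    """Return a dict for one sudo command record, or None for PAM/session noise."""
    m = SUDO_LINE.match(line)
    if not m or " : " not in m.group("rest"):
        return None
    invoker, _, body = m.group("rest").partition(" : ")
    fields = [f.strip() for f in body.split(" ; ")]
    # An accepted invocation starts with TTY=; a rejected one starts with the reason.
    rec = {"ts": m.group("ts"), "host": m.group("host"), "invoker": invoker.strip(),
           "ok": fields[0].startswith("TTY="), "reason": None}
    if not rec["ok"]:
        rec["reason"] = fields.pop(0)
    for f in fields:            # TTY, PWD, USER (target user), COMMAND
        key, _, value = f.partition("=")
        rec[key] = value
    return rec

def failed_sudo_by_user(log_text):
    """Count rejected invocations per invoking user."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and not rec["ok"]:
            counts[rec["invoker"]] += 1
    return dict(counts)
```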

HISTORY

The sudo command originated in the 1980s at the State University of New York at Buffalo. Its initial versions were developed by Bob Coggeshall and Cliff Spencer. It was designed to address the need for a mechanism to allow specific users to execute commands as root without giving them the root password directly. The current widely used version of sudo is primarily maintained and developed by Todd C. Miller, who took over the project in the mid-1990s. Over the decades, sudo has evolved significantly, adding features like logging, flexible configuration via the sudoers file, and robust security practices. It has become a standard utility in virtually all Unix-like operating systems, from Linux distributions to macOS, due to its effectiveness in managing privileged access and enhancing system security and accountability.

SEE ALSO

su(1), visudo(8), sudoers(5), id(1), passwd(1)
