sudo
Execute commands with elevated privileges
TLDR
Run a command as the superuser
Edit a file as the superuser with your default editor
Run a command as another user and/or group
Repeat the last command prefixed with sudo (only in Bash, Zsh, etc.)
Launch the default shell with superuser privileges and run login-specific files (.profile, .bash_profile, etc.)
Launch the default shell with superuser privileges without changing the environment
Launch the default shell as the specified user, loading the user's environment and reading login-specific files (.profile, .bash_profile, etc.)
List the allowed (and forbidden) commands for the invoking user
SYNOPSIS
sudo [options] command
PARAMETERS
-u user
Run the command as the specified user. If omitted, the command is executed as root.
-g group
Run the command as the specified group. Must be used with the -u flag.
-l, --list
List allowed and forbidden commands for the invoking user on the current host. If a user is specified after the -u option, list the privileges for that user rather than the invoking user.
-v, --validate
Update the user's timestamp file, authenticating the user's password if necessary. This extends the sudo timeout.
-k, --kill-timestamp
Invalidate the user's timestamp file. This forces the user to re-authenticate on the next sudo invocation.
-K, --remove-timestamp
Completely remove the user's timestamp file. Similar to -k, but more aggressive.
-b, --background
Run the given command in the background.
-H, --set-home
Set the HOME environment variable to match the target user's.
-i, --login
Simulate initial login, executing the shell specified in the passwd file for the target user.
-s, --shell
Execute the shell specified by the SHELL environment variable if it is set or the shell specified in /etc/passwd. A command may also be specified.
DESCRIPTION
The sudo command allows permitted users to execute a command as the superuser (root) or another user, as specified in the /etc/sudoers file. It provides a secure way to grant administrative privileges to specific users without sharing the root password.
When a user invokes sudo, the system checks whether the user is authorized to run the specified command based on the rules defined in the sudoers file. If authorized, the command is executed with the privileges of the target user (usually root). Sudo logs all commands executed through it, providing an audit trail for security purposes. It aims to minimize the risk of accidental misuse of root privileges while still letting users perform necessary administrative tasks. Proper configuration of the sudoers file is critical to system security.
CAVEATS
Improper configuration of the /etc/sudoers file can lead to severe security vulnerabilities. Always carefully review and test any changes to the sudoers file, and make them with the visudo command, which performs syntax checking.
TIMESTAMP FILES
Sudo uses timestamp files to track when a user last authenticated. After successful authentication, the user doesn't need to enter their password again for a certain period (typically 5 minutes) for subsequent sudo commands. The timeout is configurable. You can force re-authentication using the -k or -K option.
THE SUDOERS FILE
The /etc/sudoers file is the central configuration file for sudo. It defines which users or groups can execute which commands as which users. The visudo command must be used to edit this file to ensure syntax validation and prevent corruption.
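visudo checks syntax only, so a rule can parse cleanly and still weaken authentication. The script below is an added example, not part of the original page or of sudo itself: it reads sudoers-format text and lists rules that skip the password prompt or keep the timestamp from expiring. The function names audit_sudoers and sample_sudoers are hypothetical, the sample rules are constructed, and NOPASSWD, !authenticate and timestamp_timeout are sudoers settings the page does not name.

```sh
#!/bin/sh
# Added example: flag sudoers rules that weaken authentication.
# Reads sudoers text on stdin, prints LINE<TAB>REASON<TAB>RULE per finding.
audit_sudoers() {    # hypothetical helper name
    awk '
    function report(n, why, rule) { printf "%d\t%s\t%s\n", n, why, rule }
    function check(rule, n) {
        if (rule ~ /^[ \t]*(#|$)/) return              # comment or blank line
        if (rule ~ /^[ \t]*Defaults/) {
            # !authenticate switches the password prompt off
            if (rule ~ /!authenticate/) report(n, "auth-disabled", rule)
            # a negative timeout means the timestamp never expires
            if (rule ~ /timestamp_timeout[ \t]*=[ \t]*-/) {
                report(n, "timestamp-never-expires", rule)
            }
            return
        }
        # passwordless access to every command is the widest grant
        if (rule ~ /NOPASSWD:[ \t]*ALL[ \t]*$/) report(n, "nopasswd-all", rule)
        else if (rule ~ /NOPASSWD:/) report(n, "nopasswd", rule)
    }
    {
        if (!cont) { start = NR; buf = "" }
        line = $0
        # a trailing backslash continues the rule on the next line
        if (sub(/\\$/, "", line)) { buf = buf line; cont = 1; next }
        cont = 0
        check(buf line, start)
    }'
}

# Constructed sample, not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults timestamp_timeout=-1
Defaults:backup !authenticate
alice ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
ops ALL=(ALL) \
    NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

The function always exits 0; a review step can treat any non-empty output as a finding list. It complements the syntax check done by visudo and does not replace it.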
HISTORY
The sudo command was originally developed by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science, SUNY/Buffalo. It was designed to allow users to run commands as root without logging in as root directly, thus improving system security and accountability. The command has been continuously refined and improved over the years, becoming a standard part of nearly all Unix-like operating systems. Sudo's development focused on providing a secure and auditable mechanism for privilege escalation, balancing security with usability for system administrators.