sudo

Run a command as the superuser

$ sudo [less /var/log/syslog]

$ sudo [[-e|--edit]] [/etc/fstab]

$ sudo [[-u|--user]] [user] [[-g|--group]] [group] [id -a]

$ sudo !!

$ sudo [[-i|--login]]

$ sudo [[-s|--shell]]

$ sudo [[-i|--login]] [[-u|--user]] [user]

$ sudo [[-ll|--list --list]]

sudo [options] command

-u user
    Run the command as specified user. If omitted the command will be executed as root.

-g group
    Run the command as specified group. Must be used with the -u flag.

-l, --list
    List allowed and forbidden commands for the invoking user on the current host. If a user is specified after the -u option, list the privileges for that user rather than the invoking user.

-v, --validate
    Update the user's timestamp file, authenticating the user's password if necessary. This extends the sudo timeout.

-k, --kill-timestamp
    Invalidate the user's timestamp file. This forces the user to re-authenticate on the next sudo invocation.

-K, --remove-timestamp
    Completely remove the user's timestamp file. Similar to -k, but more aggressive.

-b, --background
    Run the given command in the background.

-H, --set-home
    Set the HOME environment variable to match the target user's.

-i, --login
    Simulate initial login, executing the shell specified in the passwd file for the target user.

-s, --shell
    Execute the shell specified by the SHELL environment variable if it is set or the shell specified in /etc/passwd. A command may also be specified.

The sudo command allows permitted users to execute a command as the superuser (root) or another user, as specified in the /etc/sudoers file. It provides a secure way to grant administrative privileges to specific users without sharing the root password.

When a user invokes sudo, the system verifies if the user is authorized to run the specified command based on the rules defined in the sudoers file. If authorized, the command is executed with the privileges of the target user (usually root). Sudo logs all commands executed via it, providing an audit trail for security purposes. It aims to minimize the risk of accidental misuse of root privileges while empowering users to perform necessary administrative tasks. Proper configuration of the sudoers file is critical to ensure system security.

Improper configuration of the /etc/sudoers file can lead to severe security vulnerabilities. Always carefully review and test any changes made to the sudoers file using the visudo command which performs syntax checking.

Sudo uses timestamp files to track when a user last authenticated. After successful authentication, the user doesn't need to enter their password again for a certain period (typically 5 minutes) for subsequent sudo commands. The timeout is configurable. You can force re-authentication using the -k or -K option.

The /etc/sudoers file is the central configuration file for sudo. It defines which users or groups can execute which commands as which users. The visudo command *must* be used to edit this file to ensure syntax validation and prevent corruption.

The sudo command was originally developed by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science, SUNY/Buffalo. It was designed to allow users to run commands as root without logging in as root directly, thus improving system security and accountability. The command has been continuously refined and improved over the years, becoming a standard part of nearly all Unix-like operating systems. Sudo's development focused on providing a secure and auditable mechanism for privilege escalation, balancing security with usability for system administrators.

visudo(8), su(1)