LinuxCommandLibrary

sudo_root

Temporarily gain root privileges

SYNOPSIS

sudo [options] command
sudo [options] -i
sudo [options] -s

PARAMETERS

-A
    Use an askpass helper for password prompting.

-b
    Run the command in the background.

-E
    Preserve the user's environment when running the command.

-H
    Set the HOME environment variable to the target user's home directory.

-i
    Run the shell specified by the target user's password file entry as a login shell. This implies -H, -P, -S and -u.

-k
    Invalidate the user's cached credentials. This forces a password prompt on the next sudo command.

-l
    List the commands the user is allowed to run on the current host.

-n
    Non-interactive mode; no password prompt will be given.

-s
    Run the shell specified by the SHELL environment variable if it is set or the shell specified by the target user's password file entry.

-u user
    Run the command as the specified user instead of the default (root).

-v
    Update the user's cached credentials, extending the grace period for another few minutes.

-V
    Display the sudo version and exit.

DESCRIPTION

sudo (superuser do) allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. It provides a secure and auditable way to delegate administrative privileges without sharing the root password. When invoked, sudo typically prompts for the user's own password, not the target user's, and caches these credentials for a short period to avoid repeated authentication. The behavior of sudo is controlled by the /etc/sudoers file, which defines who can run what commands, on which hosts, and as which users. It logs commands and arguments, which makes system activity easier to audit and improves accountability.

CAVEATS

Misconfiguration of the /etc/sudoers file can lead to serious security vulnerabilities, including granting unintended privileges or locking out administrative access. Always use visudo to edit the sudoers file to prevent syntax errors. Use options like -E, which preserves the environment, with caution: the command then runs as the target user with environment variables supplied by the invoking user, and those variables may be malicious.

THE SUDOERS FILE

The behavior and permissions of sudo are controlled by the /etc/sudoers file. This file specifies which users or groups can execute which commands, as which users, on which hosts, and whether a password is required. It is critically important to edit this file only with the visudo command, which performs syntax checking to prevent errors that could render sudo unusable.

PASSWORD AUTHENTICATION

Unlike su, which typically requires the target user's password (e.g., root's password), sudo by default prompts for the invoking user's own password. This enhances security as users do not need to know the root password. Once authenticated, sudo caches the credentials for a default period (usually 5 minutes), allowing subsequent sudo commands to be run without re-entering the password.
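
A lint for the misconfigurations that the CAVEATS, sudoers and password sections warn about, as an added example that is not part of the original page: it scans sudoers-format text for settings that drop the password prompt, keep the caller's environment, or stop cached credentials from expiring. The function names and the sample policy (its users and paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint sudoers-format text on stdin. Prints "line:finding".
audit_sudoers() {
    awk '
    function report(msg) { printf "%d:%s\n", start, msg }
    {
        if (buf == "") start = NR          # first physical line of this entry
        line = $0
        # A trailing backslash continues the entry on the next line.
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; next }
        entry = buf line; buf = ""
        sub(/^[ \t]+/, "", entry)
        if (entry == "" || entry ~ /^#/) next   # blank or comment; includes are not followed
        sub(/[ \t]+#.*$/, "", entry)       # drop a trailing comment
        if (entry ~ /^Defaults/) {
            if (entry ~ /!env_reset/)    report("env_reset disabled")
            if (entry ~ /!authenticate/) report("authentication disabled")
            if (entry ~ /[ \t,]setenv/)  report("setenv permits sudo -E")
            if (entry ~ /timestamp_timeout[ \t]*=[ \t]*-/) report("cached credentials never expire")
            next
        }
        if (entry ~ /NOPASSWD:[ \t]*ALL[ \t]*$/) report("NOPASSWD on ALL commands")
        if (entry ~ /SETENV:/) report("SETENV tag permits sudo -E for this rule")
    }'
}

# Constructed sample policy; users and paths are hypothetical.
sample_sudoers() {
    cat <<'EOF'
# constructed sample policy, not from a real host
Defaults env_reset
Defaults:deploy !env_reset, timestamp_timeout=-1
%wheel ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: \
    ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ci ALL=(root) SETENV: /usr/local/bin/build  # hypothetical path
EOF
}

sample_sudoers | audit_sudoers
```

To check a real policy, run `audit_sudoers < /etc/sudoers` as root. A hit marks an entry to review, and `visudo -c` remains the check for syntax.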

HISTORY

sudo was originally written by Robert Coggeshall and Cliff Spencer in 1980 at the State University of New York at Buffalo. It was designed to allow users to execute commands with root privileges without directly sharing the root password. Over the decades, it has undergone multiple rewrites and significant feature additions, evolving into a fundamental and widely adopted utility across Unix-like operating systems for secure privilege management.

SEE ALSO

su(1), visudo(8), pkexec(1), passwd(1), id(1)
