
Sudo



The correct title of this article is sudo. The initial letter is capitalized due to technical restrictions.
sudo (superuser do) is a program in Unix, Linux, and similar operating systems such as Mac OS X that allows users to run programs in the guise of another user (normally in the guise of the system's superuser). It is currently maintained by Todd C. Miller, an OpenBSD developer.

Usage

By default, and as a security measure, users who invoke sudo must supply their own password before running the target program. sudo authenticates users against their own password rather than that of the target user in order to allow the delegation of specific commands to specific users on specific hosts without sharing passwords among them, while mitigating the risk posed by unattended terminals. Once authentication has taken place, the system updates a timestamp and the user may then use sudo without a password for a short period of time (five minutes unless overridden in /etc/sudoers).

Configuration

Access to sudo is configured with the configuration file /etc/sudoers, which lists each user who can run sudo along with the programs they can run. Configurable defaults and options for the program also appear in /etc/sudoers. Be aware that sudo is very picky about correct syntax in its configuration file and will refuse to work if you make the slightest mistake. (Considering that sudo can grant root privileges, this is not an entirely bad idea, as user-unfriendly as it seems.) Therefore, you should use the visudo tool to edit the file rather than opening it directly. visudo checks your changes for correctness after saving them and informs you of any errors, in which case it offers to reject the changes or re-edit the file.

Syntax of the /etc/sudoers file

The /etc/sudoers file contains a list of rules. The syntax of each rule is:

username/group  servername = (run_as) the_command

username     -  The user to whom this rule applies
group        -  The group to which this rule applies
run_as       -  The user the command will be run as
the_command  -  The command to be executed
sudo assumes that the sudoers file will be used network wide, and therefore offers the option to specify the names of servers which will be using it. In most cases, the file is used by only one server and the keyword ALL suffices for the server name.

By default the file contains only one active rule, stating that

root ALL = (ALL) ALL
General syntax of the /etc/sudoers file

s1.  A comma can be used as a separator.
s2.  A username is specified as such, but a group name must be prefixed with a "%".
     [ i.e. the user group group1 is written as %group1, because a username and a group name can have the same value ]
s3.  The keyword ALL means all users, all groups or all commands, depending on which part of the rule it is used in.
Note: whenever sudo asks for a password, enter your own password.

Examples

Let us consider two non-root users, "bala" and "ravi".

1. Grant full access to all commands to the users bala and ravi. [ Not recommended ]

bala,ravi ALL=(ALL)ALL
Here observe that a comma is used to separate the users bala and ravi (s1).

2. Grant full access to all commands only to a particular group say "group1"

%group1    ALL=(ALL)ALL
Here observe that % is used when specifying the group name (s2) and that ALL is used (s3).

3. Grant access to the commands mount, umount and shutdown to the user bala

bala    ALL=/bin/mount,/bin/umount,/sbin/shutdown
4. Now consider that "ravi" has created a program /home/ravi/hi to which only he has access. If bala needs to run the program, it can be done as follows.

bala    ALL=(ravi) /home/ravi/hi
Run the command as:
[bala@host.com]$ sudo -u ravi /home/ravi/hi
5. Consider that bala wants to run mount and umount without supplying a password.

bala    ALL= NOPASSWD: /bin/mount,/bin/umount
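The rule shape and conventions s1 to s3 above can be exercised with a small evaluator. This is an added example, not code from sudo or the original article: it parses only the subset of sudoers syntax shown on this page, assumes the host name host.com from example 4 and sudo's default of running as root when no (run_as) part is given, and applies sudo's last-match-wins rule.

```python
"""Toy evaluator for the sudoers rule shape described above.  Added example,
not code from sudo or the original article; it handles only the subset shown
here (user or %group lists, host, optional (runas), NOPASSWD:, commands, ALL)."""
import re

# Constructed sample file mirroring the default rule and examples 2 to 5.
SUDOERS = """
root ALL = (ALL) ALL
%group1    ALL=(ALL)ALL
bala    ALL=/bin/mount,/bin/umount,/sbin/shutdown
bala    ALL=(ravi) /home/ravi/hi
bala    ALL= NOPASSWD: /bin/mount,/bin/umount
"""

RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(\s*(\S+?)\s*\))?\s*(NOPASSWD:)?\s*(.+)$")

def parse_sudoers(text):
    """Return (users, host, runas, nopasswd, commands) per rule; reject bad syntax."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if m is None:                             # visudo would refuse this too
            raise ValueError("syntax error in rule: %r" % line)
        who, host, runas, nopw, cmds = m.groups()
        users = [u.strip() for u in who.split(",")]    # s1: comma-separated list
        cmds = [c.strip() for c in cmds.split(",")]
        # Without a (runas) part sudo runs the command as root (runas_default).
        rules.append((users, host, runas or "root", bool(nopw), cmds))
    return rules

def _who_matches(spec, user, groups):
    if spec == "ALL":                             # s3: ALL matches every user
        return True
    if spec.startswith("%"):                      # s2: %name names a group
        return spec[1:] in groups
    return spec == user

def check(rules, user, groups, command, runas="root", host="host.com"):
    """Return (allowed, password_required); as in sudo, the last matching rule wins."""
    result = (False, True)
    for users, rhost, rrunas, nopw, cmds in rules:
        if (any(_who_matches(u, user, groups) for u in users)
                and rhost in ("ALL", host) and rrunas in ("ALL", runas)
                and ("ALL" in cmds or command in cmds)):
            result = (True, not nopw)
    return result
```

Because the later NOPASSWD rule for bala matches last, `check(rules, "bala", [], "/bin/mount")` yields allowed without a password, while /sbin/shutdown still requires one.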

History

Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo, on a VAX-11/750 running 4.1BSD. In 1991 it was released under the GNU public license. Since version 1.6 (1996), Sudo no longer contains any of the original "Root Group" code and is available under a BSD-style license.

Shell logging

sudo does not log commands executed within a shell. For example, if a user had permission to access a shell through sudo and executed sudo -s, none of the commands executed within that shell would be logged. In order to log commands within a shell, sudo needs to be used with another security tool such as sudosh, which offers the user a logged shell. sudosh can also be used as a login shell.

From Wikipedia, the Free Encyclopedia.
All text is available under the terms of the GNU Free Documentation License. See Wikipedia Copyrights for details.