sudo ( or ) is a

program Program, programme, programmer, or programming may refer to: Business and management * Program management, the process of managing several related projects * Time management * Program, a part of planning Arts and entertainment Audio * Progra ...

for

Unix-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...

computer

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...

s that enables users to run programs with the security privileges of another user, by default the

superuser In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of t ...

. It originally stood for "superuser do", as that was all it did, and it is its most common usage; however, the official Sudo project page lists it as "su 'do'". The current Linux manual pages for su define it as "substitute user", making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well. Unlike the similar command '' su'', users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file (typically /etc/sudoers) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.

History

Robert Coggeshall and Cliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science at SUNY/Buffalo. Robert Coggeshall brought sudo with him to the

University of Colorado Boulder The University of Colorado Boulder (CU Boulder, CU, or Colorado) is a public research university in Boulder, Colorado. Founded in 1876, five months before Colorado became a state, it is the flagship university of the University of Colorado syst ...

. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the

University of Colorado Boulder Computer Science Department The Computer Science Department at the University of Colorado Boulder is an academic department in the College of Engineering and Applied Science focusing on the teaching and research of Computer Science. The department was founded in 1970 and wa ...

and the College of Engineering and Applied Science, including Todd C. Miller. The current version has been publicly maintained by

OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...

developer Todd C. Miller since 1994, and has been distributed under an ISC-style license since 1999. In November 2009 Thomas Claburn, in response to concerns that

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

had patented sudo, characterized such suspicions as overblown. The

claims Claim may refer to: * Claim (legal) * Claim of Right Act 1689 * Claims-based identity * Claim (philosophy) * Land claim * A ''main contention'', see conclusion of law * Patent claim * The assertion of a proposition; see Douglas N. Walton * A righ ...

were narrowly framed to a particular

GUI The GUI ( "UI" by itself is still usually pronounced . or ), graphical user interface, is a form of user interface that allows users to interact with electronic devices through graphical icons and audio indicator such as primary notation, inste ...

, rather than to the sudo concept. The logo is a reference to an XKCD strip.

Design

Unlike the command ''su'', users supply their personal password to sudo (if necessary) rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password. After authentication, and if the configuration file permits the user access, the system invokes the requested command. ''sudo'' retains the user's invocation rights through a grace period (typically 5 minutes) per

pseudo terminal In some operating systems, including Unix and Linux, a pseudoterminal, pseudotty, or PTY is a pair of pseudo-device endpoints (files) which establish asynchronous, bidirectional communication ( IPC) channel (with two ports) between two or more pro ...

, allowing the user to execute several successive commands as the requested user without having to provide a password again. As a security and auditing feature, sudo may be configured to log each command run. When a user attempts to invoke sudo without being listed in the configuration file, an exception indication is presented to the user indicating that the attempt has been recorded. The root user will be alerted via mail and an entry is recorded in the system.

Configuration

The /etc/sudoers file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the

root user In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of th ...

or another specified user. The program may be configured to require a password.

Impact

In some system distributions, sudo has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some

Linux distribution A Linux distribution (often abbreviated as distro) is an operating system made from a software collection that includes the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one ...

s as well as Apple's

macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...

. This allows for more secure logging of admin commands and prevents some exploits.

RBAC

In association with

SELinux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space t ...

, sudo can be used to transition between roles in role-based access control (RBAC).

Tools and similar programs

''visudo'' is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with locks and performs sanity and syntax checks. Sudoedit is a program that symlinks to the sudo binary. When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to. The program

runas In computing, runas (a compound word, from “run as”) is a command in the Microsoft Windows line of operating systems that allows a user to run specific tools and programs under a different username to the one that was used to logon to a comp ...

provides similar functionality in

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...

, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. A true ''su'' and ''sudo'' for Windows that can pass all of that state information and start the child either elevated or as another user (or both) is included with

Hamilton C shell Hamilton C shell is a clone of the Unix C shell and utilities Early for Microsoft Windows created by Nicole Hamilton at Hamilton Laboratories as a completely original work, not based on any prior code. It was first released on OS/2 on Dece ...

Graphical user interface The GUI ( "UI" by itself is still usually pronounced . or ), graphical user interface, is a form of user interface that allows users to interact with electronic devices through graphical icons and audio indicator such as primary notation, inste ...

s exist for sudo – notably ''gksudo'' – but are deprecated in

Debian Debian (), also known as Debian GNU/Linux, is a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project, which was established by Ian Murdock on August 16, 1993. The first version of D ...

and no longer included in

Ubuntu Ubuntu ( ) is a Linux distribution based on Debian and composed mostly of free and open-source software. Ubuntu is officially released in three editions: ''Desktop'', ''Server'', and ''Core'' for Internet of things devices and robots. All the ...

. Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as pkexec in Unix-like operating systems,

User Account Control User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed

and

Mac OS X macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac (computer), Mac computers. Within the market of ...

Authorization Services.

doas doas (“dedicated openbsd application subexecutor”) is a program to execute commands as another user. The system administrator can configure it to give specified users privileges to execute specified commands. It is free and open-source under ...

, available since

5.8 (October 2015), has been written in order to replace ''sudo'' in the

base system, with the latter still being made available as a

port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as Ham ...

References

External links

* {{OpenBSD Computer security software System administration Unix user management and support-related utilities Software using the ISC license