Sudo

sudo is a shell command on Unix-like operating systems that enables a user to run a program with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and this remains its most common usage; however, the official Sudo project page lists it as "su 'do'". The current Linux manual pages define su as "substitute user", making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well. Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file (typically /etc/sudoers) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including allowing commands only from an invoking terminal; requiring a password per user or group; and requiring re-entry of a password every time, or never requiring a password at all, for a particular command line. It can also be configured to permit passing arguments or multiple commands.


History

Robert Coggeshall and Cliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science at SUNY/Buffalo. Robert Coggeshall brought sudo with him to the University of Colorado Boulder. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the University of Colorado Boulder Computer Science Department and the College of Engineering and Applied Science, including Todd C. Miller. The current version has been publicly maintained by OpenBSD developer Todd C. Miller since 1994, and has been distributed under an ISC-style license since 1999. In November 2009 Thomas Claburn, in response to concerns that Microsoft had patented sudo, characterized such suspicions as overblown. The claims were narrowly framed to a particular GUI, rather than to the sudo concept. The logo is a reference to an xkcd strip, where an order for a sandwich is accepted when preceded with sudo.


Design

Unlike su, sudo asks users for their own password (if one is required) rather than that of the superuser or other target account. This allows authorized users to exercise elevated privileges without compromising the secrecy of the other account's password. On most distributions, access is granted by membership in a particular group, typically wheel or sudo, although the configuration file can also list individual users. After authentication, and if the configuration file permits the user access, the system invokes the requested command. sudo retains the user's authentication through a grace period (typically 5 minutes) per pseudo terminal, allowing the user to execute several successive commands as the requested user without having to provide a password again. As a security and auditing feature, sudo may be configured to log each command run. When a user attempts to invoke sudo without being listed in the configuration file, an error message is shown stating that the attempt has been reported. If configured, the root user will be alerted via mail. By default, an entry is recorded in the system log.
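Because every sudo invocation, successful or not, is written to the system log, the denied attempts described above are straightforward to pull out for review. The following shell functions are an added example (not part of the original article or the sudo project) that run over a handful of constructed log lines laid out in the default sudo syslog format; the host name, user names and commands are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of sudo's default syslog lines (not captured from a real system).
# Layout: "sudo: <user> : [<reason> ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
# A line without a reason field is a permitted, executed command.
SAMPLE_LOG='Mar  3 10:01:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:02:40 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:05 host sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Mar  3 10:04:17 host sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Mar  3 10:05:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd'

# Print only the sudo lines that record a denied or failed attempt:
# a user not listed in sudoers, a command the policy does not allow,
# or the user's own password being entered wrongly until sudo gave up.
# Reads the file names given as arguments, or stdin when none are given.
sudo_denials() {
    grep -E 'sudo: .* : (user NOT in sudoers|command not allowed|[0-9]+ incorrect password attempts)' "$@"
}

# Number of denied/failed attempts in the log text on stdin.
count_sudo_denials() {
    sudo_denials | wc -l | tr -d ' '
}

# Reduce each denial to "<user> <command>" so an analyst sees who tried what.
denied_user_commands() {
    sudo_denials | sed -E 's/.*sudo: +([^ ]+) : .*COMMAND=(.*)$/\1 \2/'
}

printf '%s\n' "$SAMPLE_LOG" | denied_user_commands
```

On a live host the input would be /var/log/auth.log or /var/log/secure (or journalctl -t sudo on systemd systems) rather than the embedded sample; a denied request for an interactive shell such as /bin/bash from a user who is not in sudoers is the pattern most worth alerting on.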


Configuration

The /etc/sudoers file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the root user or another specified user. The file should be edited with the visudo command, which locks the file and checks its syntax before installing it; a syntax error in a hand-edited sudoers file can lock every administrator out of sudo. sudo contains several configuration options such as allowing commands to be run as root without a password, changing which users can use sudo, and changing the message displayed upon entering an incorrect password. sudo features an easter egg that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.
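The following sudoers fragment is an added example, not text from the original article or a distribution default, showing the options just described side by side: a commented-out blanket NOPASSWD rule of the kind that is easy to grant and hard to audit, followed by a narrower policy. The user names deploy and carol, the group wheel, the nginx unit and the log file path are assumptions chosen for illustration.

```sudoers
# Weak: every member of group admin may run any command as any user with no
# password prompt. One compromised account in the group is a root compromise.
# %admin  ALL=(ALL:ALL) NOPASSWD: ALL

# Re-prompt after 5 minutes of inactivity per terminal, run commands in a
# pseudo-terminal, and record both the command line and its terminal I/O.
Defaults        timestamp_timeout=5, use_pty, log_input, log_output
# Keep a dedicated log in addition to syslog, and mail root on bad passwords.
Defaults        logfile="/var/log/sudo.log", mail_badpass, mailto="root"
# The easter egg mentioned above: insult the user after a wrong password.
Defaults        insults

# Name the exact commands (with arguments) instead of granting a shell or an
# editor, which would let the user escape to a root shell.
Cmnd_Alias      SERVICES = /bin/systemctl restart nginx, /bin/systemctl status nginx

# deploy may run only the SERVICES commands as root, and only those without a
# password; anything else is refused and logged as "command not allowed".
deploy          ALL=(root) NOPASSWD: SERVICES

# Operators may run anything, but must enter their own password and may only
# invoke sudo from a real terminal (requiretty), not from scripts or cron jobs.
%wheel          ALL=(ALL:ALL) ALL
Defaults:%wheel requiretty

# sudoedit: carol edits one privileged file with her own editor, which never
# runs as root; sudo copies the result back after the editor exits.
carol           ALL=(root) sudoedit /etc/nginx/nginx.conf
```

Run visudo -c after installing a fragment to confirm it parses, and sudo -l -U deploy to see exactly what the resulting policy grants a user; the second check is the one that catches an alias that accidentally includes a shell, an editor, or a pager, since any of those lets the user spawn a root shell despite the apparent restriction.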


Impact

In some system distributions, sudo has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some Linux distributions as well as Apple's macOS. This allows administrative commands to be logged per command under the invoking user's identity and removes the need to share a root password, which can then be left locked entirely.


RBAC

In association with SELinux, sudo can be used to transition between roles in role-based access control (RBAC).


Tools and similar programs

''visudo'' is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with locks and performs sanity and syntax checks. sudoedit is a symbolic link to the sudo binary; when sudo is run via this name, it behaves as if the -e flag had been passed and allows users to edit files that require additional privileges to write to, by copying the file to a temporary location, running the user's editor unprivileged, and copying the result back. Microsoft released its own tool, also called sudo, for Windows in February 2024. Its interface is similar to its Unix counterpart in giving the ability to run elevated commands from an unelevated console session, although its implementation is entirely different. The program runas provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. Hamilton C shell also includes true su and sudo for Windows that can pass all of that state information and start the child either elevated or as another user (or both).

Graphical user interfaces exist for sudo, notably ''gksudo'', but they are deprecated in Debian and no longer included in Ubuntu. Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as pkexec in Unix-like operating systems, User Account Control in Microsoft Windows and Mac OS X Authorization Services. doas, available since OpenBSD 5.8 (October 2015), was written to replace sudo in the OpenBSD base system, with the latter still being made available as a port. gosu is a tool similar to sudo that is popular in containers, where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.


See also

* chroot
* doas
* runas
* Comparison of privilege authorization features

