This subchapter looks at sudo, a UNIX (and Linux) command.
WARNING: Never trust any Terminal/Shell commands you find on the internet. Only run shell commands you understand. In particular, never run anything that includes sudo anywhere in the command line unless you are absolutely certain what the command does. When you run a command line with sudo you are giving permission to have complete (possibly destructive) control of your computer at the root level. And, yes, this advice applies even to this website. Don't run any commands with sudo unless you know for sure what you are doing.
Teach Yourself UNIX/Linux System Administration and Shell Programming
The sudo command allows you to run a single command as another user, including at superuser or root level from a normal account. You will be asked for the password before the command will actually run.
This keeps you firmly in a normal account (with less danger of catastrophic failures), while still giving easy access to root or superuser power when really needed.
The sudo program was originally written by Bob Coggeshall and Cliff Spencer in 1980 at the Department of Computer Science at SUNY/Buffalo.
sudo is a concatenation of su (substitute user) and do (perform an action).
To run a single command as superuser or root, type sudo followed by a command.
$ sudo command
You will normally be asked for your password (exceptions listed below).
sudo can be configured to not require a password (a very bad idea on anything other than single-user personal systems). sudo can also be configured to require the root password (rather than the current user's password).
On Mac OS X the sudo command will fail if your account has no password.
On Mac OS X the sudo command's password prompt will not display anything (not even bullets or asterisks) while you type your password.
You will not be asked for a password if you use sudo from the root or superuser account. You will not be asked for a password if you use sudo and the target user is the same as the invoking user.
Some systems have a timer set (usually five minutes). You can run additional sudo commands without a password during the time period.
To change to a root shell, type sudo followed by the option -s. The following warning is from Mac OS X (entered a root shell and then immediately returned to the normal shell). Note the change to the pound sign ( # ) prompt.
$ sudo -s
WARNING: Improper use of the sudo command could lead to data loss
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
bash-3.2# exit
$
To run a command as another user, type sudo followed by the option -u followed by the user account name followed by a command.
$ sudo -u username command
To view the home directory of a particular user:
$ sudo -u username ls ~username
To edit a file (this example is for index.html) as user www:
$ sudo -u www vim ~www/htdocs/index.html
On most systems, you will authenticate with your own password rather than with the root or superuser password. The list of users authorized to run sudo is in the file /usr/local/etc/sudoers or /etc/sudoers (on Mac OS X, /private/etc/sudoers). These authorized users are identified in the sudoers file as admin.
The sudoers configuration file offers a wide variety of configuration options, including enabling root commands only from the invoking terminal; not requiring a password for certain commands; requiring a password per user or per group; requiring re-entry of a password every time for particular command lines; never requiring re-entry of a password for a particular command line. The sudoers configuration file can also be set to support the passing of arguments or multiple commands and also supports commands with regular expressions.
sudo can set timeout limits. This is done with the timeout option. This can be configured globally, per user, or per application. The timeout can be retained only per tty or globally per user. The user or application only has root authentication until the timeout occurs.
Sometimes you type a command and forget that you needed to use sudo until you see the error message. You can type sudo !! to run the previous command with root privileges.
$ head /etc/passwd
head: /etc/passwd: Permission denied
$ sudo !!
To view unreadable directories:
$ sudo ls /usr/local/protected
To shut down a server:
$ sudo shutdown -r +15 "quick reboot"
The ideal method for editing and saving a system file that can only be saved by the root user is to prepend the vim command with sudo. Then the vim command :w will work because the vim program was launched with root privileges.
$ sudo vim /etc/passwd
(some editing commands)
:w
So, what do you do if you start editing the file and then remember that you need root permission to save it? Add !sudo tee % to the vim save command.
$ vim /etc/passwd
(some editing commands)
:w !sudo tee %
To make a usage listing of the directories in the /home partition (note that this runs the commands in a sub-shell to make the cd and file redirection work):
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
To view the current sudoers configuration settings, type:
$ sudo -ll
Run the visudo command line tool to safely edit the sudoers configuration file. You will be presented with the vi editing interface (this can be changed by setting the shell EDITOR environment variable to a different text editor, such as emacs).
Any syntax error in the sudoers configuration file will make sudo stop working globally. Therefore, always use visudo to edit the sudoers file. visudo also provides security locks to prevent multiple simultaneous edits and other possible security problems.
The utilities kdesudo (KDE) and gksudo (Gnome) provide a graphic user interface version of sudo (both are based on sudo). Mac OS X Authorization Services provides a graphic user interface with administrative privileges (but is not based on the UNIX sudo).
If you need to do extended work as root, you can start up a root shell from your user account:
$ sudo bash
sudo only works for programs, not for any built-in commands. If you attempt it, you will get an error message stating command not found. The solution is to start a root shell:
$ sudo bash
The system can be set up to send mail to root reporting unauthorized attempts to use sudo.
The system can be set up to log both successful and unsuccessful attempts to sudo.
Some programs (such as editors) allow a user to run commands via shell escapes, avoiding sudo checks. You can use sudo's noexec functionality to prevent shell escapes.
sudo never does any validation of the ARGUMENTS passed to a program.
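An added example, not part of the original book: a shell function that scans sudoers text for the settings this subchapter warns about (rules that skip the password, credential timeouts, and editors allowed without NOEXEC). The function names, the 15-minute threshold, and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): flag sudoers settings the text warns about.
# audit_sudoers [MAX_MINUTES]: sudoers text on stdin, prints "LINE: finding".
audit_sudoers() {
    awk -v max="${1:-15}" '
    { start = NR                                   # join backslash-continued lines
      while (sub(/\\$/, "") && (getline nxt) > 0) $0 = $0 nxt }
    /^[ \t]*$/ { next }
    /^[ \t]*#/ && !/^[ \t]*#include/ { next }      # comment; #include is a directive
    /^[ \t]*Defaults/ {
        if ($0 ~ /!authenticate/) print start ": authentication disabled: " $0
        if ($0 ~ /^[ \t]*Defaults[ \t]/ && $0 ~ /[ \t,]noexec/) global_noexec = 1
        if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
            v = substr($0, RSTART, RLENGTH); sub(/.*=[ \t]*/, "", v)
            if (v + 0 < 0) print start ": cached credentials never expire: " $0
            else if (v + 0 > max + 0) print start ": timeout above " max " min: " $0
        }
        next
    }
    /NOPASSWD:/ { print start ": runs without a password: " $0 }
    /\/(vi|vim|emacs|less|more)([ \t,]|$)/ && !/NOEXEC:/ { esc[start] = $0 }
    END { if (global_noexec) exit                  # a global noexec covers every entry
          for (n in esc) print n ": shell escape possible, no NOEXEC: " esc[n] }
    '
}

# Constructed sample input; user names and paths are made up.
sample_sudoers() {
    cat <<'EOF'
Defaults timestamp_timeout=-1
Defaults:backup !authenticate
%admin ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \
    /usr/bin/vim /etc/app.conf
webedit ALL=(www) NOEXEC: /usr/bin/vim /home/www/htdocs/index.html
# alice ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

This complements the syntax check visudo performs; it does not replace it.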
sudo defaults to extensive logging, using the syslogd system log daemon to log all commands issued with sudo into a central host and local host file. This allows a complete audit trail of system access.
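An added example, not part of the original book: a shell function that reads sudo's syslog entries and reports refused attempts and interactive root shells (commands typed inside such a shell do not appear as separate sudo log entries). The function names and the log lines are constructed for illustration; the line layout assumed is sudo's usual "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." syslog format.

```shell
#!/bin/sh
# Added example (not from the book): summarize sudo syslog entries.
# sudo_events: syslog text on stdin; prints tab-separated records:
#   DENIED <user> <reason> <command>     refused attempts
#   ROOTSHELL <user> <command>           interactive root shells
sudo_events() {
    awk '
    / sudo(\[[0-9]+\])?: .*COMMAND=/ {              # skips PAM and other sudo lines
        sub(/^.* sudo(\[[0-9]+\])?:[ \t]+/, "")     # drop the syslog prefix
        user = substr($0, 1, index($0, " : ") - 1)
        rest = substr($0, index($0, " : ") + 3)
        reason = substr(rest, 1, index(rest, " ; ") - 1)
        # Take everything after COMMAND= so a " ; " inside the command survives.
        cmd = substr($0, index($0, "COMMAND=") + 8)
        target = ""
        if (match($0, /USER=[^ ]+/)) target = substr($0, RSTART + 5, RLENGTH - 5)
        if (reason !~ /^TTY=/)
            print "DENIED\t" user "\t" reason "\t" cmd
        else if (target == "root" && cmd ~ /^(\/usr)?\/bin\/(ba|da|k|z)?sh$/)
            print "ROOTSHELL\t" user "\t" cmd
    }'
}

# Constructed sample log lines; host and user names are made up.
sample_sudo_log() {
    cat <<'EOF'
Jan 10 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /usr/local/protected
Jan 10 09:15:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 10 09:16:12 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vim /etc/passwd
Jan 10 09:20:31 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c cd /home ; du -s * | sort -rn > USAGE
Jan 10 09:25:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 09:25:05 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
EOF
}

sample_sudo_log | sudo_events
```

On a live system, feed it the file your syslog daemon writes sudo entries to (commonly /var/log/auth.log or /var/log/secure, depending on the distribution).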
A system can be set up so that all machines in a system use the same sudoers file, allowing better central administration of a network.
You can't sudo strace (fill in the rest of the command any way you want) because sudo can't gain its privileges while being traced.
polkit (formerly PolicyKit) is an alternative control component for system-wide privileges.
In June 2009, Ken Milberg named this command as one of the Top 50 universal UNIX commands on the web page "Top 50 Universal UNIX commands". Note that this web page requires agreeing to be spammed before you can read it.
Copyright © 2012, 2013 Milo
Created: July 5, 2012
Last Updated: January 10, 2013