Documentation< Previous | Contents | Next >
sudo – Execute A Command As Another User
The sudo command is like su in many ways, but has some important additional capabil- ities. The administrator can configure sudo to allow an ordinary user to execute com- mands as a different user (usually the superuser) in a very controlled way. In particular, a user may be restricted to one or more specific commands and no others. Another impor- tant difference is that the use of sudo does not require access to the superuser's pass- word. To authenticate using sudo, the user uses his/her own password. Let's say, for ex- ample, that sudo has been configured to allow us to run a fictitious backup program called “backup_script”, which requires superuser privileges. With sudo it would be done like this:
[me@linuxbox ~]$ sudo backup_script
Password:
System Backup Starting...
[me@linuxbox ~]$ sudo backup_script
Password:
System Backup Starting...
After entering the command, we are prompted for our password (not the superuser's) and once the authentication is complete, the specified command is carried out. One important difference between su and sudo is that sudo does not start a new shell, nor does it load another user's environment. This means that commands do not need to be quoted any dif- ferently than they would be without using sudo. Note that this behavior can be overrid- den by specifying various options. See the sudo man page for details.
To see what privileges are granted by sudo, use the “-l” option to list them:
[me@linuxbox ~]$ sudo -l
User me may run the following commands on this host: (ALL) ALL
[me@linuxbox ~]$ sudo -l
User me may run the following commands on this host: (ALL) ALL
Ubuntu And sudo
One of the recurrent problems for regular users is how to perform certain tasks that require superuser privileges. These tasks include installing and updating soft- ware, editing system configuration files, and accessing devices. In the Windows world, this is often done by giving users administrative privileges. This allows users to perform these tasks. However, it also enables programs executed by the user to have the same abilities. This is desirable in most cases, but it also permits malware (malicious software) such as viruses to have free reign of the computer.
In the Unix world, there has always been a larger division between regular users and administrators, owing to the multiuser heritage of Unix. The approach taken in Unix is to grant superuser privileges only when needed. To do this, the su and sudo commands are commonly used.
Up until a few of years ago, most Linux distributions relied on su for this pur- pose. su didn't require the configuration that sudo required, and having a root account is traditional in Unix. This introduced a problem. Users were tempted to operate as root unnecessarily. In fact, some users operated their systems as the root user exclusively, since it does away with all those annoying “permission de- nied” messages. This is how you reduce the security of a Linux system to that of a Windows system. Not a good idea.
When Ubuntu was introduced, its creators took a different tack. By default, Ubuntu disables logins to the root account (by failing to set a password for the ac- count), and instead uses sudo to grant superuser privileges. The initial user ac- count is granted full access to superuser privileges via sudo and may grant simi- lar powers to subsequent user accounts.