:Sudo

Robert Coggeshall and Cliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science at SUNY/Buffalo. Robert Coggeshall brought sudo with him to the University of Colorado Boulder. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the University of Colorado Boulder Computer Science Department and the College of Engineering and Applied Science, including Todd C. Miller. The current version has been publicly maintained by OpenBSD developer Todd C. Miller since 1994, and has been distributed under an ISC-style license since 1999.

In November 2009 Thomas Claburn, in response to concerns that Microsoft had patented sudo, characterized such suspicions as overblown. The claims were narrowly framed to a particular GUI, rather than to the sudo concept.

The logo is a reference to an xkcd strip, where an order for a sandwich is accepted when preceded with {{code|sudo}}.{{cite web | url=https://xkcd.com/149/ | title=Sandwich | access-date=2022-04-11 | archive-date=2022-04-09 | archive-url=https://web.archive.org/web/20220409063050/https://xkcd.com/149/ | url-status=live }}{{cite web | url=https://www.sudo.ws/about/logo/ | title=Sudo Logo | access-date=2022-04-11 | archive-date=2022-04-27 | archive-url=https://web.archive.org/web/20220427150715/https://www.sudo.ws/about/logo/ | url-status=live }}

File:Sudo warning.svg

Unlike for su, users supply their personal password to {{code|sudo}} (if necessary){{Cite web |date=June 18, 2019 |title=About Unix sudo and su commands |url=https://kb.iu.edu/d/amyi |access-date=September 10, 2022 |website=University Information Technology Services |archive-date=September 10, 2022 |archive-url=https://web.archive.org/web/20220910145149/https://kb.iu.edu/d/amyi |url-status=live }} rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password.{{Cite web |last=Wallen |first=Jack |date=2023-05-16 |title=Linux security: What is sudo and why is it so important? |url=https://www.zdnet.com/article/why-sudo-is-so-important-in-linux-and-how-to-use-it/ |access-date=2024-01-23 |website=ZDNET |language=en}} Users must be in a certain group to use the {{code|sudo}} command, typically either the wheel or sudo group.{{Cite web |last=Aleksic |first=Marko |date=2020-08-18 |title=Linux Sudo Command, How to Use With Examples |url=https://phoenixnap.com/kb/linux-sudo-command |access-date=2024-01-23 |website=Knowledge Base by phoenixNAP |language=en-US}} After authentication, and if the configuration file permits the user access, the system invokes the requested command. {{code|sudo}} retains the user's invocation rights through a grace period (typically 5 minutes) per pseudo terminal, allowing the user to execute several successive commands as the requested user without having to provide a password again.{{Cite web |last=Sheldon |first=Robert |date=February 2023 |title=What is the sudo (su 'do') command-line utility? – TechTarget Definition |url=https://www.techtarget.com/searchsecurity/definition/sudo-superuser-do |access-date=2024-01-23 |website=TechTarget Security |language=en}}

As a security and auditing feature, {{code|sudo}} may be configured to log each command run. When a user attempts to invoke {{code|sudo}} without being listed in the configuration file, an exception indication is presented to the user indicating that the attempt has been recorded. If configured, the root user will be alerted via mail. By default, an entry is recorded in the system.[https://www.baeldung.com/linux/sudo-incident-logs Where are sudo Incidents Reported?] {{Webarchive|url=https://web.archive.org/web/20230409210655/https://www.baeldung.com/linux/sudo-incident-logs|date=2023-04-09}} Retrieved April 10, 2023

The /etc/sudoers file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the root user or another specified user. The file can be edited by using the command sudo visudo. Sudo contains several configuration options such as allowing commands to be run as {{code|sudo}} without a password, changing which users can use {{code|sudo}}, and changing the message displayed upon entering an incorrect password.{{Cite web |last=Wallen |first=Jack |date=2010-05-12 |title=Linux 101: Introduction to sudo |url=https://www.linux.com/training-tutorials/linux-101-introduction-sudo/ |access-date=2024-01-23 |website=Linux.com |language=en-US}} Sudo features an easter egg that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.{{Cite web |last=Kili |first=Aaron |date=2017-01-12 |title=Let Sudo Insult You When You Enter Incorrect Password |url=https://www.tecmint.com/sudo-insult-when-enter-wrong-password/ |access-date=2024-01-23 |website=www.tecmint.com |language=en-US}}

In some system distributions, {{code|sudo}} has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some Linux distributions as well as Apple's macOS. This allows for more secure logging of admin commands and prevents some exploits.

{{main|Role-based access control}}

In association with SELinux, {{code|sudo}} can be used to transition between roles in role-based access control (RBAC).{{cite web|title=SELinux Lockdown Part Five: SELinux RBAC|url=http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|access-date=2012-11-17|archive-date=2013-05-11|archive-url=https://web.archive.org/web/20130511065723/http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|url-status=live}}

visudo is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.

Sudoedit is a program that symlinks to the sudo binary.{{Cite web|first=Jonathan|last=Bennett|date=2021-01-29|title=This Week In Security: Sudo, Database Breaches, And Ransomware|url=https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|access-date=2021-05-24|website=Hackaday|language=en-US|archive-date=2021-06-21|archive-url=https://web.archive.org/web/20210621050109/https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|url-status=live}} When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to.{{Cite web|title=sudoedit(8) - Linux manual page|url=https://man7.org/linux/man-pages/man8/sudoedit.8.html|access-date=2021-05-24|website=man7.org|archive-date=2021-05-24|archive-url=https://web.archive.org/web/20210524193317/https://man7.org/linux/man-pages/man8/sudoedit.8.html|url-status=live}}

Microsoft released its own version of {{code|sudo}} for Windows in February 2024. It functions similarly to its Unix counterpart by giving the ability to run elevated commands from an unelevated console session.{{Cite web |last=Adoumie |first=Jordi |date=2024-02-07 |title=Introducing Sudo for Windows! |url=https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/ |access-date=2024-02-08 |website=Windows Command Line |language=en-US}} The program runas provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. Hamilton C shell also includes true {{code|su}} and {{code|sudo}} for Windows that can pass all of that state information and start the child either elevated or as another user (or both).{{cite web |title=su |url=http://hamiltonlabs.com/UserGuide/Utilities/su.htm |url-status=live |archive-url=https://web.archive.org/web/20150717034225/http://hamiltonlabs.com/UserGuide/Utilities/su.htm |archive-date=July 17, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}{{cite web |title=Predefined aliases: sudo |url=http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |url-status=live |archive-url=https://web.archive.org/web/20150826052938/http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |archive-date=August 26, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}

Graphical user interfaces exist for sudo – notably gksudo – but are deprecated in Debian and no longer included in Ubuntu.{{cite web |url=https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |title=Remove gksu from Ubuntu |last=Bicha |first=Jeremy |date=December 30, 2017 |publisher=Canonical, which owns Launchpad |access-date=January 10, 2020 |archive-date=May 5, 2020 |archive-url=https://web.archive.org/web/20200505225540/https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |url-status=live }}{{cite web |url=https://packages.ubuntu.com/bionic/allpackages |title=Software Packages in "bionic" |author= |date= |publisher=Canonical |access-date=January 10, 2020 |archive-date=October 18, 2019 |archive-url=https://web.archive.org/web/20191018054647/https://packages.ubuntu.com/bionic/allpackages |url-status=live }} Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as pkexec in Unix-like operating systems, User Account Control in Microsoft Windows and Mac OS X Authorization Services.

doas, available since OpenBSD 5.8 (October 2015), has been written in order to replace {{code|sudo}} in the OpenBSD base system, with the latter still being made available as a port.{{cite web

| url = http://ports.su/security/sudo

| title = sudo-1.8.26 – execute a command as another user

| work = OpenBSD ports

| date = 2018-11-16

| access-date = 2019-02-26

| archive-date = 2019-02-27

| archive-url = https://web.archive.org/web/20190227060200/http://ports.su/security/sudo

| url-status = live

}}

gosu is a tool similar to sudo that is popular in containers where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.{{cite web | url=https://github.com/tianon/gosu |title=gosu|website=GitHub }}

{{Portal|Free and open-source software}}

• chroot
• doas
• runas
• Comparison of privilege authorization features

{{reflist|1=30em|refs=

{{cite news | first = Noam | last = Cohen | work = The New York Times | title = This Is Funny Only if You Know Unix | url = https://www.nytimes.com/2008/05/26/business/media/26link.html | date = May 26, 2008 | access-date = April 9, 2012 | archive-date = January 22, 2018 | archive-url = https://web.archive.org/web/20180122165833/http://www.nytimes.com/2008/05/26/business/media/26link.html | url-status = live}}

{{cite web | url = https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | title = Introduction to Authorization Services Programming Guide | publisher = developer.apple.com | access-date = 2022-05-27 | archive-date = 2022-05-28 | archive-url = https://web.archive.org/web/20220528003210/https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | url-status = live}}

{{cite web | url = http://www.macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-url= https://web.archive.org/web/20121015045622/http://macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-date = 2012-10-15 | url-status = dead | title = Top Ten Mac OS X Tips for Unix Geeks | publisher = MacDevCenter.com | access-date = 2022-05-27}}

{{cite web |url = https://help.ubuntu.com/community/RootSudo |title = RootSudo |work = Community Ubuntu Documentation |publisher = help.ubuntu.com |date = 2011-11-08 |access-date = 2011-11-17 |archive-date = 2011-11-05 |archive-url = https://web.archive.org/web/20111105004600/https://help.ubuntu.com/community/RootSudo |url-status = live}}

{{cite web |author = Todd C. Miller |url = http://www.sudo.ws/sudo/license.html |title = Sudo License |publisher = sudo.ws |date = 2011-06-17 |access-date = 2011-11-17 |archive-date = 2015-07-31 |archive-url = https://web.archive.org/web/20150731135949/http://www.sudo.ws/sudo/license.html |url-status = live}}

{{cite web | url = http://sudo.ws/sudo/troubleshooting.html | title = Troubleshooting tips and FAQ for Sudo | author = Miller, Todd C | access-date = 2009-11-20 | archive-date = 2021-11-27 | archive-url = https://web.archive.org/web/20211127153002/https://www.sudo.ws/sudo/troubleshooting.html | url-status = live}}

{{cite web | url = https://www.sudo.ws/history.html | title = A Brief History of Sudo | author = Miller, Todd C | access-date = 2021-02-08 | archive-date = 2021-01-27 | archive-url = https://web.archive.org/web/20210127114014/https://www.sudo.ws/history.html | url-status = live}}

{{cite web | url = http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-url= https://web.archive.org/web/20140701234003/http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-date = 2014-07-01 | url-status= dead | title = Microsoft has Patented "sudo." Yes, the Command | last = Lilly | first = Paul | access-date = 2009-11-13}}

{{cite web |url = https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |title = Does New Microsoft Patent Infringe On Unix Program Sudo? Some in the open source community suspicious of Microsoft's intent |date = 2009-11-16 |work = Dark Reading |access-date = 2022-05-27 |quote = A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown. |archive-date = 2022-08-20 |archive-url = https://web.archive.org/web/20220820031048/https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |url-status = live}}

{{cite news | last = Eaton | first = Nick | url = http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-url= https://web.archive.org/web/20210620170544/http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-date = 2021-06-20 | url-status = dead | title = Did Microsoft just sneakily patent an open-source tool? | publisher = seattlepi.com | date = November 12, 2009 | access-date = April 24, 2011}}

}}

• {{Official website}}

{{Unix commands}}

{{OpenBSD}}

Category:Computer security software

Category:System administration

Category:Unix user management and support-related utilities

Category:Software using the ISC license