| sudo | |
|---|---|
.png){kind=logo} | |
 The sudo command in a terminal | |
| Original authors | Robert Coggeshall, Cliff Spencer |
| Developer | Todd C. Miller |
| Initial release | c. 1980[1] |
| Stable release | |
| Written in | C |
| Operating system | Unix-like |
| Type | Privilege authorization |
| License | ISC-style[3] |
| Website | www |
| Repository | |
sudo (/suːduː/ or/ˈsuːdoʊ/[4]) is ashellcommand onUnix-likeoperating systems that enables a user to run a program with the security privileges of another user, by default thesuperuser.[5] It originally stood for "superuser do",[6] as that was all it did, and this remains its most common usage;[7] however, the official Sudo project page lists it as "su 'do'".[8] The current Linux manual pages definesu as "substitute user",[9] making the modern meaning ofsudo "substitute user, do", becausesudo can run a command as other users as well.[10][11]
Unlike the similar commandsu, users must, by default, supply their ownpassword for authentication, rather than the password of the target user. After authentication, and if theconfiguration file (typically/etc/sudoers) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.
Robert Coggeshall andCliff Spencer wrote the original subsystem around 1980 at the Department of Computer Science atSUNY/Buffalo.[12] Robert Coggeshall brought sudo with him to theUniversity of Colorado Boulder. Between 1986 and 1993, the code and features were substantially modified by the IT staff of theUniversity of Colorado Boulder Computer Science Department and the College of Engineering and Applied Science, including Todd C. Miller.[12] The current version has been publicly maintained byOpenBSD developer Todd C. Miller since 1994,[12] and has been distributed under anISC-style license since 1999.[12]
In November 2009, Thomas Claburn, in response to concerns thatMicrosoft had patented sudo,[13] characterized such suspicions as overblown.[14] Theclaims were narrowly framed to a particularGUI, rather than to the sudo concept.[15]
The logo is a reference to anxkcd strip, where an order for a sandwich is accepted only when preceded withsudo.[16][17]
sudoUnlike forsu, users supply their personal password tosudo (if necessary)[18] rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password.[19] Users must be in a certaingroup to use thesudo command, typically either thewheel orsudo group.[20] After authentication, and if the configuration file permits the user access, the system invokes the requested command.sudo retains the user's invocation rights through a grace period (typically 5 minutes) perpseudo terminal, allowing the user to execute several successive commands as the requested user without having to provide a password again.[21]
As a security and auditing feature,sudo may be configured to log each command run. When a user attempts to invokesudo without being listed in the configuration file, an exception indication is presented to the user indicating that the attempt has been recorded. If configured, the root user will be alerted viamail. By default, an entry is recorded in the system.[22]
The/etc/sudoers file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of theroot user or another specified user. The file can be edited by using the commandsudo visudo. Sudo contains several configuration options such as allowing commands to be run assudo without a password, changing which users can usesudo, and changing the message displayed upon entering an incorrect password.[23] Sudo features aneaster egg that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.[24]
In some system distributions,sudo has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in someLinux distributions as well as Apple'smacOS.[25][26] This allows for more secure logging of admin commands and prevents some exploits.
In association withSELinux,sudo can be used to transition between roles inrole-based access control (RBAC).[27]
visudo is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits withlocks and performssanity and syntax checks.
Sudoedit is a program that symlinks to the sudo binary.[28] When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to.[29]
Microsoft released its own tool also calledsudo forWindows in February 2024. Its interface is similar to its Unix counterpart by giving the ability to run elevated commands from an unelevated console session, although its implementation is entirely different.[30] The programrunas provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation.Hamilton C shell also includes truesu andsudo for Windows that can pass all of that state information and start the child either elevated or as another user (or both).[31][32]
Graphical user interfaces exist for sudo – notablygksudo – but are deprecated inDebian and no longer included inUbuntu.[33][34] Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such aspkexec in Unix-like operating systems,User Account Control inMicrosoft Windows andMac OS X Authorization Services.[35]
doas, available sinceOpenBSD 5.8 (October 2015), has been written in order to replacesudo in theOpenBSD base system, with the latter still being made available as aport.[36]
gosu is a tool similar to sudo that is popular in containers where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.[37]
A rewrite of sudo, called sudo-rs, written in theRust programming language, became adopted as the default inUbuntu.[38]
A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown.
| File system | |
|---|---|
| Processes | |
| User environment | |
| Text processing | |
| Shell builtins | |
| Searching | |
| Documentation | |
| Software development | |
| Miscellaneous | |
