The sudo(8) program solves the dilemma of how to allow ordinary users access to certain privileged system resources yet still keep the superuser password secret.
Before granting privileges to a user, the
sudo(8) program checks the configuration file
/etc/sudoers and:
Grants privileges to the user without requiring any password at all.
Grants privileges to the user if, and only if, the user supplies the correct password to prove their identity. Note that this is the password for the user account, not the superuser password.
Deny the access and notify the system administrator of the failed attempt via an email sent to the root account.
Log the command, its arguments, and timestamp into the
/var/log/secure file.
Sudo(8) keeps a log of all activity in the
/var/log/secure file. Thus, there is an audit trail
recording everything done in the name of the system administrator.
The /etc/sudoers file configures the programs that
users can access using sudo(8), along with
whether or not a password will be needed.
The system administrator adds users to this file using the
/usr/sbin/visudo command. Each non-comment line in
the file has two parts:
A username ("reynolds"), or a group name ("%wheel").
A list of machine names where a program may be run, or the keyword
ALL. Following an equal sign
(=), a list of user identities the command may be
run as, enclosed in round brackets (parenthesis); the wildcard
ALL may also appear. Finally, a list of
applications which may be run as the named users; the keyword
ALL is a wildcard.
The following examples should help make this clear:
reynolds ALL=(ALL) ALL
User reynolds can execute any command as any user, but must know the password to the reynolds account.
reynolds ALL=(root) shutdown
User reynolds can execute only command shutdown, but must know the password to the reynolds account.
reynolds ALL=(root) NOPASSWD:
/usr/bin/id
User reynolds can execute only the application
/usr/bin/id; no password will be needed.
Example 4. /etc/sudoers Examples
Once the system administrator has entered the necessary setup into the
/etc/sudoers file, users can safely access
privileged system resources and activities like this:
$ sudo reboot Password:
No awkward quoting on the command line, just prefix the command you want
with the word sudo. If you want to run the
command as a user other than root, just add the
-u username switch:
$ sudo -u reynolds id
There will be a log entry written to the
/var/log/secure file to show who did the deed.
Of course, the sysadmin may have configured sudo(8) not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.