What does sudo mean and do?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












"Can someone tell me what sudo means?" I am learning Linux. I googled but can someone kind of give me a Windows comparison I think this will help me a little. I know su means switch user. sudo is being another user, but how and why? Why can't you just give yourself permissions under your user name?










share|improve this question



















  • 1




    In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
    – Anthon
    Oct 2 '17 at 3:08










  • @KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
    – harish.venkat
    Oct 2 '17 at 3:33










  • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
    – KnowledgeBeyondMe
    Oct 2 '17 at 14:02














up vote
0
down vote

favorite












"Can someone tell me what sudo means?" I am learning Linux. I googled but can someone kind of give me a Windows comparison I think this will help me a little. I know su means switch user. sudo is being another user, but how and why? Why can't you just give yourself permissions under your user name?










share|improve this question



















  • 1




    In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
    – Anthon
    Oct 2 '17 at 3:08










  • @KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
    – harish.venkat
    Oct 2 '17 at 3:33










  • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
    – KnowledgeBeyondMe
    Oct 2 '17 at 14:02












up vote
0
down vote

favorite









up vote
0
down vote

favorite











"Can someone tell me what sudo means?" I am learning Linux. I googled but can someone kind of give me a Windows comparison I think this will help me a little. I know su means switch user. sudo is being another user, but how and why? Why can't you just give yourself permissions under your user name?










share|improve this question















"Can someone tell me what sudo means?" I am learning Linux. I googled but can someone kind of give me a Windows comparison I think this will help me a little. I know su means switch user. sudo is being another user, but how and why? Why can't you just give yourself permissions under your user name?







centos sudo






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 2 '17 at 14:53









dessert

1,013321




1,013321










asked Oct 2 '17 at 2:56









KnowledgeBeyondMe

111




111







  • 1




    In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
    – Anthon
    Oct 2 '17 at 3:08










  • @KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
    – harish.venkat
    Oct 2 '17 at 3:33










  • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
    – KnowledgeBeyondMe
    Oct 2 '17 at 14:02












  • 1




    In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
    – Anthon
    Oct 2 '17 at 3:08










  • @KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
    – harish.venkat
    Oct 2 '17 at 3:33










  • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
    – KnowledgeBeyondMe
    Oct 2 '17 at 14:02







1




1




In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
– Anthon
Oct 2 '17 at 3:08




In windows, if you don't have admin rights, you need to provide name and password for an account that does as well. You can of course give yourself permission under your user name, it is just not smart to do so, as any program that your run can then modify anything you have permission for. That is one of the reasons why Windows has been unsafe for so long.
– Anthon
Oct 2 '17 at 3:08












@KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
– harish.venkat
Oct 2 '17 at 3:33




@KnowledgeBeyondMe: What is it with the subject of the question? Please change it to something meaningful.
– harish.venkat
Oct 2 '17 at 3:33












ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
– KnowledgeBeyondMe
Oct 2 '17 at 14:02




ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
– KnowledgeBeyondMe
Oct 2 '17 at 14:02










5 Answers
5






active

oldest

votes

















up vote
2
down vote













sudo allows you run a program as the root super user. Using it instead of su,



  1. you do not need to know the root password because it asks for your password,

  2. you know explicitly what commands will run as the root and which others as you. If you use su, you got a shell and can run inadvertently some (dangerous) programs, and

  3. all your actions are logged into the auth.log file. Actions in a shell, such as one initiated by su are not usually logged.


Why can't you just give yourself permissions under your user name?




For security reasons, the root account is seldom used for day to day purposes. Usually, all the users, including administrators, use a "normal" user and only execute commands as root when it is needed. This may prevent (1) unauthorized access to files of other users, (2) not-logged root actions and (3) problems caused by executing "dangerous" programs.



There is an analogy in Wikipedia you can consider:



  • Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.





share|improve this answer




















  • Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
    – Johan Myréen
    Oct 2 '17 at 6:18










  • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
    – KnowledgeBeyondMe
    Oct 2 '17 at 14:02










  • @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
    – Johan Myréen
    Oct 4 '17 at 6:48










  • You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
    – Jaime
    Oct 4 '17 at 9:53

















up vote
1
down vote













In early versions of Unix the most common scenario was to be logged in through a terminal without a windowing system. The su command (substitute user) was a convenient way to change your current permissions without logging out. Remember, without a windowing system logging out meant stopping whatever you had running.



Using su to become root has some annoying issues. People occasionally would forget to exit the session and accidentally run commands as root. Changing the administrative password was complicated by the fact that you needed to distribute it to everyone who needed it. Most systems didn't log every command so it was difficult to tell who'd done what as root. And so on.



sudo addressed those issues by letting people run one single command as root. It provides better auditing and control while being a bit more convenient for one off commands.






share|improve this answer



























    up vote
    1
    down vote













    ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.






    share|improve this answer
















    • 1




      sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
      – Kusalananda
      Oct 2 '17 at 14:08










    • oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
      – KnowledgeBeyondMe
      Oct 2 '17 at 16:20










    • Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
      – Kusalananda
      Oct 2 '17 at 16:22










    • Control mechanism for rights and roles in windows.
      – KnowledgeBeyondMe
      Oct 2 '17 at 16:23










    • No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
      – Jaime
      Oct 4 '17 at 10:00


















    up vote
    1
    down vote













    By default on most Unices, the "administrator" account, root, is to be used only sparingly. There are only two levels of administrator, or "super user", rights on a normal Unix system: You either have full control of everything, or you don't.



    "Full control" includes circumventing most permission checks and to utterly mess up the system by a simple mis-typing. As an ordinary user, you can at most delete your own files only.



    The older su utility is used together with the root password to assume the root identity, but may also be used to assume other users identities, or to execute single commands as them, given that you belong to the correct user group and know their passwords.



    su is commonly used by the root user (on some Unix system) to start daemons (service processes) that need to run under particular user identities to protect them from accessing areas that they shouldn't have access to (typically web servers, SSH server and the like). This may be done in startup scripts as the system is booting.



    su is more seldom used interactively (on the command line).



    The sudo utility requires a bit more configuration as it allows a user to execute commands as another user by using their own password (which means that a root password, for example, does not need to be shared), and it also allows for fine grained control of who is allowed to do exactly what. One could, for example give a single user, or a whole group of users, the ability to mount a certain disk, but not to unmount it or to mount any other disks, or to install software using specific commands etc. Again, the sudo utility allows for assuming other user's identities (not just root) for interactive sessions, or for executing single commands (if the configuration has been set up this way by some other person with root permissions).



    Typically, one would run single commands using sudo (hence the name "superuser do"):



    $ sudo apt-get install vim


    or



    $ sudo shutdown -ph now


    Using sudo in this way is prefered to using sudo -s and work with an interactive root shell, because the commands that you execute are logged. one may later retrace the actions in the log file to see where (and who) did something, either for debugging or for auditing.



    If you find yourself typing away at an interactive root prompt for an extended period of time, then you should reconsider what you're doing and if that really requires root privileges.



    As an example, the only time that I bring up an interactive root prompt is when adding an ordinary user for myself on a freshly installed machine, or when I really have some serious issues that prevents me from even logging in as an ordinary user.




    OpenBSD (since release 5.8) has a utility called doas which replaces sudo in the default system installation. It was developed when it became clear that sudo had become too complex to fit the goals laid out by the developers of OpenBSD. Its use is similar to that of sudo, but configuring it is easier.






    share|improve this answer





























      up vote
      0
      down vote













      sudo allows you to run a program as a different user (including root) based on a configurable, predefined set of rules.



      On a Unix/POSIX/Linux system root is god. The root user is also singular.



      In many environments there are multiple admins who might require full root access, but there can be also be individuals who require access to do some specific function usually reserved for root; DBAs need to stop and start DB services, edit DB config fules, network administrators need to configure network devices and routes, security administrators need to manage certificates and configure firewalls.



      By constraining what commands a person can run, sudo applies the principle of least privilege - users don't get access they don't need. But its not just constraining the binaries users run. Many admin tasks are carried out from the command line - and the paramters passed to that command can also be constrained by sudo (or captured in a shell script with access provided by sudo) hence it is possible to restrict the data / devices that these specialized admins can access.




      Why can't you just give yourself permissions under your user name?




      1) this would be bad.



      • I have often had access to the root account on systems - but I aways set up a named account to use for login, and only 'su' or 'sudo' when I want to explitily invoke my super powers. In addition to avoiding silly mistakes, my named account provides a sandbox for any misbehaving components.


      • what if there are 5 people who need the privileged access, do I grant it to each and every one? What about 20? what about 200?


      2) this would be difficult



      • it's not the Unix security model. Sure you could change the permissions on some executables (see earlier note about parameters). But if you're security conscious, you apply patches regularly - which can undermine a customized permissions model (sudo OTOH maintains its permissions independently of the commands themselves).





      share|improve this answer




















      • ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
        – KnowledgeBeyondMe
        Oct 2 '17 at 16:22










      Your Answer







      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "106"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: false,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f395548%2fwhat-does-sudo-mean-and-do%23new-answer', 'question_page');

      );

      Post as a guest






























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      2
      down vote













      sudo allows you run a program as the root super user. Using it instead of su,



      1. you do not need to know the root password because it asks for your password,

      2. you know explicitly what commands will run as the root and which others as you. If you use su, you got a shell and can run inadvertently some (dangerous) programs, and

      3. all your actions are logged into the auth.log file. Actions in a shell, such as one initiated by su are not usually logged.


      Why can't you just give yourself permissions under your user name?




      For security reasons, the root account is seldom used for day to day purposes. Usually, all the users, including administrators, use a "normal" user and only execute commands as root when it is needed. This may prevent (1) unauthorized access to files of other users, (2) not-logged root actions and (3) problems caused by executing "dangerous" programs.



      There is an analogy in Wikipedia you can consider:



      • Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.





      share|improve this answer




















      • Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
        – Johan Myréen
        Oct 2 '17 at 6:18










      • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
        – KnowledgeBeyondMe
        Oct 2 '17 at 14:02










      • @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
        – Johan Myréen
        Oct 4 '17 at 6:48










      • You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
        – Jaime
        Oct 4 '17 at 9:53














      up vote
      2
      down vote













      sudo allows you run a program as the root super user. Using it instead of su,



      1. you do not need to know the root password because it asks for your password,

      2. you know explicitly what commands will run as the root and which others as you. If you use su, you got a shell and can run inadvertently some (dangerous) programs, and

      3. all your actions are logged into the auth.log file. Actions in a shell, such as one initiated by su are not usually logged.


      Why can't you just give yourself permissions under your user name?




      For security reasons, the root account is seldom used for day to day purposes. Usually, all the users, including administrators, use a "normal" user and only execute commands as root when it is needed. This may prevent (1) unauthorized access to files of other users, (2) not-logged root actions and (3) problems caused by executing "dangerous" programs.



      There is an analogy in Wikipedia you can consider:



      • Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.





      share|improve this answer




















      • Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
        – Johan Myréen
        Oct 2 '17 at 6:18










      • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
        – KnowledgeBeyondMe
        Oct 2 '17 at 14:02










      • @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
        – Johan Myréen
        Oct 4 '17 at 6:48










      • You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
        – Jaime
        Oct 4 '17 at 9:53












      up vote
      2
      down vote










      up vote
      2
      down vote









      sudo allows you run a program as the root super user. Using it instead of su,



      1. you do not need to know the root password because it asks for your password,

      2. you know explicitly what commands will run as the root and which others as you. If you use su, you got a shell and can run inadvertently some (dangerous) programs, and

      3. all your actions are logged into the auth.log file. Actions in a shell, such as one initiated by su are not usually logged.


      Why can't you just give yourself permissions under your user name?




      For security reasons, the root account is seldom used for day to day purposes. Usually, all the users, including administrators, use a "normal" user and only execute commands as root when it is needed. This may prevent (1) unauthorized access to files of other users, (2) not-logged root actions and (3) problems caused by executing "dangerous" programs.



      There is an analogy in Wikipedia you can consider:



      • Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.





      share|improve this answer












      sudo allows you run a program as the root super user. Using it instead of su,



      1. you do not need to know the root password because it asks for your password,

      2. you know explicitly what commands will run as the root and which others as you. If you use su, you got a shell and can run inadvertently some (dangerous) programs, and

      3. all your actions are logged into the auth.log file. Actions in a shell, such as one initiated by su are not usually logged.


      Why can't you just give yourself permissions under your user name?




      For security reasons, the root account is seldom used for day to day purposes. Usually, all the users, including administrators, use a "normal" user and only execute commands as root when it is needed. This may prevent (1) unauthorized access to files of other users, (2) not-logged root actions and (3) problems caused by executing "dangerous" programs.



      There is an analogy in Wikipedia you can consider:



      • Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.






      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Oct 2 '17 at 3:31









      Jaime

      23115




      23115











      • Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
        – Johan Myréen
        Oct 2 '17 at 6:18










      • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
        – KnowledgeBeyondMe
        Oct 2 '17 at 14:02










      • @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
        – Johan Myréen
        Oct 4 '17 at 6:48










      • You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
        – Jaime
        Oct 4 '17 at 9:53
















      • Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
        – Johan Myréen
        Oct 2 '17 at 6:18










      • ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
        – KnowledgeBeyondMe
        Oct 2 '17 at 14:02










      • @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
        – Johan Myréen
        Oct 4 '17 at 6:48










      • You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
        – Jaime
        Oct 4 '17 at 9:53















      Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
      – Johan Myréen
      Oct 2 '17 at 6:18




      Using sudo is rather like being Goofy until you eat a super peanut which turns you into Super Goof. Your super powers wear off after a timeout (default 15 minutes), after which you are prompted for a new peanut... er, your password.
      – Johan Myréen
      Oct 2 '17 at 6:18












      ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
      – KnowledgeBeyondMe
      Oct 2 '17 at 14:02




      ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.
      – KnowledgeBeyondMe
      Oct 2 '17 at 14:02












      @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
      – Johan Myréen
      Oct 4 '17 at 6:48




      @KnowledgeBeyondMe Everyone has the potential to be an admin, but you still have to be authorised by being listed in /etc/sudoers. There are some other advantages of sudo over su, but the main point of sudo is that you authenticate using your own password. Shared passwords are bad.
      – Johan Myréen
      Oct 4 '17 at 6:48












      You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
      – Jaime
      Oct 4 '17 at 9:53




      You must authorize people, including them into the /etc/sudoers or using other techniques, to run sudo. Usually, you do not authorize all the people, just system administrators.
      – Jaime
      Oct 4 '17 at 9:53












      up vote
      1
      down vote













      In early versions of Unix the most common scenario was to be logged in through a terminal without a windowing system. The su command (substitute user) was a convenient way to change your current permissions without logging out. Remember, without a windowing system logging out meant stopping whatever you had running.



      Using su to become root has some annoying issues. People occasionally would forget to exit the session and accidentally run commands as root. Changing the administrative password was complicated by the fact that you needed to distribute it to everyone who needed it. Most systems didn't log every command so it was difficult to tell who'd done what as root. And so on.



      sudo addressed those issues by letting people run one single command as root. It provides better auditing and control while being a bit more convenient for one off commands.






      share|improve this answer
























        up vote
        1
        down vote













        In early versions of Unix the most common scenario was to be logged in through a terminal without a windowing system. The su command (substitute user) was a convenient way to change your current permissions without logging out. Remember, without a windowing system logging out meant stopping whatever you had running.



        Using su to become root has some annoying issues. People occasionally would forget to exit the session and accidentally run commands as root. Changing the administrative password was complicated by the fact that you needed to distribute it to everyone who needed it. Most systems didn't log every command so it was difficult to tell who'd done what as root. And so on.



        sudo addressed those issues by letting people run one single command as root. It provides better auditing and control while being a bit more convenient for one off commands.






        share|improve this answer






















          up vote
          1
          down vote










          up vote
          1
          down vote









          In early versions of Unix the most common scenario was to be logged in through a terminal without a windowing system. The su command (substitute user) was a convenient way to change your current permissions without logging out. Remember, without a windowing system logging out meant stopping whatever you had running.



          Using su to become root has some annoying issues. People occasionally would forget to exit the session and accidentally run commands as root. Changing the administrative password was complicated by the fact that you needed to distribute it to everyone who needed it. Most systems didn't log every command so it was difficult to tell who'd done what as root. And so on.



          sudo addressed those issues by letting people run one single command as root. It provides better auditing and control while being a bit more convenient for one off commands.






          share|improve this answer












          In early versions of Unix the most common scenario was to be logged in through a terminal without a windowing system. The su command (substitute user) was a convenient way to change your current permissions without logging out. Remember, without a windowing system logging out meant stopping whatever you had running.



          Using su to become root has some annoying issues. People occasionally would forget to exit the session and accidentally run commands as root. Changing the administrative password was complicated by the fact that you needed to distribute it to everyone who needed it. Most systems didn't log every command so it was difficult to tell who'd done what as root. And so on.



          sudo addressed those issues by letting people run one single command as root. It provides better auditing and control while being a bit more convenient for one off commands.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Oct 2 '17 at 3:44









          Matthew Gauthier

          40213




          40213




















              up vote
              1
              down vote













              ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.






              share|improve this answer
















              • 1




                sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
                – Kusalananda
                Oct 2 '17 at 14:08










              • oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:20










              • Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
                – Kusalananda
                Oct 2 '17 at 16:22










              • Control mechanism for rights and roles in windows.
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:23










              • No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
                – Jaime
                Oct 4 '17 at 10:00















              up vote
              1
              down vote













              ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.






              share|improve this answer
















              • 1




                sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
                – Kusalananda
                Oct 2 '17 at 14:08










              • oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:20










              • Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
                – Kusalananda
                Oct 2 '17 at 16:22










              • Control mechanism for rights and roles in windows.
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:23










              • No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
                – Jaime
                Oct 4 '17 at 10:00













              up vote
              1
              down vote










              up vote
              1
              down vote









              ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.






              share|improve this answer












              ok, so let me see if I understand this. Instead of people having admin accounts everyone has the potential to be an admin by using the sudo username. However, by using that sudo user name your actions will be logged back to you because its kind like a hell off your actual username acct. If this is so, I really like that. It saves tons of time. You don't have to wait for someone with privies to come over to you to add software and printers and such.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Oct 2 '17 at 14:03









              KnowledgeBeyondMe

              111




              111







              • 1




                sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
                – Kusalananda
                Oct 2 '17 at 14:08










              • oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:20










              • Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
                – Kusalananda
                Oct 2 '17 at 16:22










              • Control mechanism for rights and roles in windows.
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:23










              • No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
                – Jaime
                Oct 4 '17 at 10:00













              • 1




                sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
                – Kusalananda
                Oct 2 '17 at 14:08










              • oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:20










              • Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
                – Kusalananda
                Oct 2 '17 at 16:22










              • Control mechanism for rights and roles in windows.
                – KnowledgeBeyondMe
                Oct 2 '17 at 16:23










              • No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
                – Jaime
                Oct 4 '17 at 10:00








              1




              1




              sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
              – Kusalananda
              Oct 2 '17 at 14:08




              sudo is a utility, not a user name. Someone still have to give you the right to use sudo. The right may be restricted to the use of particular commands, or for using sudo to assume particular other user identities. sudo may be used to switch to other roles than just root.
              – Kusalananda
              Oct 2 '17 at 14:08












              oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
              – KnowledgeBeyondMe
              Oct 2 '17 at 16:20




              oh so it s like Active Directory Organizational groups? You have your own user name with privileges but if you are given permissions you can access privies of a specialized org. The ORG in this sense would be the SUDO utility?
              – KnowledgeBeyondMe
              Oct 2 '17 at 16:20












              Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
              – Kusalananda
              Oct 2 '17 at 16:22




              Not knowing what an "Active Directory" is, I can't say yes or no to that with certainty.
              – Kusalananda
              Oct 2 '17 at 16:22












              Control mechanism for rights and roles in windows.
              – KnowledgeBeyondMe
              Oct 2 '17 at 16:23




              Control mechanism for rights and roles in windows.
              – KnowledgeBeyondMe
              Oct 2 '17 at 16:23












              No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
              – Jaime
              Oct 4 '17 at 10:00





              No, sudo is not a group or a user account. -- In Windows, Active Directory and LDAP you can define user groups. In Linux, you can define user groups too. For instance, your linux usually has an admin group. Each user may belong to a primary group and multiple secondary groups. -- You can authorize the sudo to all the members of a group. If you check the /etc/sudoers, the authorized groups have a % prefix.
              – Jaime
              Oct 4 '17 at 10:00











              up vote
              1
              down vote













              By default on most Unices, the "administrator" account, root, is to be used only sparingly. There are only two levels of administrator, or "super user", rights on a normal Unix system: You either have full control of everything, or you don't.



              "Full control" includes circumventing most permission checks and to utterly mess up the system by a simple mis-typing. As an ordinary user, you can at most delete your own files only.



              The older su utility is used together with the root password to assume the root identity, but may also be used to assume other users identities, or to execute single commands as them, given that you belong to the correct user group and know their passwords.



              su is commonly used by the root user (on some Unix system) to start daemons (service processes) that need to run under particular user identities to protect them from accessing areas that they shouldn't have access to (typically web servers, SSH server and the like). This may be done in startup scripts as the system is booting.



              su is more seldom used interactively (on the command line).



              The sudo utility requires a bit more configuration as it allows a user to execute commands as another user by using their own password (which means that a root password, for example, does not need to be shared), and it also allows for fine grained control of who is allowed to do exactly what. One could, for example give a single user, or a whole group of users, the ability to mount a certain disk, but not to unmount it or to mount any other disks, or to install software using specific commands etc. Again, the sudo utility allows for assuming other user's identities (not just root) for interactive sessions, or for executing single commands (if the configuration has been set up this way by some other person with root permissions).



              Typically, one would run single commands using sudo (hence the name "superuser do"):



              $ sudo apt-get install vim


              or



              $ sudo shutdown -ph now


              Using sudo in this way is prefered to using sudo -s and work with an interactive root shell, because the commands that you execute are logged. one may later retrace the actions in the log file to see where (and who) did something, either for debugging or for auditing.



              If you find yourself typing away at an interactive root prompt for an extended period of time, then you should reconsider what you're doing and if that really requires root privileges.



              As an example, the only time that I bring up an interactive root prompt is when adding an ordinary user for myself on a freshly installed machine, or when I really have some serious issues that prevents me from even logging in as an ordinary user.




              OpenBSD (since release 5.8) has a utility called doas which replaces sudo in the default system installation. It was developed when it became clear that sudo had become too complex to fit the goals laid out by the developers of OpenBSD. Its use is similar to that of sudo, but configuring it is easier.






              share|improve this answer


























                up vote
                1
                down vote













                By default on most Unices, the "administrator" account, root, is to be used only sparingly. There are only two levels of administrator, or "super user", rights on a normal Unix system: You either have full control of everything, or you don't.



                "Full control" includes circumventing most permission checks and to utterly mess up the system by a simple mis-typing. As an ordinary user, you can at most delete your own files only.



                The older su utility is used together with the root password to assume the root identity, but may also be used to assume other users identities, or to execute single commands as them, given that you belong to the correct user group and know their passwords.



                su is commonly used by the root user (on some Unix system) to start daemons (service processes) that need to run under particular user identities to protect them from accessing areas that they shouldn't have access to (typically web servers, SSH server and the like). This may be done in startup scripts as the system is booting.



                su is more seldom used interactively (on the command line).



                The sudo utility requires a bit more configuration as it allows a user to execute commands as another user by using their own password (which means that a root password, for example, does not need to be shared), and it also allows for fine grained control of who is allowed to do exactly what. One could, for example give a single user, or a whole group of users, the ability to mount a certain disk, but not to unmount it or to mount any other disks, or to install software using specific commands etc. Again, the sudo utility allows for assuming other user's identities (not just root) for interactive sessions, or for executing single commands (if the configuration has been set up this way by some other person with root permissions).



                Typically, one would run single commands using sudo (hence the name "superuser do"):



                $ sudo apt-get install vim


                or



                $ sudo shutdown -ph now


                Using sudo in this way is prefered to using sudo -s and work with an interactive root shell, because the commands that you execute are logged. one may later retrace the actions in the log file to see where (and who) did something, either for debugging or for auditing.



                If you find yourself typing away at an interactive root prompt for an extended period of time, then you should reconsider what you're doing and if that really requires root privileges.



                As an example, the only time that I bring up an interactive root prompt is when adding an ordinary user for myself on a freshly installed machine, or when I really have some serious issues that prevents me from even logging in as an ordinary user.




                OpenBSD (since release 5.8) has a utility called doas which replaces sudo in the default system installation. It was developed when it became clear that sudo had become too complex to fit the goals laid out by the developers of OpenBSD. Its use is similar to that of sudo, but configuring it is easier.






                share|improve this answer
























                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  By default on most Unices, the "administrator" account, root, is to be used only sparingly. There are only two levels of administrator, or "super user", rights on a normal Unix system: You either have full control of everything, or you don't.



                  "Full control" includes circumventing most permission checks and to utterly mess up the system by a simple mis-typing. As an ordinary user, you can at most delete your own files only.



                  The older su utility is used together with the root password to assume the root identity, but may also be used to assume other users identities, or to execute single commands as them, given that you belong to the correct user group and know their passwords.



                  su is commonly used by the root user (on some Unix system) to start daemons (service processes) that need to run under particular user identities to protect them from accessing areas that they shouldn't have access to (typically web servers, SSH server and the like). This may be done in startup scripts as the system is booting.



                  su is more seldom used interactively (on the command line).



                  The sudo utility requires a bit more configuration as it allows a user to execute commands as another user by using their own password (which means that a root password, for example, does not need to be shared), and it also allows for fine grained control of who is allowed to do exactly what. One could, for example give a single user, or a whole group of users, the ability to mount a certain disk, but not to unmount it or to mount any other disks, or to install software using specific commands etc. Again, the sudo utility allows for assuming other user's identities (not just root) for interactive sessions, or for executing single commands (if the configuration has been set up this way by some other person with root permissions).



                  Typically, one would run single commands using sudo (hence the name "superuser do"):



                  $ sudo apt-get install vim


                  or



                  $ sudo shutdown -ph now


                  Using sudo in this way is prefered to using sudo -s and work with an interactive root shell, because the commands that you execute are logged. one may later retrace the actions in the log file to see where (and who) did something, either for debugging or for auditing.



                  If you find yourself typing away at an interactive root prompt for an extended period of time, then you should reconsider what you're doing and if that really requires root privileges.



                  As an example, the only time that I bring up an interactive root prompt is when adding an ordinary user for myself on a freshly installed machine, or when I really have some serious issues that prevents me from even logging in as an ordinary user.




                  OpenBSD (since release 5.8) has a utility called doas which replaces sudo in the default system installation. It was developed when it became clear that sudo had become too complex to fit the goals laid out by the developers of OpenBSD. Its use is similar to that of sudo, but configuring it is easier.






                  share|improve this answer














                  By default on most Unices, the "administrator" account, root, is to be used only sparingly. There are only two levels of administrator, or "super user", rights on a normal Unix system: You either have full control of everything, or you don't.



                  "Full control" includes circumventing most permission checks and to utterly mess up the system by a simple mis-typing. As an ordinary user, you can at most delete your own files only.



                  The older su utility is used together with the root password to assume the root identity, but may also be used to assume other users identities, or to execute single commands as them, given that you belong to the correct user group and know their passwords.



                  su is commonly used by the root user (on some Unix system) to start daemons (service processes) that need to run under particular user identities to protect them from accessing areas that they shouldn't have access to (typically web servers, SSH server and the like). This may be done in startup scripts as the system is booting.



                  su is more seldom used interactively (on the command line).



                  The sudo utility requires a bit more configuration as it allows a user to execute commands as another user by using their own password (which means that a root password, for example, does not need to be shared), and it also allows for fine grained control of who is allowed to do exactly what. One could, for example give a single user, or a whole group of users, the ability to mount a certain disk, but not to unmount it or to mount any other disks, or to install software using specific commands etc. Again, the sudo utility allows for assuming other user's identities (not just root) for interactive sessions, or for executing single commands (if the configuration has been set up this way by some other person with root permissions).



                  Typically, one would run single commands using sudo (hence the name "superuser do"):



                  $ sudo apt-get install vim


                  or



                  $ sudo shutdown -ph now


                  Using sudo in this way is prefered to using sudo -s and work with an interactive root shell, because the commands that you execute are logged. one may later retrace the actions in the log file to see where (and who) did something, either for debugging or for auditing.



                  If you find yourself typing away at an interactive root prompt for an extended period of time, then you should reconsider what you're doing and if that really requires root privileges.



                  As an example, the only time that I bring up an interactive root prompt is when adding an ordinary user for myself on a freshly installed machine, or when I really have some serious issues that prevents me from even logging in as an ordinary user.




                  OpenBSD (since release 5.8) has a utility called doas which replaces sudo in the default system installation. It was developed when it became clear that sudo had become too complex to fit the goals laid out by the developers of OpenBSD. Its use is similar to that of sudo, but configuring it is easier.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Oct 2 '17 at 14:43

























                  answered Oct 2 '17 at 14:24









                  Kusalananda

                  105k14209326




                  105k14209326




















                      up vote
                      0
                      down vote













                      sudo allows you to run a program as a different user (including root) based on a configurable, predefined set of rules.



                      On a Unix/POSIX/Linux system root is god. The root user is also singular.



                      In many environments there are multiple admins who might require full root access, but there can be also be individuals who require access to do some specific function usually reserved for root; DBAs need to stop and start DB services, edit DB config fules, network administrators need to configure network devices and routes, security administrators need to manage certificates and configure firewalls.



                      By constraining what commands a person can run, sudo applies the principle of least privilege - users don't get access they don't need. But its not just constraining the binaries users run. Many admin tasks are carried out from the command line - and the paramters passed to that command can also be constrained by sudo (or captured in a shell script with access provided by sudo) hence it is possible to restrict the data / devices that these specialized admins can access.




                      Why can't you just give yourself permissions under your user name?




                      1) this would be bad.



                      • I have often had access to the root account on systems - but I aways set up a named account to use for login, and only 'su' or 'sudo' when I want to explitily invoke my super powers. In addition to avoiding silly mistakes, my named account provides a sandbox for any misbehaving components.


                      • what if there are 5 people who need the privileged access, do I grant it to each and every one? What about 20? what about 200?


                      2) this would be difficult



                      • it's not the Unix security model. Sure you could change the permissions on some executables (see earlier note about parameters). But if you're security conscious, you apply patches regularly - which can undermine a customized permissions model (sudo OTOH maintains its permissions independently of the commands themselves).





                      share|improve this answer




















                      • ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                        – KnowledgeBeyondMe
                        Oct 2 '17 at 16:22














                      up vote
                      0
                      down vote













                      sudo allows you to run a program as a different user (including root) based on a configurable, predefined set of rules.



                      On a Unix/POSIX/Linux system root is god. The root user is also singular.



                      In many environments there are multiple admins who might require full root access, but there can be also be individuals who require access to do some specific function usually reserved for root; DBAs need to stop and start DB services, edit DB config fules, network administrators need to configure network devices and routes, security administrators need to manage certificates and configure firewalls.



                      By constraining what commands a person can run, sudo applies the principle of least privilege - users don't get access they don't need. But its not just constraining the binaries users run. Many admin tasks are carried out from the command line - and the paramters passed to that command can also be constrained by sudo (or captured in a shell script with access provided by sudo) hence it is possible to restrict the data / devices that these specialized admins can access.




                      Why can't you just give yourself permissions under your user name?




                      1) this would be bad.



                      • I have often had access to the root account on systems - but I aways set up a named account to use for login, and only 'su' or 'sudo' when I want to explitily invoke my super powers. In addition to avoiding silly mistakes, my named account provides a sandbox for any misbehaving components.


                      • what if there are 5 people who need the privileged access, do I grant it to each and every one? What about 20? what about 200?


                      2) this would be difficult



                      • it's not the Unix security model. Sure you could change the permissions on some executables (see earlier note about parameters). But if you're security conscious, you apply patches regularly - which can undermine a customized permissions model (sudo OTOH maintains its permissions independently of the commands themselves).





                      share|improve this answer




















                      • ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                        – KnowledgeBeyondMe
                        Oct 2 '17 at 16:22












                      up vote
                      0
                      down vote










                      up vote
                      0
                      down vote









                      sudo allows you to run a program as a different user (including root) based on a configurable, predefined set of rules.



                      On a Unix/POSIX/Linux system root is god. The root user is also singular.



                      In many environments there are multiple admins who might require full root access, but there can be also be individuals who require access to do some specific function usually reserved for root; DBAs need to stop and start DB services, edit DB config fules, network administrators need to configure network devices and routes, security administrators need to manage certificates and configure firewalls.



                      By constraining what commands a person can run, sudo applies the principle of least privilege - users don't get access they don't need. But its not just constraining the binaries users run. Many admin tasks are carried out from the command line - and the paramters passed to that command can also be constrained by sudo (or captured in a shell script with access provided by sudo) hence it is possible to restrict the data / devices that these specialized admins can access.




                      Why can't you just give yourself permissions under your user name?




                      1) this would be bad.



                      • I have often had access to the root account on systems - but I aways set up a named account to use for login, and only 'su' or 'sudo' when I want to explitily invoke my super powers. In addition to avoiding silly mistakes, my named account provides a sandbox for any misbehaving components.


                      • what if there are 5 people who need the privileged access, do I grant it to each and every one? What about 20? what about 200?


                      2) this would be difficult



                      • it's not the Unix security model. Sure you could change the permissions on some executables (see earlier note about parameters). But if you're security conscious, you apply patches regularly - which can undermine a customized permissions model (sudo OTOH maintains its permissions independently of the commands themselves).





                      share|improve this answer












                      sudo allows you to run a program as a different user (including root) based on a configurable, predefined set of rules.



                      On a Unix/POSIX/Linux system root is god. The root user is also singular.



                      In many environments there are multiple admins who might require full root access, but there can be also be individuals who require access to do some specific function usually reserved for root; DBAs need to stop and start DB services, edit DB config fules, network administrators need to configure network devices and routes, security administrators need to manage certificates and configure firewalls.



                      By constraining what commands a person can run, sudo applies the principle of least privilege - users don't get access they don't need. But its not just constraining the binaries users run. Many admin tasks are carried out from the command line - and the paramters passed to that command can also be constrained by sudo (or captured in a shell script with access provided by sudo) hence it is possible to restrict the data / devices that these specialized admins can access.




                      Why can't you just give yourself permissions under your user name?




                      1) this would be bad.



                      • I have often had access to the root account on systems - but I aways set up a named account to use for login, and only 'su' or 'sudo' when I want to explitily invoke my super powers. In addition to avoiding silly mistakes, my named account provides a sandbox for any misbehaving components.


                      • what if there are 5 people who need the privileged access, do I grant it to each and every one? What about 20? what about 200?


                      2) this would be difficult



                      • it's not the Unix security model. Sure you could change the permissions on some executables (see earlier note about parameters). But if you're security conscious, you apply patches regularly - which can undermine a customized permissions model (sudo OTOH maintains its permissions independently of the commands themselves).






                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Oct 2 '17 at 15:01









                      symcbean

                      2,24911121




                      2,24911121











                      • ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                        – KnowledgeBeyondMe
                        Oct 2 '17 at 16:22
















                      • ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                        – KnowledgeBeyondMe
                        Oct 2 '17 at 16:22















                      ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                      – KnowledgeBeyondMe
                      Oct 2 '17 at 16:22




                      ahhh, this is why Linux is a bit more difficult to attack. Less people with rights. The attacker would have to find the right person with the right rights. per se.
                      – KnowledgeBeyondMe
                      Oct 2 '17 at 16:22

















                       

                      draft saved


                      draft discarded















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f395548%2fwhat-does-sudo-mean-and-do%23new-answer', 'question_page');

                      );

                      Post as a guest













































































                      Popular posts from this blog

                      How to check contact read email or not when send email to Individual?

                      Displaying single band from multi-band raster using QGIS

                      How many registers does an x86_64 CPU actually have?