sudo
This subchapter looks at sudo, a UNIX (and Linux) command.
WARNING: Never trust any Terminal/Shell commands you find on the internet. Only run shell commands you understand. In particular, never run anything that includes sudo anywhere in the command line unless you are absolutely certain what the command does. When you run a command line with sudo you are giving permission to have complete (possibly destructive) control of your computer at the root level. And, yes, this advice applies even to this website. Don't run any commands with sudo unless you know for sure what you are doing.
sudo
The sudo command allows you to run a single command as another user, including at superuser or root level from a normal account. You will be asked for the password before the command will actually run.
This keeps you firmly in a normal account (with less danger of catastrophic failures), while still giving easy access to root or superuser power when really needed.
The sudo program was originally written by Bob Coggeshall and Cliff Spencer in 1980 at the Department of Computer Science at SUNY/Buffalo.
sudo is a concatenation of su (substitute user) and do (perform an action).
To run a single command as superuser or root, type sudo followed by a command.
$ sudo command
You will normally be asked for your password (exceptions listed below).
sudo can be configured to not require a password (a very bad idea except on single-user personal systems). sudo can also be configured to require the root password (rather than the current user's password).
On Mac OS X the sudo command will fail if your account has no password.
On Mac OS X the sudo command's password prompt will not display anything (not even bullets or asterisks) while you type your password.
You will not be asked for a password if you use sudo from the root or superuser account. You will not be asked for a password if you use sudo and the target user is the same as the invoking user.
Some systems have a timer set (usually five minutes). You can run additional sudo commands without a password during the time period.
run in root shell
To change into a root shell, type sudo followed by the option -s. The following warning is from Mac OS X (a root shell was entered and then immediately exited back to the normal shell). Note the change to the pound sign ( # ) prompt.
$ sudo -s
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
bash-3.2# exit
$
other users
To run a command as another user, type sudo followed by the option -u followed by the user account name followed by a command.
$ sudo -u username command
To view the home directory of a particular user:
$ sudo -u username ls ~username
edit files as www
To edit a file (this example is for index.html) as user www:
$ sudo -u www vim ~www/htdocs/index.html
which password
On most systems, you will authenticate with your own password rather than with the root or superuser password. The list of users authorized to run sudo is in the file /usr/local/etc/sudoers or /etc/sudoers (on Mac OS X, /private/etc/sudoers). These authorized users are identified in the sudoers file as admin.
The sudoers configuration file offers a wide variety of configuration options, including allowing root commands only from the invoking terminal; not requiring a password for certain commands; requiring a password per user or per group; requiring re-entry of a password every time for particular command lines; never requiring re-entry of a password for a particular command line. The sudoers configuration file can also be set to support the passing of arguments or multiple commands, and also supports commands with regular expressions.
timeout
sudo can set timeout limits. This is done with the timeout option. This can be configured globally, per user, or per application. The timeout can be retained only per tty or globally per user. The user or application only has root authentication until the timeout occurs.
forgot to use sudo
Sometimes you type a command and forget that you needed to use sudo until you see the error message. You can type sudo !! to run the previous command with root privileges.
$ head /etc/passwd
head: /etc/passwd: Permission denied
$ sudo !!
unreadable directories
To view unreadable directories:
$ sudo ls /usr/local/protected
shutdown
To shut down a server (here, a reboot scheduled 15 minutes from now, with a message broadcast to logged-in users):
$ sudo shutdown -r +15 "quick reboot"
saving system file in vim
The ideal method for editing and saving a system file that can only be saved by the root user is to prepend the vim command with sudo. Then the vim command :w will work because the vim program was launched with root privileges.
$ sudo vim /etc/passwd
   ...some editing commands...
   :w
So, what do you do if you start editing the file and then remember that you need root permission to save it? Add !sudo tee % to the vim save command: vim pipes the buffer to the command after the !, % expands to the current file name, and tee (started as root by sudo) writes the buffer into that file.
$ vim /etc/passwd
   ...some editing commands...
   :w !sudo tee %
usage listing
To make a usage listing of the directories in the /home partition (note that this runs the commands in a sub-shell to make the cd and file redirection work):
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
view sudoers configuration
To view the sudoers configuration settings that apply to you (the invoking user), in long format, type:
$ sudo -ll
editing sudoers file
Run the visudo command line tool to safely edit the sudoers configuration file. You will be presented with the vi editing interface (this can be changed by setting the shell EDITOR environment variable to a different text editor, such as emacs).
Any syntax error in the sudoers configuration file will make sudo stop working globally. Therefore, always use visudo to edit the sudoers file. visudo also provides security locks to prevent multiple simultaneous edits and other possible security problems.
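The "which password", "timeout" and "editing sudoers file" sections above describe sudoers options in prose. The following shell script is an added example, not code from the original page: it writes a constructed sudoers fragment that places a weak rule next to safer equivalents of the options described (per-terminal credential caching, a 5-minute timeout, a password-free rule limited to one command, mail to root on bad attempts, and the NOEXEC tag that blocks editor shell escapes), syntax-checks it with visudo's check mode when visudo is installed, and then lints it for the rules a reviewer would question. The directive names are real sudoers syntax; the group "ops", the user "alice" and the file paths are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Writes a constructed sudoers
# fragment (weak rule beside safer ones), checks it with visudo when
# available, and flags risky rules. Names and paths are made up.

write_sample_sudoers() {
    # $1 = path to write. Constructed sample, not any real system's file.
    cat > "$1" <<'EOF'
# Weak: every member of group ops may run anything as root, no password.
%ops    ALL=(ALL) NOPASSWD: ALL

# Safer equivalents of the options described in the text:
# re-authenticate after 5 minutes, and cache the credential per terminal
Defaults    timestamp_timeout=5
Defaults    tty_tickets
# mail root on wrong passwords and on attempts by users not in sudoers
Defaults    mail_badpass
Defaults    mail_no_user
Defaults    logfile=/var/log/sudo.log
# only one named command runs without a password
Cmnd_Alias  SERVICES = /usr/sbin/service
%ops    ALL=(root) NOPASSWD: SERVICES

# Editors have shell escapes; the NOEXEC tag blocks them for this rule.
alice   ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
EOF
}

check_sudoers_syntax() {
    # $1 = file. Uses visudo's check mode on a named file when visudo is
    # installed; otherwise says the check was skipped. A syntax error in the
    # live sudoers file disables sudo entirely, which is why visudo exists.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed here; syntax not checked"
    fi
}

audit_sudoers() {
    # $1 = sudoers file. Prints one finding per risky rule and returns 1 if
    # anything was found, 0 if clean. Comments are stripped first so a
    # commented-out rule is not reported.
    sed 's/#.*//; /^[[:space:]]*$/d' "$1" | awk '
        /NOPASSWD:[[:space:]]*ALL([[:space:]]|$)/ {
            print "NOPASSWD with ALL: " $0; n++ }
        /![[:space:]]*authenticate/ {
            print "authentication disabled: " $0; n++ }
        /\/(vi|vim|nano|less|more)([[:space:]]|$)/ && !/NOEXEC:/ {
            print "editor without NOEXEC (shell escape risk): " $0; n++ }
        END { exit (n > 0) }'
}

# Usage: build the sample, check its syntax, then audit it.
f=$(mktemp)
write_sample_sudoers "$f"
check_sudoers_syntax "$f"
audit_sudoers "$f" || echo "review the findings above before installing this file"
rm -f "$f"
```

Only the first rule is reported: the second "%ops" line is password-free but limited to one command, and the vim rule carries NOEXEC. Run the audit against a real file with `audit_sudoers /etc/sudoers` (as root) to get the same report; the patterns are deliberately narrow and will not catch every unsafe rule, so treat a clean result as a starting point for review rather than a verdict.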
graphic equivalents
The utilities kdesudo (KDE) and gksudo (Gnome) provide a graphic user interface version of sudo (both are based on sudo). Mac OS X Authorization Services provides a graphic user interface with administrative privileges (but is not based on the UNIX sudo).
start a shell as root
If you need to do extended work as root, you can start up a root shell from your user account:
$ sudo bash
running commands as root
sudo only works for programs (executable files), not for shell built-in commands such as cd. If you attempt it, you will get an error message stating command not found. The solution is to start a root shell:
$ sudo bash
security
The system can be set up to send mail to root informing it of unauthorized attempts at using sudo.
The system can be set up to log both successful and unsuccessful attempts to sudo.
Some programs (such as editors) allow a user to run commands via shell escapes, bypassing sudo's command restrictions. You can use sudo's noexec functionality to prevent shell escapes.
sudo never does any validation of the ARGUMENTS passed to a program.
sudo defaults to extensive logging, using the syslogd system log daemon to log all commands issued with sudo to a central host and a local host file. This allows a complete audit trail of system access.
A system can be set up so that all machines in a network use the same sudoers file, allowing better central administration of the network.
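The security section above says sudo logs successful and unsuccessful attempts through syslogd, which is only useful if someone reads the log. The shell script below is an added example, not code from the original page: it scans a few constructed syslog lines for the events a defender would alert on, namely rejected attempts (user not in sudoers, too many wrong passwords, command not allowed by the rules) and successful runs whose COMMAND is a shell, after which sudo's per-command audit trail stops. The line layout and the three rejection phrases are the ones sudo actually writes to syslog; the host name "web01", the user names and the commands are assumptions made up for the sample.

```shell
#!/bin/sh
# Added example, not from the original page: scan sudo's syslog lines for
# rejected attempts and for root shells. The sample log is constructed;
# the layout and the rejection phrases match what sudo really logs.

write_sample_log() {
    # $1 = path to write the constructed sample log to
    cat > "$1" <<'EOF'
Mar  3 10:01:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:02:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:05 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:05:17 web01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Mar  3 10:06:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Mar  3 10:07:30 web01 sshd[412]: Accepted publickey for alice from 10.0.0.5 port 51022
EOF
}

sudo_failures() {
    # $1 = log file. Prints "user<TAB>reason" for every rejected sudo
    # attempt. sudo's lines are "... sudo: USER : REASON ; TTY=... ;
    # COMMAND=...", so splitting on " : " puts the user in $1 and the
    # reason (or, for a success, "TTY=...") in $2.
    grep ' sudo:' "$1" | awk -F' : ' '
        $2 ~ /NOT in sudoers|incorrect password attempts|command not allowed/ {
            user = $1; sub(/.*sudo:[[:space:]]*/, "", user)
            reason = $2; sub(/ ;.*/, "", reason)
            print user "\t" reason
        }'
}

sudo_root_shells() {
    # $1 = log file. Prints "user<TAB>command" for successful sudo runs whose
    # command is a shell (sudo -s, sudo -i and sudo bash all log the shell
    # path as COMMAND). From then on the individual commands are not logged.
    grep ' sudo:' "$1" | awk -F' : ' '
        $2 ~ /^TTY=/ && $2 ~ /COMMAND=(\/usr)?\/bin\/(sh|bash|zsh|dash)([[:space:]]|$)/ {
            user = $1; sub(/.*sudo:[[:space:]]*/, "", user)
            cmd = $2; sub(/.*COMMAND=/, "", cmd)
            print user "\t" cmd
        }'
}

# Usage: write the sample, then report both kinds of event.
log=$(mktemp)
write_sample_log "$log"
echo "rejected sudo attempts (user, reason):"
sudo_failures "$log"
echo "root shells started via sudo (user, command):"
sudo_root_shells "$log"
rm -f "$log"
```

On the sample this reports bob (not in sudoers), alice (3 incorrect password attempts) and carol (command not allowed), and flags alice's /bin/sh. Point the functions at the real file (/var/log/auth.log or /var/log/secure on most Linux systems) for the same report; the sshd line shows that non-sudo entries are ignored.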
trace
You can't sudo strace (fill in the rest of the command any way you want) because sudo can't gain its privileges while being traced.
polkit alternative
polkit (formerly PolicyKit) is an alternative control component for system-wide privileges.
other
In June 2009, Ken Milberg named this command as one of the Top 50 universal UNIX commands at the web page Top 50 Universal UNIX commands. Note that this web page requires agreeing to be spammed before you can read it.
comments, suggestions, corrections, criticisms
This section is under the category of owning criticism.
In response to a posting about my article collecting social media, Moderator +Andrew Smith (Technology addict, Web Developer, API guru, futsal and football wannabe, and all round nice guy!, Swordfox Design, arrowtown, new zealand) of the Google+ community Web Developers, Web Designers, Web Coding claims "Quite frankly this is self promotion, and your site is not of great quality. I can see how +Joost Schuur would think this of not high enough a standard."
Because I no longer have the computer and software to make PDFs, the book is available as an HTML file, which you can convert into a PDF.
Names and logos of various OSs are trademarks of their respective owners.