sudo Command in Linux with Examples
The sudo (short for Superuser Do) command is one of the most important commands in Linux. It's a prefix you add to other commands to run them with the administrative privileges of another user (by default, the root user).
It is the secure way to handle administrative tasks. You use sudo because:
- It's Safer: You don't need to log in as the all-powerful root user for simple tasks. You just "borrow" root's power for one command.
- It's Auditable: When a user runs a sudo command, it's logged in /var/log/auth.log. This creates an audit trail, so you know who ran what command and when.
- It's Granular: The system administrator can precisely control which users can run which commands using the sudoers file.
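To make the audit-trail point concrete, the following added example (not part of the original article) turns sudo's log entries into "who ran what, as whom, and when" records and counts failed attempts per user. The function names and the sample log lines are constructed for illustration, and the parser assumes the classic syslog timestamp layout.

```shell
#!/bin/sh
# Added example. The log lines below are constructed; the layout is the
# classic syslog format sudo writes:
#   user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...
sample_log() {
  cat <<'EOF'
Jan 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 12 10:15:01 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jan 12 10:16:22 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 10:17:40 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 12 10:18:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=postgres ; COMMAND=/usr/bin/psql
EOF
}

# Print one line per sudo command event: when|who|run-as|status|command
# Reads the files given as arguments, or standard input if none are given.
sudo_events() {
  awk '
    / sudo: / && /; COMMAND=/ {            # skip PAM session lines
      when = $1 " " $2 " " $3
      rest = substr($0, index($0, " sudo: ") + 7)
      sub(/^ +/, "", rest)                 # sudo pads the user name
      sep = index(rest, " : ")
      who = substr(rest, 1, sep - 1)       # invoking user
      detail = substr(rest, sep + 3)
      status = "ALLOWED"
      if (detail !~ /^(TTY|PWD)=/) {       # failures put a reason first
        status = "FAILED(" substr(detail, 1, index(detail, " ;") - 1) ")"
      }
      runas = substr(detail, index(detail, "; USER=") + 7)
      sub(/ ;.*/, "", runas)               # target user
      cmd = substr(detail, index(detail, "; COMMAND=") + 10)
      print when "|" who "|" runas "|" status "|" cmd
    }' "$@"
}

# Count failed sudo attempts per invoking user (input for an alert rule).
sudo_failures() {
  sudo_events "$@" | awk -F'|' '$4 != "ALLOWED" { n[$2]++ }
    END { for (u in n) print u, n[u] }' | sort
}

sample_log | sudo_events
```

On a real host, pass the log file instead of the sample, for example `sudo_events /var/log/auth.log`; reading that file typically requires elevated privileges.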
Syntax for sudo command:
sudo -V | -h | -l | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] | [ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ] [ -u username|#uid ] command
sudo vs. su (The Critical Difference)
This is the most important concept to understand.
- su (Substitute User):
  - Goal: To become another user (e.g., su -).
  - Password: Asks for the TARGET USER'S password (e.g., the root password).
  - Why it's less secure: It requires sharing the root password, which is a bad practice.
- sudo (Superuser Do):
  - Goal: To run a command as another user.
  - Password: Asks for YOUR OWN password.
  - Why it's more secure: It proves you are at the keyboard, and the system checks if you are authorized. The root password is never shared.
Options Available in the sudo Command
| Options | Description | Syntax |
|---|---|---|
| -V | The -V (version) option causes sudo to print the version number and exit. If the invoking user is already root, the -V option will print out a list of the defaults sudo was compiled with. | sudo -V |
| -l | The -l (list) option will print out the commands allowed (and forbidden) to the user on the current host. | sudo -l |
| -h or --help | The -h (help) option causes sudo to print a usage message and exit. | sudo -h |
| -v | If given the -v (validate) option, sudo will update the user's timestamp, prompting for the user's password if necessary. This extends the sudo timeout for another 5 minutes (or as given in sudoers) but does not run a command. This does not give any output. | sudo -v |
| -k | The -k (kill) option to sudo invalidates the user's timestamp. So, the next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a logout file. | sudo -k |
| -K | Similar to the -k option, the -K (sure kill) option is used to remove the user's timestamp entirely. Likewise, this option does not require a password. | sudo -K |
| -b | The -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process. | sudo -b [command] (replace "command" with the command you want to run in the background) |
| -p | The -p (prompt) option allows you to customize the password prompt that sudo displays when it requests the user's password. By default, sudo will display a generic password prompt that looks like | sudo -p "Enter your password" [command] (replace "command" with the command you want to run) |
| -n | The -n (non-interactive) option prevents sudo from prompting for a password; if a password is required, sudo exits with an error instead of running the command. This option is useful when running sudo commands as background jobs or in a shell script. | sudo -n [command] (replace "command" with the command you want to run) |
| -u | The -u option causes sudo to run the specified command as a user other than root. To specify a UID instead of a username, use #uid. | sudo -u [user] [command] (replace "user" with the target user and "command" with the command you want to run) |
| -s | The -s option runs the shell specified by the SHELL environment variable if it is set, or the shell specified in the passwd file. | sudo -s [command] (replace "command" with the command you want to run) |
| -H | The -H option sets the HOME environment variable to the home directory of the target user (root by default) as specified in passwd. By default, sudo does not modify HOME. | sudo -H [command] (replace "command" with the command you want to run) |
| -S | The -S option causes sudo to read the password from standard input instead of the terminal device. | sudo -S [command] (replace "command" with the command you want to run) |
| -a | The -a option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry in /etc/login.conf. | sudo -a [auth-type] [command] (replace "command" with the command you want to run) |
| -- | The -- flag indicates that sudo should stop processing command line arguments. It is most useful in conjunction with the -s flag. | sudo -- [command] (replace "command" with the command you want to run) |
The output of a few commands
1. sudo -v (validate): This will "validate" your sudo timestamp, resetting the 5-15 minute timer without running a command.

2. sudo -l (list): The -l option will print out the commands allowed (and forbidden) to the user on the current host.

3. sudo -h or sudo --help (help): The -h option causes sudo to print a usage message and exit.

Environment Variables
These environment variables are used by sudo:
| Variable | Description |
|---|---|
| EDITOR | Default editor to use in -e (sudoedit) mode if VISUAL is not set |
| HOME | In -s or -H mode (or if sudo was configured with the --enable-shell-sets-home option), set to homedir of the target user |
| PATH | Set to a sane value if the secure_path sudoers option is set. |
| SHELL | Used to determine shell to run with -s option |
| SUDO_PROMPT | Used as the default password prompt |
| SUDO_COMMAND | Set to the command run by sudo |
| SUDO_USER | Set to the login of the user who invoked sudo |
| SUDO_UID | Set to the uid of the user who invoked sudo |
| SUDO_GID | Set to the gid of the user who invoked sudo |
| SUDO_PS1 | If set, PS1 will be set to its value |
| USER | Set to the target user (root unless the -u option is specified) |
| VISUAL | Default editor to use in -e (sudoedit) mode |