360
Information Security

Sudo

What Is It?

Sudo (Substitute User DO) is a program that allows a user to temporarily run certain commands on a system with the security privileges of another user. It was first created by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at State University of New York/Buffalo. Today it is maintained by Todd C. Miller.

How did it come about?

We asked Bob Coggeshall about the genesis of sudo. Like his software, the answer was refreshingly utilitarian. "With the existing super-user access control command, 'su', one would tend to do everything as super-user whether it was necessary or not. Sudo addressed this by (pronounced like 'voodoo') giving sysadmins a convenient way to do something as super-user on a per-command basis."

Where would I use it?

We recommend sudo widely, but its use can be generalised to 2 situations.

Investing time up front to partition applications, particularly those offering services to the internet at large, makes sense. This usually means dedicating a non-login user-id to each service, and may mean chrooted environments or jails. In environments like these, judicious use of Unix built-in privilege systems can be greatly enhanced by using sudo.

Large server estates can be managed by small sysadmin teams if they are set up consistently. Sudo allows for a granular solution to the "many root users" problem, which is as old as multiuser environments themselves. In fact, it is only recently that many operating systems have implemented granular ACLs and role-based access control, and we have yet to see adoption; what's more, every vendor has done RBAC and ACLs differently. Sudo is a cross-platform solution to many of these problems.

Why is it so good?

Sudo is one of those utilities that should have been included with every multiuser OS, but somehow got missed.

  • It is cross-platform, running on every kind of UNIX, unlike many vendor-authored tools and proprietary extensions. Windows users are not forgotten, as there is now a version for their systems, "sudowin".
  • It is unobtrusive when you want it to be and "the right kind of obtrusive" when you don't.
  • It's small, just a few thousand lines, so has very few bugs.
  • Sudo enables so many other good practices: chroot environments, role-based access control, better use of groups.
  • Sudo provides an audit trail.
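
To show what that audit trail looks like in practice, here is an added example (not from the original page or the sudo project) that parses sudo's default syslog entries, counts permitted commands per user, and flags denied attempts and root shells, which undo the per-command control described above. The host, users and log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample in the syslog layout sudo writes by default.
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Mar  3 09:20:41 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/www ; USER=www-data ; COMMAND=/usr/local/bin/deploy-site
Mar  3 10:02:17 web01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Mar  3 10:45:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 11:00:00 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10
"""

LINE_RE = re.compile(r"sudo:\s+(?P<invoker>\S+) : (?P<body>.*)$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}


def parse_sudo_line(line):
    """Parse one sudo log line into a dict; return None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND= is the last field, and the command itself may contain " ; ".
    head, _, command = m.group("body").partition("COMMAND=")
    rec = {"invoker": m.group("invoker"), "error": None, "command": command}
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            rec[key.lower()] = value      # tty, pwd, user (the run-as user)
        else:
            rec["error"] = part           # e.g. "command not allowed"
    return rec


def audit(log_text):
    """Return (permitted-command counts per (invoker, run-as), findings)."""
    counts, findings = Counter(), []
    for rec in filter(None, map(parse_sudo_line, log_text.splitlines())):
        who, cmd = rec["invoker"], rec["command"]
        if rec["error"]:
            findings.append((who, "denied: " + rec["error"], cmd))
            continue
        counts[(who, rec.get("user", "root"))] += 1
        program = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        # A root shell sidesteps per-command control and per-command logging.
        if rec.get("user") == "root" and program in SHELLS:
            findings.append((who, "root shell", cmd))
    return counts, findings
```

Calling audit(SAMPLE_LOG) returns the per-user counts and the list of findings; point it at the file your syslog configuration routes sudo messages to.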

Who uses it?

A quick Google search of Usenet newsgroups and mailing list archives will reveal that sudo is almost ubiquitous.

Where do I start?

http://linsec.ca/syshardening/sudo.php