From FreeBSDwiki

sudo allows a user to run a program or perform a task without having to log in as root directly or even knowing the root password. sudo works by authenticating the user (with the user's own password) and checking the /usr/local/etc/sudoers file, which grants specific rights to run commands through sudo. Note that you have to use visudo to edit the sudoers file, and that you have to do it as root; you can't do it any other way. Apple's Mac OS X, based on the BSD Darwin kernel, has the root user disabled by default, and the only way to get root-level access to commands on the OS X command line (in a terminal or from the command-line console) is by using sudo.

Good side of sudo

It limits access to the root password, while still enabling administrative functions.

Very configurable: it allows you to specify which groups or specific users have access to specific files or functions.

Bad side of sudo

Difficult to configure correctly (or rather, really easy to misconfigure if you're not sure of what you're doing).


1. You can use the -u flag to set a user to run as. (e.g.: sudo -u named /usr/local/sbin/rndc reload)

2. sudo is a setuid binary. Be careful what you set as sudo-able; if you let sudo run interactive commands (e.g., shells, editors, compilers/interpreters), users will be able to exploit this to inconspicuously run arbitrary commands as root. Similarly, make very certain that users don't have write permissions on any file they are allowed to use sudo to run. For more information on how to limit sudo, see Configuring_sudo.
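One way to check a list of sudo-able command paths for the two problems in note 2 (an added example, not part of the original wiki page). The function names, the TRUSTED_UID variable and the list of interactive program names are assumptions of this sketch, and the name list is only a sample.

```sh
#!/bin/sh
# Added example: audit command paths that a sudoers rule would allow.
# Feed audit_list one absolute path per line, taken from your sudoers entries.
# TRUSTED_UID is an assumption of this sketch (default 0 = root).
TRUSTED_UID="${TRUSTED_UID:-0}"

# Non-exhaustive sample of programs that can start arbitrary commands.
is_interactive() {
    case "$(basename "$1")" in
        sh|bash|csh|tcsh|zsh|ksh|vi|vim|ee|emacs|nano|less|more) return 0 ;;
        perl|python*|ruby|awk|cc|gcc|clang|make|gdb) return 0 ;;
    esac
    return 1
}

# True if $1 is not owned by TRUSTED_UID, or is group- or world-writable.
is_loose() {
    [ -n "$(find "$1" -prune \( ! -user "$TRUSTED_UID" \
        -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Prints "path: findings" and returns 1 if the path is risky to allow.
audit_cmd() {
    cmd=$1
    findings=""
    if is_interactive "$cmd"; then findings="$findings interactive"; fi
    # A writable file can be edited; a writable directory lets it be replaced.
    if [ -e "$cmd" ] && is_loose "$cmd"; then
        findings="$findings file-writable"
    fi
    if is_loose "$(dirname "$cmd")"; then
        findings="$findings dir-writable"
    fi
    if [ -n "$findings" ]; then
        echo "$cmd:$findings"
        return 1
    fi
    return 0
}

# Reads paths from stdin; returns 1 if any of them was flagged.
audit_list() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        audit_cmd "$path" || rc=1
    done
    return $rc
}
```

Only the command's own directory is checked, not every directory above it, and a clean result does not prove that a program has no way to run other commands.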
