The sudo command allows an administrator to set up a configuration file called /etc/sudoers and define specific commands that particular users are permitted to execute under an assumed identity.
The sudo command is like su in many ways but has some important additional capabilities. The administrator can configure sudo to allow an ordinary user to execute commands as a different user (usually the superuser) in a controlled way. In particular, a user may be restricted to one or more specific commands and no others. Another important difference is that the use of sudo does not require access to the superuser’s password. Authenticating using sudo requires the user’s own password. Let’s say, for example, that sudo has been configured to allow us to run a fictitious backup program called backup_script, which requires superuser privileges. With sudo it would be done like this:
$ sudo backup_script Password: System Backup Starting...
After entering the command, we are prompted for our password (not the superuser’s), and once the authentication is complete, the specified command is carried out.
sudo V/s su
One important difference between su and sudo is that sudo does not start a new shell, nor does it load another user’s environment. This means that commands do not need to be quoted any differently than they would be without using sudo. Note that this behavior can be overridden by specifying various options. Note, too, that sudo can be used to start an interactive superuser session (much like su -) by specifying the -i option. See the sudo man page for details.
To see what privileges are granted by sudo, use the -l option to list them.
$ sudo -l User me may run the following commands on this host: (ALL) ALL
sudo Command Examples
1. To list the present sudo status for the user:
# sudo -l # sudo -U santosh -l (for specific user)
2. To long list the output:
# sudo –U santosh -ll
3. To remove users cached credentials:
# sudo -k
4. To get a file listing of an unreadable directory:
# sudo ls /usr/local/protected
5. To view system logs only accessible to root and users in the adm group:
# sudo -g adm view /var/log/syslog
6. To shut down a machine:
# sudo shutdown -r +15 "quick reboot"
7. To run the command in background:
# sudo -b mount /dev/cdrom /DVD
8. To run the command as another user:
# sudo –u oracle /xyz/abc.sh
9. To execute the given command by setting the primary group to the given group:
# sudo –g DBA /xyz/abc.sh
10. To validate the user credentials:
# sudo –v ### updates his cached credentials, like if password has been changed.
If you are allowed, sudo executes the command as the superuser. Authorized users of sudo and the commands they are permitted to execute are listed in the sudo configuration file, /etc/sudoers. If an unauthorized user attempts to run a command, sudo will inform an administrator via email. By default, it will send the message to the root account. Users attempting to run commands are prompted for their passwords. Once authenticated, sudo sets a timestamp for the user. For five minutes from the timestamp, the user may execute further commands without being prompted for her password. This grace period may be overridden by settings in the /etc/sudoers file. Also see /etc/sudoers for configuration examples.