Sudo - a utility to allow restricted root access
Updated for sudo 1.5.9p2
Sudo (superuser do) allows a system administrator to give
certain users (or groups of users) the ability to run some
(or all) commands as root while logging all commands and arguments.
Sudo operates on a per-command basis; it is not a replacement
for the shell. Its features include:
- The ability to restrict what commands a user may run
on a per-host basis.
- Sudo does copious logging of each command, providing a
clear audit trail of who did what. When used in tandem
with syslogd, the system log daemon, sudo can log all
commands to a central host (as well as on the local host).
At CU, all admins use sudo in lieu of a root shell
to take advantage of this logging.
- Sudo uses timestamp files to implement a "ticketing" system.
When a user invokes sudo and enters their password,
they are granted a ticket for 5 minutes (this timeout
is configurable at compile-time). Each subsequent sudo
command updates the ticket for another 5 minutes.
This avoids the problem of leaving a root shell
where others can physically get to your keyboard.
There is also an easy way for a user to remove their ticket
file, useful for placing in a .logout file.
- Sudo's configuration file, the sudoers
file, is set up in such a way that the same sudoers file
may be used on many machines. This allows for central
administration while keeping the flexibility to define
a user's privileges on a per-host basis. Please see
the sample sudoers file below for a real-world example.
To get a good idea of what sudo can do, you really need to take a
look at a sample sudoers file.
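A sketch of the shared, per-host sudoers layout described in the feature list above. This is an added example, not the sample file shipped with the sudo distribution; every user name, host name and command path in it is hypothetical.

```sudoers
# Constructed example: all users, hosts and paths below are hypothetical.
# The same file is installed unchanged on every machine; sudo applies
# only the entries whose host list matches the local host name.

# Groups of hosts.
Host_Alias  WEBSERVERS = www1, www2
Host_Alias  MAILHOSTS  = mail1

# Groups of users.
User_Alias  FULLADMINS = alice
User_Alias  WEBADMINS  = bob, carol

# Groups of commands, always given by full path so that a look-alike
# binary earlier in the user's PATH cannot be substituted.
Cmnd_Alias  WEBCTL  = /usr/local/sbin/apachectl
Cmnd_Alias  MAILCTL = /usr/bin/mailq, /usr/bin/newaliases

# Full administrators: any command on any host. Each command still goes
# through sudo, so each one is logged with the invoking user's name.
FULLADMINS  ALL = ALL

# Web administrators: one command, and only on the web servers.
# On mail1 this entry does not match and bob gets nothing.
WEBADMINS   WEBSERVERS = WEBCTL

# A single user limited to mail queue maintenance on the mail host.
dave        MAILHOSTS = MAILCTL
```

Edit the file with visudo so that a syntax error is caught before the file is distributed to other hosts.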
Current version
Currently the newest (non-BETA) sudo is version
1.5.9p2.
The latest beta release is
1.6beta4.
For a full list of changes between versions 1.5.8 and 1.5.9p2 you should
consult the CHANGES file that is included with the sudo
distribution. A short summary of major
changes is also available.
Sudo and the year 2000
Sudo deals with dates in UN*X time format (seconds since
0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal
Time) and thus should not have problems with the year 2000. Note however,
that sudo comes with NO
WARRANTY.
It is expected that sudo will not be
vulnerable to the "year 2038" bug on systems that have
64-bit time_t types. Note that most (if not all) current
UN*X implementations have a 32-bit time_t and so will have
problems when time_t turns over on January 19, 2038. This
is not, however, a sudo bug.
Please do not ask me to sign any papers with respect to Y2K compliance.
I cannot do so as it would imply a warranty and I cannot be held
liable for a free product that I get no money for (and the LICENSE that sudo comes with clearly states
that it is not warrantied). Not only that, but because sudo
is distributed in source form, it is not possible for me to test
for Y2K compliance on every platform even if I wanted to. I'm sorry
if this is inconvenient for you.
Supported Platforms
Sudo runs on a wide variety of UN*X platforms. It should run on
just about any UN*X variant with a working C compiler.
Sudo has been tested on the
following platforms.
If you compile sudo on another platform
(or are able to port it), please send a message to
sudo-bugs@courtesan.com.
Please take a look at the latest beta version before
undertaking a new port; the work may already be done for you.
Documentation
HTML versions of the man pages for sudo,
visudo, and the sudoers
file are available. Also, please see the README,
INSTALL, and TROUBLESHOOTING
files.
Alek Komarnitsky
has a nice
slide show
on how to use sudo in a large, heterogeneous environment.
Mailing lists
There are two mailing lists dedicated to sudo.
The sudo-announce list is a moderated list
that consists solely of new version announcements as well as bug fixes.
The sudo-workers list is for people porting, hacking on, or
generally improving sudo. It is also where the beta version
announcements are sent. This is an unmoderated list. To
subscribe to either list, simply send mail to
majordomo@cs.colorado.edu
with no subject and the following line in the body of the message:
"subscribe LISTNAME" where LISTNAME is either sudo-announce
or sudo-workers.
Bug Reports
Please report all bugs in sudo as well as new ports to
sudo-bugs@courtesan.com.
You'll need to include the version of sudo you are using and
the OS/hardware combination.
Support
Sudo is supported via
sudo-bugs@courtesan.com.
I try to respond in a timely manner, but please remember that sudo
is free software.
The sudo-workers mailing list may also be helpful
for someone porting sudo to a new OS.
Development Platforms
The primary development platforms for sudo are
OpenBSD 2.5 and OS/MP
4.1C (a variant of SunOS 4.1.3). Sudo is also
tested heavily on HP-UX 10.20.
Helping Out
The biggest way people can help is to send in your sudo ports and
modifications to
sudo-bugs@courtesan.com.
It is most helpful if diffs are relative to the latest beta release as
that eases the pains of integration. I can always use hardware
donations if you are a vendor or
just have something burning a hole in your closet.
Authors
Many people have worked on sudo over the years; the current version
of CU sudo consists of code written primarily by:
Todd currently maintains sudo. For more details take a look at
the abbreviated HISTORY of sudo.
Sudo is distributed free of charge in the hope that it will be useful,
but with NO WARRANTY.
See the GNU General Public License
for complete details.
Sudo is currently available via anonymous ftp from the following
locations:
- ftp.cs.colorado.edu:/pub/sudo/ (Boulder, Colorado, USA)
- ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
- ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
- coast.cs.purdue.edu:/pub/tools/unix/sudo/ (West Lafayette, Indiana, USA)
- ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
- ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
- ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
- ftp.srv.ualberta.ca:/pub/Mirror/sudo/ (Canada)
- ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
- ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
- ftp.csc.cuhk.edu.hk:/pub/unix/sysadmin/sudo/ (Hong Kong)
- ftp.ege.edu.tr:/pub/sudo/ (Turkey)
- ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
- ftp.fan.net.au:/mirrors/sudo/ (Australia)
- ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
- ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
- ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
- ftp.lps.ens.fr:/pub/software/sudo/ (France)
- ftp.sai.msu.su:/pub/unix/security/ (Russia)
- ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
- ftp.rz.uni-osnabrueck.de/pub/unix/security/sudo/ (Germany)
- ftp.win.or.jp:/pub/misc/sudo/ (Japan)
- ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
- ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
- ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
- ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
- ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
- ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
- ring.aist.go.jp:/pub/misc/sudo/ (Japan)
- ring.etl.go.jp:/pub/misc/sudo/ (Japan)
- ring.crl.go.jp:/pub/misc/sudo/ (Japan)
- ring.nacsis.ac.jp:/pub/misc/sudo/ (Japan)
- ring.saitama-u.ac.jp:/pub/misc/sudo/ (Japan)
- ring.iwate-pu.ac.jp:/pub/misc/sudo/ (Japan)
- ring.astem.or.jp:/pub/misc/sudo/ (Japan)
- ring.exp.fujixerox.co.jp:/pub/misc/sudo/ (Japan)
- ring.asahi-net.or.jp:/pub/misc/sudo/ (Japan)
- ring.so-net.ne.jp:/pub/misc/sudo/ (Japan)
- ring.ip-kyoto.ad.jp:/pub/misc/sudo/ (Japan)
- ring.jah.ne.jp:/pub/misc/sudo/ (Japan)
Sudo is also available on the web from the following locations:
You can now check out your own copy of the sudo development
source tree via anonymous CVS.
Send mail to sudo-bugs@courtesan.com if you
wish to mirror sudo so we may include you in the above list.
Mirrors should update from
ftp.courtesan.com:/pub/sudo/
Binaries may be found at
ftp.cs.colorado.edu:/pub/sudo/binaries. You should only use these
if you are unable to build sudo yourself. Note that the binary
distributions contain binaries only so you should
still grab a copy of the normal distribution for documentation and
instructions.
Beta versions of sudo may be found at
ftp.cs.colorado.edu:/pub/sudo/beta/
If you are interested in running a beta version, please join the
sudo-workers mailing list so that you will receive
updates on bug fixes and new beta/gamma versions.
Last modified: Apr 2, 1999
Todd C. Miller: Todd.Miller@courtesan.com