Shell command: sudo

Options

`-A`	`--askpass`	use a helper program for password prompting
`-b`	`--background`	run command in the background
`-B`	`--bell`	ring bell when prompting
`-C`	`--close-from=num`	close all file descriptors `>= num`
`-D`	`--chdir=directory`	change the working directory before running command
`-E`	`--preserve-env`	preserve user environment when running command
	`--preserve-env=list`	preserve specific environment variables
`-e`	`--edit`	edit files instead of running a command
`-g`	`--group=group`	run command as the specified group name or ID
`-H`	`--set-home`	set `HOME` variable to target user's home directory
`-h`	`--help`	display help message and exit
`-h`	`--host=host`	run command on host (if supported by plugin)
`-i`	`--login`	run login shell as the target user; a command may also be specified
`-K`	`--remove-timestamp`	remove timestamp file completely
`-k`	`--reset-timestamp`	invalidate timestamp file
`-l`	`--list`	list user's privileges or check a specific command; use twice for longer format
`-n`	`--non-interactive`	non-interactive mode, no prompts are used
`-P`	`--preserve-groups`	preserve group vector instead of setting to target's
`-p`	`--prompt=prompt`	use the specified password prompt
`-R`	`--chroot=directory`	change the root directory before running command
`-r`	`--role=role`	create SELinux security context with specified role
`-S`	`--stdin`	read password from standard input
`-s`	`--shell`	run shell as the target user; a command may also be specified
`-t`	`--type=type`	create SELinux security context with specified type
`-T`	`--command-timeout=timeout`	terminate command after the specified time limit
`-U`	`--other-user=user`	in list mode, display privileges for user
`-u`	`--user=user`	run command (or edit file) as specified user name or ID
`-V`	`--version`	display version information and exit
`-v`	`--validate`	update user's timestamp without running a command
	`--`	stop processing command line arguments

Run a command as a specific user

In order to run a command as a different user than the target user, the -u flag must be specified:

sudo -u fred ls ~fred

Print allowed/forbidden commands

What am I allowed to do?

sudo -l

Together with -U username, -l queries another user's permissions. To use -U, the ALL privilege is needed (or being root).

sudo -l -U fred

Not entering passwords

In order for the user fred not to have to enter a password when executing sudo, the following line can be added to the sudoers file:

fred ALL=(ALL) NOPASSWD:ALL

Alternatively, a user can create a little shell script that echoes his password:

#!/bin/sh
echo SecretGarden

He then has to store the path to this shell script in the environment variable SUDO_ASKPASS:

export SUDO_ASKPASS=~/bin/password

When he then executes sudo with the -A option, sudo will execute the shell script and take the password from this shell script:

sudo -A do-something.sh

USERNAME is not in the sudoers file. This incident will be reported

Only users listed in /etc/sudoers are allowed to run sudo. If a user that is not listed in this file tries to run sudo, sudo will print the error message USERNAME is not in the sudoers file. This incident will be reported.

Sometimes, /etc/sudoers specifies specific groups whose members are allowed to execute sudo, for example a group named sudo or wheel.

If this is the case, a user can be added to such a group:

# usermod -aG sudo rene

If the user that was added to the sudo group does not want to log out and log in again, he should do:

$ newgrp sudo

Redirection

The following example creates the file /tmp/xyz. Because the redirection is executed with the privileges of the user executing sudo, it will belong to this user (and not to root as maybe expected):

sudo echo foo > /tmp/xyz

In order to create the file so that it belongs to root, the following command might be used:

sudo sh -c "echo foo > /tmp/xyz"

See also using tee in combination with sudo.

Sessions

A sudo session might be recorded and then later replayed with sudoreplay.