Why doesn’t the sudo command need the root password

sudo

I've been using Linux for a while now and whenever I typed sudo I thought I was switching over to the root user for a command.

Apparently this is not true because all I need is my user account's password. I'm guessing since I haven't worked with multiple users I haven't really noticed this in the real world.

I am unsure how Ubuntu sets up my first account. Is there a root user? Am I root? I'm guessing I just created a new user upon installation but it gave me root privileges? Just a little confused here…

So why am I allowed to run root commands with my user's password?

Best Answer

In details it works the following way:

/usr/bin/sudo executable file has setuid bit set, so even when executed by another user, it runs with the file owner's user id (root in that case).
sudo checks in /etc/sudoers file what privileges do you have and whether you are permitted to run the command you are invoking. Saying simply, /etc/sudoers is a file which defines which users can run which commands using sudo mechanism.

That's how that file look on my Ubuntu:
```
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
```
The third line is what presumably interests you. It lets anybody in the "sudo" group to execute any command as any user.

When Ubuntu sets up the first account during installation it add that account to the "sudo" group. You can check which groups which users belong to with group command.
sudo asks you for a password. Regarding the fact that it needs user's password, not the root's one, that is an excerpt from sudoers manual:

Authentication and logging

The sudoers security policy requires that most users authenticate themselves before they can use sudo. A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the user or command. Unlike su(1), when sudoers requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. This can be changed via the rootpw, targetpw and runaspw flags, described later.

However, in fact, sudo does not need your user password for anything. It ask for it just to ensure that you are really you and to provide you some kind of warning (or chance to stop) before invoking some potentially dangerous command. If you want to turn off password asking, change the sudoers entry to:
```
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
```
After authentication sudo spawns child process which run the invoked command. The child inherits the root user id from its parent -- the sudo process.

So, answering your questions precisely:

I thought I was switching over to the root user for a command.

You were right. Each command preceded with sudo runs with the root user id.

Is there a root user?

Yes, there is a root user account, separate from your user account created during system installation. However, by default in Ubuntu you are not allowed to login to interactive terminal as root user.

Am I root?

No, you are not a root. You only have privilege to run individual commands as a root, using the sudo mechanism described above.

So why am I allowed to run root commands with my user's password?

You have to enter user's password only due to sudo internal security mechanism. It can be easily turned off. You gain your root powers because of setuid bit of /usr/bin/sudo, not because of any passwords you enter.

Related Solutions

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

I add this to my bash script:

# ask for password up-front.
sudo -v
# Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

Found it here:

https://serverfault.com/questions/266039/temporarlly-increasing-sudos-timeout-for-the-duration-of-an-install-script

https://gist.github.com/cowboy/3118588

I use another script to launch my main script and I use a .desktop file to launch that helper script. It's not very straightforward, but it can be made to work 100% GUI. I'm still looking for the perfect solution, but this is doing the trick for now.

What mechanism prevents any user from accessing any other user’s files via root

The major difference between sudo and su is the mechanism used to authenticate. With su the user must know the root password (which should be a closely guarded secret), while with sudo the user uses his/her own password. In order to stop all users causing mayhem, the priviliges discharged by the sudo command can, fortunately, be configured using the /etc/sudoers file.

Both commands run a command as another user, quite often root.

sudo su - works in the example you gave because the user (or a group where the user is a member) is configured in the /etc/sudoers file. That is, they are allowed to use sudo. Armed with this, they use the sudo to temporarily gain root privileges (which is default when no username is provided) and as root start another shell (su -). They now have root access without knowing root's password.

Conversely, if you don't allow the user to use sudo then they won't be able to sudo su -.

Distros generally have a group (often called wheel) whose members are allowed to use sudo to run all commands. Removing them from this group will mean that they cannot use sudo at all by default.

The line in /etc/sudoers that does this is:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

While removing users from this group would make your system more secure, it would also result in you (or other system adminstrators) being required to carry out more administrative tasks on the system on behalf of your users.

A more sensible compromise would configure sudo to give you more fine grained control of who is allowed to use sudo and who isn't, along with which commands they are allowed to use (instead of the default of all commands). For example,

## Allows members of the users group to mount and unmount the
## cdrom as root
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

(only useful with the previous %wheel line commented out, or no users in the wheel group).

Presumably, distros don't come with this finer grained configuration as standard as it's impossible to forecast what the admin's requirements are for his/her users and system.

Bottom line is - learn the details of sudo and you can stop sudo su - while allowing other commands that don't give the user root shell access or access to commands that can change other users' files. You should give serious consideration to who you allow to use sudo and to what level.

WARNING: Always use the visudo command to edit the sudoers file as it checks your edits for you and tries to save you from the embarrassing situation where a misconfigured file (due to a syntax error) stops you from using sudo to edit any errors. This is especially true on Debian/Ubuntu and variants where the root account is disabled by default.

Best Answer

Related Solutions

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

What mechanism prevents any user from accessing any other user’s files via root

Related Question