How does the OS know that a command needs sudo

permissions sudo

  1. When you run an executable, sometimes the OS will deny you
    permission to. For example, running make install with the prefix
    being a system path will need sudo, while with the prefix being a
    non-system path you will not be asked for sudo. How does the OS decide
    that running an executable would require more privilege than a user
    has, even before the program does something?
  2. Sometimes, running a program will not be denied permission, but the
    program will be able to do more things if it is run with sudo. For
    example, when running du on some system directory, only with
    sudo will it be able to access some directory. Why does the OS not
    deny permission to run such a program, or give a friendly notice that more privilege is preferred, before the program can run?
  3. Is it true that whenever sudo works, su will also work, and
    whenever su works, sudo will also work? Or, with su, can a user do
    more than with sudo? How does the OS decide when sudo works, and
    when su is needed?

Best Answer

  1. Sometimes the "Permission denied" message is due to filesystem permissions denying you write access, for example. The executable/tool simply checks if the filesystem grants you enough permissions to do what you're about to do and throws an error if it's denied by the filesystem. Other times, the tool itself will check your user ID before allowing you to continue using it.
  2. When you run a program with sudo you are running it under some other user's name. If that user is "able to do more things" than your user and the sudo configuration allows you to do these things on the other user's behalf then yes, sudo will allow you to do more things. This is not necessary, though. If you just tack sudo on at the beginning of the command line, you're actually sudoing as root, so typically you're able to do more things than a mere mortal.
  3. Most definitely not. To use sudo you need to supply your own user password and then you're allowed to do some things on the target user's behalf. To use su, you need the target user's password and if you have it, you become that target user as far as the system is concerned and can do anything that user can do.
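
The two mechanisms from point 1 of the answer, as an added example that is not part of the original answer: a stand-in "installer" that always starts and only fails when its write into the prefix is refused, and a tool that checks the user ID itself. The function names and the temporary directories are constructed for illustration; the read-only directory stands in for a root-owned system prefix.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical.

# Mechanism 1: permissions are checked per operation, not per program.
# The "installer" always starts; only the write into PREFIX can be refused.
try_install() {
    prefix=$1
    if touch "$prefix/installed-file" 2>/dev/null; then
        echo "ok"
    else
        echo "denied"
    fi
}

# Mechanism 2: the tool inspects the user ID itself and refuses early.
# The UID can be passed as an argument so both outcomes show without root.
root_only_tool() {
    uid=${1:-$(id -u)}
    if [ "$uid" -ne 0 ]; then
        echo "refused: must be root"
        return 1
    fi
    echo "running privileged action"
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/user-prefix" "$work/system-prefix"
    chmod 555 "$work/system-prefix"   # no write bit: stands in for /usr/local
    echo "user-prefix:   $(try_install "$work/user-prefix")"
    # Prints "denied" for an ordinary user. Root bypasses the mode bits and
    # gets "ok", which is the same reason sudo makes the real install succeed.
    echo "system-prefix: $(try_install "$work/system-prefix")"
    root_only_tool 1000 || true
    root_only_tool 0
    chmod 755 "$work/system-prefix"
    rm -rf "$work"
}

demo
```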
