I recently installed OpenBSD 4.9 in my computer, so I could learn a little bit about Unix-like operating systems. I added a new user to the system called bruno. Ok. When I use the 'sudo' command, it asks me for a password. So, I enter the password. But it keeps telling me that the password is wrong, even though I'm sure that the password is correct. What am I missing here? I know if I add
bruno ALL = (ALL) NOPASSWD: ALL
to the /etc/sudoers file it stops asking for the password, and I can execute the sudo command. What should I do here? What's the most correct/secure option? I'm sorry if it's a trivial question. I couldn't find a good explanation for this issue. I'm not only looking for solutions, but for explanations on how this whole user/permission/password thing works.
Best Answer
This is an illustration of the difference between authentication and authorization.
Sudo is primarily a tool for authorization. Its job is to determine whether you are allowed to execute a command with elevated privileges, and if you are, to execute that command. An entry like
bruno ALL = (ALL) NOPASSWD: ALL
in the sudoers file allows the user bruno to execute any command with any privilege.

In order to apply this rule, Sudo needs to know that the user invoking it is indeed bruno. In principle, it can rely on the system's authentication mechanism: if you can run commands as bruno, it means you've already authenticated as bruno. However, since using Sudo can have major consequences, Sudo requires some extra authentication: you need to type your password again, sometimes. This means that if you've left your console unattended and a passer-by gets to run commands as bruno, they won't be able to use Sudo: they might be able to damage your account, but not the rest of the system.

Another advantage of requesting a password is that it alerts you that something unusual is taking place. For example, an application cannot silently call sudo: it would need to ask you for your password, and an unexpected password prompt would alert you that something bad is taking place.

In practice, asking for a password each and every time you run Sudo would be annoying. Therefore the default behavior is to compromise: ask for a password every few minutes. This way, a passerby or application can cause harm by running sudo only if you've done it within the last few minutes.
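The answer above draws the line between the sudoers rule (authorization) and the password prompt that sudo adds on top of it (authentication), and notes that the NOPASSWD tag and the re-prompt interval are what control that extra step. The following Python is an added illustration, not code from the question or the answer: it parses sudoers user-specification lines of the form `User_List Host_List = [(Runas_List)] [Tag:] Cmnd_List`, reads a `Defaults timestamp_timeout=N` line, and reports which rules skip re-authentication. The sample sudoers fragment is constructed for the example (the questioner's line plus a password-requiring alternative and a narrowly scoped NOPASSWD rule); the simplified grammar it assumes ignores aliases, `#include` directives and line continuations, which a real sudoers file may contain.

```python
"""Audit sudoers rules for the re-authentication step sudo adds on top of
authorization.  Added example, not from the original post.  Assumes the
simplified grammar  User_List Host_List = [(Runas_List)] [Tag:] Cmnd_List
and ignores aliases, includes and line continuations."""
import re
from dataclasses import dataclass

# Tag words sudo accepts in front of a command list
TAG_WORDS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


@dataclass
class UserSpec:
    users: list      # who the rule applies to (user, %group, ...)
    hosts: list      # hosts the rule applies on
    runas: list      # target users, default root
    tags: set        # e.g. {"NOPASSWD"}
    commands: list   # command list, "ALL" means anything


def parse_user_spec(line: str):
    """Return a UserSpec for one rule, or None for blanks, comments,
    Defaults and alias definitions."""
    body = line.split("#", 1)[0].strip()      # drop trailing comments
    if not body:
        return None
    first = body.split()[0]
    if first.startswith("Defaults") or first.endswith("_Alias"):
        return None
    lhs, rhs = body.split("=", 1)
    fields = lhs.split()
    if len(fields) != 2:
        raise ValueError(f"malformed user spec: {line!r}")
    users, hosts = fields[0].split(","), fields[1].split(",")
    rhs = rhs.strip()
    runas = ["root"]                           # sudo's default target user
    m = re.match(r"\(([^)]*)\)\s*(.*)", rhs)
    if m:
        runas = [r.strip() for r in m.group(1).split(",")]
        rhs = m.group(2)
    tags = set()
    while True:                                # consume "TAG:" prefixes
        m = re.match(r"([A-Z_]+):\s*(.*)", rhs)
        if not m or m.group(1) not in TAG_WORDS:
            break
        tags.add(m.group(1))
        rhs = m.group(2)
    commands = [c.strip() for c in rhs.split(",") if c.strip()]
    return UserSpec(users, hosts, runas, tags, commands)


def timestamp_timeout(line: str):
    """Minutes before sudo asks for the password again, if the line sets it."""
    m = re.match(r"\s*Defaults\S*\s+timestamp_timeout\s*=\s*(-?\d+)", line)
    return int(m.group(1)) if m else None


def audit(text: str):
    """Classify each rule by how much re-authentication it demands."""
    findings = []
    for line in text.splitlines():
        t = timestamp_timeout(line)
        if t is not None:
            if t < 0:
                findings.append(("timeout", "never re-prompts after first sudo"))
            elif t == 0:
                findings.append(("timeout", "prompts on every sudo"))
            else:
                findings.append(("timeout", f"prompts again after {t} minutes"))
            continue
        spec = parse_user_spec(line)
        if spec is None:
            continue
        who = ",".join(spec.users)
        if "NOPASSWD" in spec.tags and "ALL" in spec.commands:
            findings.append((who, "HIGH: any command as %s with no password"
                             % ",".join(spec.runas)))
        elif "NOPASSWD" in spec.tags:
            findings.append((who, "MEDIUM: no password for "
                             + ", ".join(spec.commands)))
        else:
            findings.append((who, "OK: password required"))
    return findings


# Constructed sample fragment (not the questioner's real file)
SAMPLE = """\
# constructed sample sudoers fragment
Defaults timestamp_timeout=5
bruno ALL = (ALL) NOPASSWD: ALL
bruno ALL = (ALL) ALL
%wheel ALL=(ALL) SETENV: ALL
backup ALL = (root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for who, verdict in audit(SAMPLE):
        print(f"{who:10} {verdict}")
```

Running it shows the questioner's NOPASSWD: ALL line rated HIGH (any command as any user with no re-authentication), the plain `bruno ALL = (ALL) ALL` line rated OK (the rule authorizes the same commands but sudo still prompts), and the rsync rule rated MEDIUM: NOPASSWD confined to one fixed command is the usual compromise when an unattended job needs sudo.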