When you are elevating your privileges on a UNIX do you:

I posted this poll because I was curious how many people know what `sudo` actually does.

It seems many think it is distinctly different than `su`.

`sudo` and `su` are effectively the same tool. They are both setuid binaries that allow you to change your effective uid from whatever it is now, to something else.

Using either tool, you can switch to another user, and that other user may also be root.

So why do we need sudo if we have su?

Well, su is very basic. You can 'Switch Users' (su). That's basically all there is to it. You can switch users, and invoke a shell. You can switch users and execute a command. You can pass some arguments to maybe inherit the environment or set $HOME appropriately. But thats basically it for su(1).

sudo is 'Switch User and Do'. You can still do all of the same things that you can with su, but you can also build a ACL that specifies what users, commands, and arguments a user is allowed to invoke.

The /etc/sudoers file is described using Extended Backus-Naur Form (EBNF) rules. Most people just add their user with a glob. Something like this:

`miah ALL=(ALL:ALL) ALL`

But you can go MUCH MUCH more complex. I'm going to use some examples from the man page.

A /etc/sudoers example from the man page:

The user tcm may run commands that access a modem device file with the dialer group:

`tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
/usr/local/bin/minicom`

Another /etc/sudoers example from the man page:

The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/.

`
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot

operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/`

I've had to trim a bit from these to fit in the mastodon post length, so refer to sudoers(5) for more details.

The point being, that you can create a curated list of commands, arguments, and users that can be used through sudo. Its not just a tool to 'give me a root shell', its a tool to give users limited access to commands.

This can be extremely powerful if you need to let users who don't really know UNIX into a system to execute some commands with more privilege.

Of course the sudoers file also allows you to bind to LDAP too, so you can actually store the entire ruleset in a single location to be used by all of your systems without any 'configuration management'.

LDAP gives you some other features that typically come with configuration management too, like auditability of who made changes and when, as well as the ability to store diffs as changes and go through an approval process.

Everybody hates LDAP for reasons.. But its fine. Its good actually!

This reminds me of one time we were given vi access to a specific file via sudoers, and we very much abused the crap out of this by escaping into a shell in vim.

RE: https://hachyderm.io/@miah/112955642467835465

@alpha @miah Same 🤣

@swindsor It’s entirely possible it was on the same project at different points in time 😆