Friday, 25 July 2008

What's Sudo

Sudo is a means of changing UNIX security from an all-or-nothing model to a structured and granular one that allows selected tasks to run with privilege. This has been replicated in Windows as the "runas" command.

What SUDO does:

  • It allows a normal user (non-root account) to run individual commands with root privileges, but restricted to only that command.
  • The user still authenticates with their own password; they do not need to have the root password.
  • Separate commands may be given to different users and groups, and the privileged modes of one user do not need to be the same as another's.
  • It allows the creation of roles.
  • All commands are logged against the user (not root).
  • Any unauthorised command creates an alert that can be emailed to monitor activity.

There is a list of other programs similar to SUDO at:

http://www.courtesan.com/sudo/other.html

SUDO is still the most widely used program of its type.

To run a command with privilege, the user simply types the command they wish to execute, prefixed with SUDO. For instance:

"sudo /bin/lsof"

SUDO helps to provide:

  1. Accountability,
  2. Least privilege (through roles), and
  3. Termination.

When a user leaves, their access is not set up like a shared root account, so it can be removed and the system can run as normal. Further, a copy of the settings (like a role) makes it simple to move another person into the role of the last user.

Last for this post, though not the last of its features: SUDO supports many forms of authentication and can timestamp a successful authentication to minimise the number of times that a user needs to enter a password into the system.
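The points above (per-command grants, roles, logging against the user, emailed alerts and the password timestamp) map onto a sudoers policy like the following. This is an added example, not part of the original post; the file name, user names, alias names, command list and mail address are all constructed.

```sudoers
# /etc/sudoers.d/ops-roles   (hypothetical file name)
# Every user, alias and address below is a constructed sample value.

# Email an alert when someone attempts something the policy does not allow.
Defaults mailto="secops@example.com"
# ...the user is listed in sudoers but not for this command:
Defaults mail_no_perms
# ...the user is not listed in sudoers at all:
Defaults mail_no_user
# ...the user entered a wrong password:
Defaults mail_badpass

# Log each command against the invoking user rather than root.
Defaults logfile="/var/log/sudo.log"

# Timestamp: ask for the user's own password again after 5 idle minutes.
Defaults timestamp_timeout=5

# Roles. Handing a role to a new person means changing one name here.
User_Alias  NETDIAG  = alice, bob
User_Alias  WEBADMIN = carol

# Commands are given as full paths; arguments, when listed, must match.
Cmnd_Alias  DIAG_CMDS = /bin/lsof
Cmnd_Alias  WEB_CMDS  = /usr/sbin/apachectl configtest, \
                        /usr/sbin/apachectl graceful

# Each role may run only its own commands, as root, on any host.
NETDIAG   ALL = (root) DIAG_CMDS
WEBADMIN  ALL = (root) WEB_CMDS

# The all-or-nothing grant that the role entries replace (left disabled):
# alice  ALL = (ALL) ALL
```

Check the file with `visudo -cf <file>` before installing it. Commands that can start a shell or write arbitrary files, such as editors and pagers, make poor entries in a Cmnd_Alias because they undo the per-command restriction.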
