{{short description|Command on Unix systems to temporarily assume root privileges}} {{Redirect|SUDO|the non-profit organization|Sudan Social Development Organization|other uses|Sudo (disambiguation)}} {{lowercase title|title=sure}} {{Infobox software | name = | title = sudo | logo = Sudo logo (2019).png | logo caption = | logo_size = 137px | logo_alt = | screenshot = Sudo on Linux screenshot.png | caption = The {{code|sudo}} command in a terminal | screenshot_size = | screenshot_alt = | collapsible = | author = Robert Coggeshall, Cliff Spencer | developer = Todd C. Miller | released = {{circa}} 1980<ref>{{cite web|url=https://www.sudo.ws/history.html|title=A Brief History of Sudo|access-date=15 November 2018|first=Todd C.|last=Miller|archive-date=16 November 2018|archive-url=https://web.archive.org/web/20181116043314/https://www.sudo.ws/history.html|url-status=live}}</ref> | discontinued = | latest release version = {{wikidata|property|preferred|edit|Q300883|P348|P548=Q2804309}}<ref name="sudo-version">{{cite web|url=https://www.sudo.ws/news.html|access-date=12 April 2023|title=Sudo News|archive-date=1 December 2021|archive-url=https://web.archive.org/web/20211201213835/https://www.sudo.ws/news.html|url-status=live}}</ref> | latest release date = {{Start date and age|{{wikidata|qualifier|preferred|single|Q300883|P348|P548=Q2804309|P577}}}} | repo = | programming language = C | operating system = Unix-like | platform = | size = | language = | language count = <!-- DO NOT include this parameter unless you know what it does --> | language footnote = | genre = Privilege authorization | license = ISC-style<ref name="todmil7"/> | alexa = | website = {{official URL}} | standard = | AsOf = }}

'''{{code|sudo}}''' ({{IPAc-en|s|uː|d|uː}} or {{IPAc-en|'|s|uː|d|oʊ}}<ref name="todmil8"/>) is a shell command on Unix-like operating systems that enables a user to run a program with the security privileges of another user, by default the superuser.<ref name="nyt080526"/> It originally stood for "superuser do",<ref>{{Cite web|last=By|date=2014-05-28|title=Interview: Inventing The Unix "sudo" Command|url=https://hackaday.com/2014/05/28/interview-inventing-the-unix-sudo-command/|access-date=2022-01-10|website=Hackaday|language=en-US|archive-date=2022-01-10|archive-url=https://web.archive.org/web/20220110231327/https://hackaday.com/2014/05/28/interview-inventing-the-unix-sudo-command/|url-status=live}}</ref> as that was all it did, and this remains its most common usage;<ref>{{Cite web|url=https://pthree.org/2009/12/31/the-meaning-of-su/|title=Aaron Toponce : The Meaning of 'su'|access-date=2015-08-18|archive-date=2023-02-24|archive-url=https://web.archive.org/web/20230224155431/https://pthree.org/2009/12/31/the-meaning-of-su/|url-status=dead}}</ref> however, the official Sudo project page lists it as "su 'do{{'"}}.<ref>{{Cite web|url=https://www.sudo.ws/|title=What is Sudo|access-date=2022-06-07|archive-date=2022-06-03|archive-url=https://web.archive.org/web/20220603193806/https://www.sudo.ws/|url-status=live}}</ref> The current Linux manual pages define {{code|su}} as "substitute user",<ref>{{Cite web|url=https://man7.org/linux/man-pages/man1/su.1.html|title=su(1) Linux manual page|access-date=2022-06-08|archive-date=2022-06-05|archive-url=https://web.archive.org/web/20220605211428/https://man7.org/linux/man-pages/man1/su.1.html|url-status=live}}</ref> making the modern meaning of {{code|sudo}} "substitute user, do", because {{code|sudo}} can run a command as other users as well.<ref>{{cite web |url=https://wiki.archlinux.org/index.php/Sudo |website=wiki.archlinux.org |title=Sudo - ArchWiki |format=MediaWiki |access-date=2015-11-09 |archive-date=2021-04-25 |archive-url=https://web.archive.org/web/20210425201708/https://wiki.archlinux.org/index.php/Sudo |url-status=live }}</ref><ref>Haeder, A.; Schneiter, S. A..; Pessanha, B. G.; Stanger, J. ''LPI Linux Certification in a Nutshell''. O'Reilly Media, 2010. p. 409. {{ISBN|978-0596804879}}.</ref>

Unlike the similar command <code>su</code>, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file (typically <code>/etc/sudoers</code>) permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.

==History== '''Robert Coggeshall''' and '''Cliff Spencer''' wrote the original subsystem around 1980 at the Department of Computer Science at SUNY/Buffalo.<ref name="grati9"/> Robert Coggeshall brought sudo with him to the University of Colorado Boulder. Between 1986 and 1993, the code and features were substantially modified by the IT staff of the University of Colorado Boulder Computer Science Department and the College of Engineering and Applied Science, including Todd C. Miller.<ref name="grati9" /> The current version has been publicly maintained by OpenBSD developer Todd C. Miller since 1994,<ref name="grati9"/> and has been distributed under an ISC-style license since 1999.<ref name="grati9"/>

In November 2009, Thomas Claburn, in response to concerns that Microsoft had patented sudo,<ref name="maxi10"/> characterized such suspicions as overblown.<ref name="dark11"/> The claims were narrowly framed to a particular GUI, rather than to the sudo concept.<ref name="spi091112"/>

The logo is a reference to an xkcd strip, where an order for a sandwich is accepted only when preceded with {{code|sudo}}.<ref>{{cite web | url=https://xkcd.com/149/ | title=Sandwich | access-date=2022-04-11 | archive-date=2022-04-09 | archive-url=https://web.archive.org/web/20220409063050/https://xkcd.com/149/ | url-status=live }}</ref><ref>{{cite web | url=https://www.sudo.ws/about/logo/ | title=Sudo Logo | access-date=2022-04-11 | archive-date=2022-04-27 | archive-url=https://web.archive.org/web/20220427150715/https://www.sudo.ws/about/logo/ | url-status=live }}</ref>

==Design== thumb|350px|alt=We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: 1: Respect the privacy of others. 2: Think before you type. 3: With great power comes great responsibility. root's password:|Warning when first using {{code|sudo}} Unlike for <code>su</code>, users supply their personal password to {{code|sudo}} (if necessary)<ref name="iu.edu">{{Cite web |date=June 18, 2019 |title=About Unix sudo and su commands |url=https://kb.iu.edu/d/amyi |access-date=September 10, 2022 |website=University Information Technology Services |archive-date=September 10, 2022 |archive-url=https://web.archive.org/web/20220910145149/https://kb.iu.edu/d/amyi |url-status=live }}</ref> rather than that of the superuser or other account. This allows authorized users to exercise altered privileges without compromising the secrecy of the other account's password.<ref>{{Cite web |last=Wallen |first=Jack |date=2023-05-16 |title=Linux security: What is sudo and why is it so important? |url=https://www.zdnet.com/article/why-sudo-is-so-important-in-linux-and-how-to-use-it/ |access-date=2024-01-23 |website=ZDNET |language=en}}</ref> Users must be in a certain group to use the {{code|sudo}} command, typically either the ''wheel'' or ''sudo'' group.<ref>{{Cite web |last=Aleksic |first=Marko |date=2020-08-18 |title=Linux Sudo Command, How to Use With Examples |url=https://phoenixnap.com/kb/linux-sudo-command |access-date=2024-01-23 |website=Knowledge Base by phoenixNAP |language=en-US}}</ref> After authentication, and if the configuration file permits the user access, the system invokes the requested command. {{code|sudo}} retains the user's invocation rights through a grace period (typically 5 minutes) per pseudo terminal, allowing the user to execute several successive commands as the requested user without having to provide a password again.<ref>{{Cite web |last=Sheldon |first=Robert |date=February 2023 |title=What is the sudo (su 'do') command-line utility? – TechTarget Definition |url=https://www.techtarget.com/searchsecurity/definition/sudo-superuser-do |access-date=2024-01-23 |website=TechTarget Security |language=en}}</ref>

As a security and auditing feature, {{code|sudo}} may be configured to log each command run. When a user attempts to invoke {{code|sudo}} without being listed in the configuration file, an exception indication is presented to the user indicating that the attempt has been recorded. If configured, the root user will be alerted via mail. By default, an entry is recorded in the system.<ref>[https://www.baeldung.com/linux/sudo-incident-logs Where are sudo Incidents Reported?] {{Webarchive|url=https://web.archive.org/web/20230409210655/https://www.baeldung.com/linux/sudo-incident-logs|date=2023-04-09}} Retrieved April 10, 2023</ref>

==Configuration== The <code>/etc/sudoers</code> file contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the root user or another specified user. The file can be edited by using the command <code>sudo visudo</code>. Sudo contains several configuration options such as allowing commands to be run as {{code|sudo}} without a password, changing which users can use {{code|sudo}}, and changing the message displayed upon entering an incorrect password.<ref>{{Cite web |last=Wallen |first=Jack |date=2010-05-12 |title=Linux 101: Introduction to sudo |url=https://www.linux.com/training-tutorials/linux-101-introduction-sudo/ |access-date=2024-01-23 |website=Linux.com |language=en-US}}</ref> Sudo features an easter egg that can be enabled from the configuration file that will display an insult every time an incorrect password is entered.<ref>{{Cite web |last=Kili |first=Aaron |date=2017-01-12 |title=Let Sudo Insult You When You Enter Incorrect Password |url=https://www.tecmint.com/sudo-insult-when-enter-wrong-password/ |access-date=2024-01-23 |website=www.tecmint.com |language=en-US}}</ref>

==Impact== In some system distributions, {{code|sudo}} has largely supplanted the default use of a distinct superuser login for administrative tasks, most notably in some Linux distributions as well as Apple's macOS.<ref name="ubunt5"/><ref name="macdv4"/> This allows for more secure logging of admin commands and prevents some exploits.

==RBAC== {{main|Role-based access control}}

In association with SELinux, {{code|sudo}} can be used to transition between roles in role-based access control (RBAC).<ref>{{cite web|title=SELinux Lockdown Part Five: SELinux RBAC|url=http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|access-date=2012-11-17|archive-date=2013-05-11|archive-url=https://web.archive.org/web/20130511065723/http://selinux-mac.blogspot.com.au/2009/06/selinux-lockdown-part-five-selinux-rbac.html|url-status=live}}</ref>

==Tools and similar programs== ''visudo'' is a command-line utility that allows editing the sudo configuration file in a fail-safe manner. It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.

Sudoedit is a program that symlinks to the sudo binary.<ref>{{Cite web|first=Jonathan|last=Bennett|date=2021-01-29|title=This Week In Security: Sudo, Database Breaches, And Ransomware|url=https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|access-date=2021-05-24|website=Hackaday|language=en-US|archive-date=2021-06-21|archive-url=https://web.archive.org/web/20210621050109/https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/|url-status=live}}</ref> When sudo is run via its sudoedit alias, sudo behaves as if the -e flag has been passed and allows users to edit files that require additional privileges to write to.<ref>{{Cite web|title=sudoedit(8) - Linux manual page|url=https://man7.org/linux/man-pages/man8/sudoedit.8.html|access-date=2021-05-24|website=man7.org|archive-date=2021-05-24|archive-url=https://web.archive.org/web/20210524193317/https://man7.org/linux/man-pages/man8/sudoedit.8.html|url-status=live}}</ref>

Microsoft released its own tool also called {{code|sudo}} for Windows in February 2024. Its interface is similar to its Unix counterpart by giving the ability to run elevated commands from an unelevated console session, although its implementation is entirely different.<ref>{{Cite web |last=Adoumie |first=Jordi |date=2024-02-07 |title=Introducing Sudo for Windows! |url=https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/ |access-date=2024-02-08 |website=Windows Command Line |language=en-US}}</ref> The program runas provides comparable functionality in Windows, but it cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. Hamilton C shell also includes true {{code|su}} and {{code|sudo}} for Windows that can pass all of that state information and start the child either elevated or as another user (or both).<ref>{{cite web |title=su |url=http://hamiltonlabs.com/UserGuide/Utilities/su.htm |url-status=live |archive-url=https://web.archive.org/web/20150717034225/http://hamiltonlabs.com/UserGuide/Utilities/su.htm |archive-date=July 17, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}</ref><ref>{{cite web |title=Predefined aliases: sudo |url=http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |url-status=live |archive-url=https://web.archive.org/web/20150826052938/http://hamiltonlabs.com/UserGuide/52-PredefinedAliases.htm#sudo |archive-date=August 26, 2015 |access-date=August 17, 2015 |publisher=Hamilton Laboratories}}</ref>

Graphical user interfaces exist for sudo – notably ''gksudo'' – but are deprecated in Debian and no longer included in Ubuntu.<ref>{{cite web |url=https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |title=Remove gksu from Ubuntu |last=Bicha |first=Jeremy |date=December 30, 2017 |publisher=Canonical, which owns Launchpad |access-date=January 10, 2020 |archive-date=May 5, 2020 |archive-url=https://web.archive.org/web/20200505225540/https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 |url-status=live }}</ref><ref>{{cite web |url=https://packages.ubuntu.com/bionic/allpackages |title=Software Packages in "bionic" |author=<!--Not stated--> |date=<!--Not stated--> |publisher=Canonical |access-date=January 10, 2020 |archive-date=October 18, 2019 |archive-url=https://web.archive.org/web/20191018054647/https://packages.ubuntu.com/bionic/allpackages |url-status=live }}</ref> Other user interfaces are not directly built on sudo, but provide similar temporary privilege elevation for administrative purposes, such as pkexec in Unix-like operating systems, User Account Control in Microsoft Windows and Mac OS X Authorization Services.<ref name="apple2"/>

doas, available since OpenBSD 5.8 (October 2015), has been written in order to replace {{code|sudo}} in the OpenBSD base system, with the latter still being made available as a port.<ref>{{cite web | url = http://ports.su/security/sudo | title = sudo-1.8.26 – execute a command as another user | work = OpenBSD ports | date = 2018-11-16 | access-date = 2019-02-26 | archive-date = 2019-02-27 | archive-url = https://web.archive.org/web/20190227060200/http://ports.su/security/sudo | url-status = live }}</ref>

gosu is a tool similar to sudo that is popular in containers where the terminal may not be fully functional or where there are undesirable effects from running sudo in a containerized environment.<ref>{{cite web | url=https://github.com/tianon/gosu |title=gosu|website=GitHub }}</ref>

A rewrite of sudo, called sudo-rs, written in the Rust programming language, became adopted as the default in Ubuntu.<ref>{{cite web|title=Memory-safe sudo to become the default in Ubuntu|url=https://trifectatech.org/blog/memory-safe-sudo-to-become-the-default-in-ubuntu/|date=2025-06-05}}</ref>

==See also== {{Portal|Free and open-source software}} * chroot * doas * runas * Comparison of privilege authorization features

==References== {{reflist|1=30em|refs= <ref name="nyt080526">{{cite news | first = Noam | last = Cohen | work = The New York Times | title = This Is Funny Only if You Know Unix | url = https://www.nytimes.com/2008/05/26/business/media/26link.html | date = May 26, 2008 | access-date = April 9, 2012 | archive-date = January 22, 2018 | archive-url = https://web.archive.org/web/20180122165833/http://www.nytimes.com/2008/05/26/business/media/26link.html | url-status = live}}</ref> <ref name="apple2">{{cite web | url = https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | title = Introduction to Authorization Services Programming Guide | publisher = developer.apple.com | access-date = 2022-05-27 | archive-date = 2022-05-28 | archive-url = https://web.archive.org/web/20220528003210/https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html | url-status = live}}</ref> <ref name="macdv4">{{cite web | url = http://www.macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-url= https://web.archive.org/web/20121015045622/http://macdevcenter.com/pub/a/mac/2002/10/22/macforunix.html | archive-date = 2012-10-15 | url-status = dead | title = Top Ten Mac OS X Tips for Unix Geeks | publisher = MacDevCenter.com | access-date = 2022-05-27}}</ref> <ref name="ubunt5">{{cite web |url = https://help.ubuntu.com/community/RootSudo |title = RootSudo |work = Community Ubuntu Documentation |publisher = help.ubuntu.com |date = 2011-11-08 |access-date = 2011-11-17 |archive-date = 2011-11-05 |archive-url = https://web.archive.org/web/20111105004600/https://help.ubuntu.com/community/RootSudo |url-status = live}}</ref> <ref name="todmil7">{{cite web |author = Todd C. Miller |url = http://www.sudo.ws/sudo/license.html |title = Sudo License |publisher = sudo.ws |date = 2011-06-17 |access-date = 2011-11-17 |archive-date = 2015-07-31 |archive-url = https://web.archive.org/web/20150731135949/http://www.sudo.ws/sudo/license.html |url-status = live}}</ref> <ref name="todmil8">{{cite web | url = http://sudo.ws/sudo/troubleshooting.html | title = Troubleshooting tips and FAQ for Sudo | author = Miller, Todd C | access-date = 2009-11-20 | archive-date = 2021-11-27 | archive-url = https://web.archive.org/web/20211127153002/https://www.sudo.ws/sudo/troubleshooting.html | url-status = live}}</ref> <ref name="grati9">{{cite web | url = https://www.sudo.ws/history.html | title = A Brief History of Sudo | author = Miller, Todd C | access-date = 2021-02-08 | archive-date = 2021-01-27 | archive-url = https://web.archive.org/web/20210127114014/https://www.sudo.ws/history.html | url-status = live}}</ref> <ref name="maxi10">{{cite web | url = http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-url= https://web.archive.org/web/20140701234003/http://www.maximumpc.com/article/news/microsoft_has_patented_sudo_yes_command | archive-date = 2014-07-01 | url-status= dead | title = Microsoft has Patented "sudo." Yes, the Command | last = Lilly | first = Paul | access-date = 2009-11-13}}</ref> <ref name="dark11">{{cite web |url = https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |title = Does New Microsoft Patent Infringe On Unix Program Sudo? Some in the open source community suspicious of Microsoft's intent |date = 2009-11-16 |work = Dark Reading |access-date = 2022-05-27 |quote = A patent granted to Microsoft (NSDQ: MSFT) has stirred up worry that world's largest software company wants to claim Unix's "sudo" as its own. [...] In short, suspicions about this patent are overblown. |archive-date = 2022-08-20 |archive-url = https://web.archive.org/web/20220820031048/https://www.darkreading.com/analytics/does-new-microsoft-patent-infringe-on-unix-program-sudo- |url-status = live}}</ref> <ref name="spi091112">{{cite news | last = Eaton | first = Nick | url = http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-url= https://web.archive.org/web/20210620170544/http://blog.seattlepi.com/microsoft/2009/11/12/did-microsoft-just-sneakily-patent-an-open-source-tool/ | archive-date = 2021-06-20 | url-status = dead | title = Did Microsoft just sneakily patent an open-source tool? | publisher = seattlepi.com | date = November 12, 2009 | access-date = April 24, 2011}}</ref> }}

==External links== * {{Official website}}

{{Unix commands}} {{OpenBSD}}

Category:Computer security software Category:System administration Category:Unix user management and support-related utilities Category:Software using the ISC license