linux - Does sudo really make you root for a little while?

2014-07
  • Desmond Hume

    On Linux, in what kind of situations, if any, running a command as a non-root user to access a file/folder or create/delete a file/folder using sudo may result in "permission denied" while running the same command as root user would succeed? The user is assumed to be a sudoer, of course.

    Practical example on Ubuntu 12: I've got this directory in / with root:root ownership and drwxr-xr-x permissions and I tried sudo date > file while in it as well as sudo date | tee file but got the same

    -bash: file: Permission denied
    

    in both cases. Sure enough, there're no problems if I'm root. This is quite frustrating.

  • Answers
  • idupree

    sudo only makes the sudo'ed command run as root. An occasional practical difference is that, in

    sudo echo mem > /sys/power/state
    

    (which tells the kernel to suspend-to-RAM)

    it doesn't work because the shell you're running in (as an ordinary user) tries to set up the redirection to /sys/power/state, which it does not have write permission to. You can do this successfully by running a sub-shell as root

    sudo sh -c 'echo mem > /sys/power/state'
    

    or by using a program that opens files itself, such as dd:

    echo mem | sudo dd of=/sys/power/state
    

    or by getting a root shell first, using e.g. 'su' or 'sudo -s'.

  • Tom Wijsman

    Does sudo really make you root for a while?

    The man page for sudo explains:

    There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via sudo.

    Thus, if you run sudo something and type in your password, then, if you don't lock your terminal, another user will be able to run sudo su - within 5 minutes, which will give him access to the root shell if your sudo allows you to run arbitrary commands. For more on the timeout, I'm going to quote this relevant section from the above man page:

    The sudoers policy caches credentials for 5 minutes, unless overridden in sudoers. By running sudo with the -v option, a user can update the cached credentials without running a command.

    Why do I get permission denied?

    sudo cannot tamper with how bash works, which is why it can't deal well with features like file redirection and other features that work outside of the command. To avoid this you will have to ask a root shell to execute the full command, such that it does forward the redirection character to a rooted environment instead of parsing it.

    As shown by the other user, this is as simple as running

    sudo bash -c 'date > file'
    

    or rewriting it such that you do not need the redirection parameter to be run as root, like so:

    date | sudo tee file
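
Added example, not part of either answer above: a heuristic lint that flags lines where the redirect or the tee would be performed by the unprivileged calling shell rather than under sudo, which is the failure both answers describe. The function names lint_sudo_redirects and sample_commands are hypothetical; the sample input is the commands quoted on this page plus one constructed variant.

```shell
#!/bin/sh
# Added example: heuristic lint for redirections that the unprivileged calling
# shell, not sudo, would perform. Reads shell lines on stdin and prints
# "<line-number>: <reason>: <line>" for each finding.
lint_sudo_redirects() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        # Drop quoted strings: a '>' inside sh -c '...' is parsed by the
        # root shell, so it is not a finding. Then drop fd duplications
        # (2>&1) and redirects to /dev/null, which need no privilege.
        bare=$(printf '%s\n' "$line" | sed \
            -e "s/'[^']*'//g" \
            -e 's/"[^"]*"//g' \
            -e 's/[0-9]*>&[0-9-]*//g' \
            -e 's|[0-9]*>>*[[:space:]]*/dev/null||g')
        # sudo CMD ... > target  (no pipe or separator between sudo and '>')
        if printf '%s\n' "$bare" |
            grep -Eq '(^|[;&|[:space:]])sudo[[:space:]][^|;&]*>'; then
            printf '%s: redirect opened by calling shell: %s\n' "$n" "$line"
        # sudo CMD | tee target  (tee itself runs unprivileged)
        elif printf '%s\n' "$bare" |
            grep -Eq '(^|[;&|[:space:]])sudo[[:space:]][^|;&]*[|][[:space:]]*tee[[:space:]]'; then
            printf '%s: tee runs without sudo: %s\n' "$n" "$line"
        fi
    done
}

# Constructed sample input: the commands quoted on this page, plus one
# variant that silences tee's stdout.
sample_commands() {
    cat <<'EOF'
sudo echo mem > /sys/power/state
sudo sh -c 'echo mem > /sys/power/state'
echo mem | sudo dd of=/sys/power/state
sudo date > file
sudo date | tee file
sudo bash -c 'date > file'
date | sudo tee file
date | sudo tee file > /dev/null
EOF
}

sample_commands | lint_sudo_redirects
```

The quote stripping is a regex approximation, not a shell parser, so nested or escaped quotes can produce misses or false findings.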
    

  • Related Question

    linux - CentOS, sudo Doesn't Accept root Password, but Logging in as root Works
  • nicorellius

    I am new to Linux and I have CentOS running on a dual boot system. I was trying to edit a file requiring root permissions, so I used sudo. I typed the root password and it failed. This happened three times, and the process was ended. I then logged in as root (su) and was able to navigate to the file and make changes as root. Am I missing something? How would I edit the sudoers file such that this password would work? Or is there another way to log in to the sudo group to make these changes? How do I set sudo passwords?


  • Related Answers
  • Marnix A. van Ammers

    Sudo expects you to type in your password, not the password of root. And your account needs to be in the sudoers file.