12
$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo

so sudo is runnable by any user, and any user who runs sudo will have root as the effective user ID of the process because the set-user-id bit of /usr/bin/sudo is set.

From https://unix.stackexchange.com/a/11287/674

the most visible difference between sudo and su is that sudo requires the user's password and su requires root's password.

  1. Which user's password does sudo ask for? Is it the user represented by the real user ID of the process?

    If yes, can't any user gain the superuser privilege by running sudo and then providing their own password? Can Linux restrict that on some users?

  2. Is it correct that sudo asks for the password after execve() starts to execute main() of /usr/bin/sudo?

    Since the euid of the process has been changed to root (because the set-user-id bit of /usr/bin/sudo is set), what is the point of sudo asking for password later?

Thanks.

I have read https://unix.stackexchange.com/a/80350/674, but it doesn't answer the questions above.

Tim

4 Answers

23
  1. In its most common configuration, sudo asks for the password of the user running sudo (as you say, the user corresponding to the process’ real user id). The point of sudo is to grant extra privileges to specific users (as determined by the configuration in sudoers), without those users having to provide any other authentication than their own. However, sudo does check that the user running sudo really is who they claim to be, and it does that by asking for their password (or whatever authentication mechanism is set up for sudo, usually using PAM — so this could involve a fingerprint, or two-factor authentication etc.).

    sudo doesn’t necessarily grant the right to become root, it can grant a variety of privileges. Any user allowed to become root by sudoers can do so using only their own authentication; but a user not allowed to, can’t (at least, not by using sudo). This isn’t enforced by Linux itself, but by sudo (and its authentication setup).

  2. sudo does indeed ask for the password after it’s started running; it can’t do otherwise (i.e. it can’t do anything before it starts running). The point of sudo asking for the password, even though it’s root, is to verify the running user’s identity (in its typical configuration).

Stephen Kitt
13

sudo usually asks for the password of the user running it, though this can be configured:

Unlike su(1), when sudoers requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. This can be changed via the rootpw, targetpw and runaspw flags, described later.

Setting rootpw has sudo always ask for root's password, targetpw asks for the password of the user sudo will eventually run the program as, and runaspw asks for the password of the user set in runas_default.

A sudo binary set up like that can indeed be started with root privilege by any user. Assuming sudo doesn't have any bugs with its authentication code, that in itself won't matter much.

Somewhat similarly, any process can also execute code in kernel mode, by calling any system call, say open(). (That's not the same as userspace code as root.) As long as the kernel doesn't have bugs, they won't be able to run arbitrary code, though.

ilkkachu
8

From the first line(s) of man sudo:

DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.

So:

  1. The invoking user's real (not effective) user ID is used ...
  2. Yes, any (permitted) user can gain the superuser (or other) additional privilege(s) by running sudo and then providing the (configured) authentication required. Both permitted and configured are set in sudoers file(s).

  3. Can Linux restrict that on some users?
    Yes, it can, but it doesn't. Linux is set to allow the sudo binary to make the decision based on the set of rules (security policy) inside the sudo program and inside the file /etc/sudoers. Usually, other files (also/instead) may be used.

From man setresuid:

DESCRIPTION
setresuid() sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process.

  1. The only way to gain superuser permissions granted by the kernel is to run a program suid. It can not be otherwise. It is the way Linux has selected to grant superuser permissions.

  2. After the kernel has loaded an executable that can not be modified by any other user (file and directory owned by root and writable only by root) the executable itself (sudo) authenticates the user by asking for its password (or something else as configured) and decides if and which permissions to grant.
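The decision order described in the answers above (the set-user-ID bit makes the effective UID root for every caller, so the policy lookup keys on the real UID, and authentication comes before anything is granted), as an added C example that is not sudo's code and not part of any answer. The comma-separated UID policy and the names `policy_permits`, `gate` and `drop_to_real_uid` are hypothetical; `auth_ok` stands in for the PAM result.

```c
/* Added illustration, not sudo's source: decision order of a setuid-root gate. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc exposes these only under _GNU_SOURCE, so they are declared explicitly. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

enum decision { DENY_NOT_PERMITTED, DENY_AUTH_FAILED, ALLOW };

/* Constructed stand-in for sudoers: real UIDs permitted to run as root. */
static const char SAMPLE_POLICY[] = "1000,1001";

/* Return 1 if ruid is listed in the policy; malformed policy fails closed. */
int policy_permits(const char *policy, uid_t ruid) {
    for (const char *p = policy; *p; ) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || (*end != ',' && *end != '\0')) return 0;
        if ((uid_t)v == ruid) return 1;
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* euid is ignored on purpose: in a setuid-root binary it is 0 for every
 * caller, so only the real UID says who actually invoked the program. */
enum decision gate(const char *policy, uid_t ruid, uid_t euid, int auth_ok) {
    (void)euid;
    if (!policy_permits(policy, ruid)) return DENY_NOT_PERMITTED;
    if (!auth_ok) return DENY_AUTH_FAILED;
    return ALLOW;
}

/* On denial: give up real, effective and saved IDs for good, then verify. */
int drop_to_real_uid(void) {
    uid_t r = getuid(), re, ee, se;
    if (setresuid(r, r, r) != 0) return -1;
    if (getresuid(&re, &ee, &se) != 0) return -1;
    return (re == r && ee == r && se == r) ? 0 : -1;
}

int main(void) {
    enum decision d = gate(SAMPLE_POLICY, getuid(), geteuid(), 0);
    printf("ruid=%d euid=%d decision=%d\n", (int)getuid(), (int)geteuid(), (int)d);
    return d == ALLOW ? 0 : (drop_to_real_uid() == 0 ? 1 : 2);
}
```

Setting the saved set-user-ID along with the other two is what makes the drop irreversible; a denied caller left with a saved ID of 0 could switch its effective UID back to root.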

0

In addition to the other good answers about sudo:

su allows you to effectively become a different user. On my own computer I don't run as an administrator for everyday use -- which means, among other things, I can't (directly) use sudo. If I do want to use sudo, I can use su to "become" the Administrator user, and then in that role use sudo. In that situation I end up entering the Admin account's password twice -- once when I run su, and once when I run sudo.

Stephen R