Interview: Inventing The Unix “sudo” Command

It was just one of these nights. We were sitting at the O’Neil’s San Mateo Pub, taking a break after a long day at the Maker Faire. Hackaday was hosting an informal drink-up and a steady stream of colorful characters has just started flowing in. That’s when we met [Robert Coggeshall].

XKCD comic #149
[xkcd, 149]
It started off as a normal discussion – he runs Small Batch Assembly and does a lot of interesting things in the maker space. Then he brought up a fascinating detail – “Oh, did you know I also co-invented sudo back in the 80’s?”

If you ever did as much as touch a Unix system, you’ll know this is a big deal. What came as an even bigger surprise was that something like sudo had to be “invented” in the first place. When thinking about the base Unix toolkit, there is always this feeling that it all emerged from some primordial soup of ideas deep inside of Bell Labs, brought to life by the infinite wisdom of [Ken Thompson] and the rest of the gang. Turns out that wasn’t always the case. We couldn’t miss asking [Bob] for an interview, and he told us how it all came about…

The Hack

[youtube=https://www.youtube.com/watch?v=LaAwl3HN5ds&w=580]

The story itself is a fairly common one – it starts with a problem and ends with a hack. [Bob] and his colleague [Cliff Spencer] were working at SUNY/Buffalo at the time, and [Bob] was in charge of administration of their Unix infrastructure. Since Unix was a multiuser system from the very beginnings, being a sysadmin meant executing a lot of commands as a superuser. The standard way of doing so was using the “su” command, which enabled user to switch to a superuser mode. While this generally did the trick, it opened a lot of opportunities for human error – it was just too easy to forget you’re in a “root” mode and end up causing inadvertent damage to the system. [Bob] and [Cliff] thought of a better way – instead of constantly switching, why not simply create a tool that enables executing individual commands as a superuser, without changing the actual user id in the shell. They quickly whipped up a hack that combined two standard Posix system calls – setuid() and execvp() in order to achieve such functionality. The command was named “sudo“, short for superuser-do ([Bob] insists that correct pronunciation is /ˈsuːduː/, not /ˈsuːdoʊ/).

Going Open Source

After proving to be an indispensable tool in the sysadmin arsenal at SUNY, sudo slowly began to make its way into other research groups and was formally “open sourced” in 1985. In those days Open Source was not yet all the rage (Richard Stallman had just come out with his GNU Manifesto the same year), so the act of “open sourcing” essentially meant posting the source code on the Usenet. And on December 15th, 1985 that’s what they did. [Bob] helped us track down the original message posted to the net.sources group.

There be trolls

Another fascinating historical artifact that can be found in the thread following the original post is an early example of the Internet Troll species:

--
isn't this the same as saying:
su -f root -c "some commands here"

why reinvent the wheel? plus this doens't have to be recompiled when
there is a new root passwd.

i find that most unix programs get written again and again and again,
when the one you wanted was already there in the first place.

tom
--

Though it is true that sudo didn’t invent anything fundamentally new, it did something better – it provided an efficient solution to a real problem. And because [Bob] and [Cliff] cared enough to share it with the world, other people happily adopted it and continued to improve. Today sudo counts 9944 lines of code (up from 153 lines in the original release) and is maintained by [Todd C. Miller]. Over 30 years in age, it still continues to receive code contributions and regularly issues new releases.

114 thoughts on “Interview: Inventing The Unix “sudo” Command

  1. “[Bob] insists that correct pronunciation is /ˈsuːduː/, not /ˈsuːdoʊ/”

    Seriously ? This crap again ? This is on the same level as “nerd vs geek”, and the only people who give a toss about it don’t belong in either group.

    Nitpicking about the pronunciation of a command is ridiculous.

    Aside from that, an interesting interview. :)

    1. I think the pronunciation is fairly obvious… anyone pronouncing it with the same ending as Pseudo is trippin’

      sudo actually makes less sense know than the 80’s since we have more things to remind us of if the console we are interacting with is root or not… (window titles, color consoles etc.. )

      1. The intent isn’t just to remind you that you are performing operations as root, but to act as a gate keeper to determine who can do what as root. It is far easier to remove a person from the sudoers file than to change the root password and notify 30 people of the change. Just because Tim needs the ability to execute shutdown / reboot commands on the financials server doesn’t mean he should have the ability to impersonate Jill and use her credentials to change his wages in the payroll database…

          1. Apparently you do not understand what sudo does and how to properly configure it.

            A properly configured sudoers file will allow you to not only control WHO can user it, but also WHAT they can do. This is why su and sudo are NOT the same thing anymore (maybe back in 1985 they kinda were, but that is no longer the case and has been for some time).

            You don’t simply say “these people can use sudo and can do anything root does.”

            Though you can, it’s poor practice. You can group people and limit the commands they can run so that someone cannot simply run “sudo bash” and poof they become full superuser.

          2. Or just “sudo su”, like so many command line tutorials around the web insist on, even though it really only makes sense on distros like Ubuntu that have the root account disabled by default.

          3. I’m replying to the replies to this, not to your post. But the reply button on those replies is absent.

            The thing is that privileged commands are usually privileged for a reason. Once you have the permission to run one command as root, it is usually trivial to leverage that permission to full root access.

            This is partly because the commands you’ll be having permission for are (apparently) not setuid-root. So they are not scanned for “the usual suspects”.

            A slightly “too trivial” example that everybody will understand: Suppose we want to allow Jill to edit /etc/resolv.conf because she does networking stuff. So you allow jill to run sudo vi /etc/resolv.conf. You specify the argument to “vi” so she wont “sudo vi /etc/passwd” to change her UID into the number 0. But once in vi /etc/resolv.conf she can :e /etc/passwd and read/modify/write the passwd file. All functionality builtin, no bugs required. Just published behaviour.

      1. I was shocked to realize that I actually have been pronouncing it the way the creator intended all this time. I don’t usually do that; for example, I pronounce SATA as “ess ay tee ay” (i.e. spelled out), instead of “SAT-ah” like most people in the tech world. “SAT-ah” just sounds silly to my ears, much like “scuzzy” for SCSI did back in the day.

          1. @Tom, I skull your comment.

            Cool interview. Seems obvious now that you would want a sudo command and Microsoft even tried to get on board (kinda) with UAC. Still, it’s this type of “invention” that causes a paradigm shift. When I learned Linux, I always set up sudoers and use sudo rather than su.

          2. We didn’t (AFAIK) have it on the System V, Honeywell Bull mini we had in the early 90s at college. Wyse 60 serial terminals, oooh! So I dunno how popular it was and why our system didn’t have it. The students spent half our time hacking the thing and finding out interesting stuff to do, so sure we’d have seen it under “su” in the ls -la.

          3. Oh, I see I mentioned that the other day, pardon me. Doesn’t take much excuse to get me going on about those terminals tho, they were LOVELY! Stil want one to run off a serial port now. On Ebay they’re not cheap.

            Ironically you can get the “thin client” stuff Wyse (and everyone else) made later in the 1990s / 2000s, for almost giveaway prices. $30 or so for a “thin client” from the stupid “let’s push thin clients on everbody (but make sure they run Intel and Windows)” fad of a few years ago. Real, proper 8-bit serial terminals still go for well over $100.

  2. Hmm, was hoping that this article may give me some idea of “why” but even after 20 years of using only Linux that still evades me. Perhaps never using it is my problem.

    1. “While this generally did the trick, it opened a lot of opportunities for human error – it was just too easy to forget you’re in a “root” mode and end up causing inadvertent damage to the system.”

      I believe that answers your question. :P

      1. Sadly no. What does more damage, configuring under root and giving no one the password, letting users do what they need to and if they can’t they ask you or giving them the ability to run commands that they shoudn’t?

        Sudo is installed by default on all distributions that I know so removing it is just another thing you have to do before you can let Billy Moron loose on the machine.

        1. What distributions let any user run sudo by default? None that I’ve used, excluding the first/only account created by default in ubuntu. All subsequent users are blocked from sudo.

          1. But that one is enough if you are sticking a one user system on a laptop for someone and I would think that is the most common system installed by the masses. I am sure I am wrong here, because I cannot believe so many people use it and think it is good. I tend to believe that if you f*** up then you are to blame and if I do something stupid as the root user then I will accept the consequences, there is nothing quite like giving yourself several days extra work for teaching you to be careful. :)

          2. I think the idea is, that an admin, which nowadays since desktop Unix (ie Linux) has arrived, is often the sole user, can spend most of his time in user mode. Even if you own the machine, spending all day as root means you can make bigger mistakes, while not giving any real advantages.

            So the single user can spend all day as a user, where his machine is protected from many mistakes he might make, or anything that’s invaded his user account. But since he’s the sole user he also needs to tweak and administrate things. Instead of making him log out and back in again, for just one or two jobs, he can use sudo. Sudo checks he’s allowed to use it, and does whatever important system job while the guy can still stay in his nice safe user account all day.

            Unix wasn’t designed, CMIIW, to be used in root mode all day. The root account is only for adminning the system, not normal user-type tasks. Sudo’s just a shortcut. The sort of thing that starts off as a shell-script and ends up growing into a system tool.

            Personally we didn’t have it on the Unix I learned on, with Wyse green-screen terminals and all, and we didn’t miss it. If you’ve no need for it on your system you can always delete it. But security-wise, being able to isolate specific tasks to root-land, is much safer than spending all day there exposing the system to bugs and threats, running your ordinary software as root needlessly.

            Which is a problem Microsoft eventually got around to looking at. Maybe they’ll have a go at doing it properly some version number / year / Spanish word / version number in the future.

        2. That’s what the sudoers file is for. Usually only users in an admin-group can use sudo. Regular users cannot. So if you setup a computer for your friend Billy Moron, jsut make sure he is a regular, unprivileged user.

        3. “billy moron” can’t run programs they shouldn’t if they don’t have the root password. that’s the point. sudo requires you to enter the root password to run programs with root permissions.

          1. No – if you had the root password you could login as root…or su to root.

            Sudo provides the setting to allow certain users access to run certain commands with root permissions. The password sudo asks you for is your password, not the root password.

    2. I never understood it either. The only time I ever use it is to do this once on systems that don’t have a root password by default:

      sudo passwd

      From then on, I just use su. I cannot think of any time that I’ve wanted to run exactly one command as root.

    3. The problem is that you are looking at the wrong problem:
      – Your problem is manage a system with only one user: you. You have the root password, you can do anything, can blow up the system, and nobody cares.
      – His problem is how to manage a system with N users (where N > 10, probably N > 100), and make sure that some authorized users could run a few privileged commands, without giving the root password for all of them. Changing the root password would need to tell the password to every trusted user. If someone changes the password and forgets it, everyone is locked out unless there’s a backdoor somewhere, and backdoors are a terrible thing to plant on a system.

      I am a sysadmin, and we have LOTS of users. Some of them are devs, they create a poorly designed and poorly tested application on our servers, and the server crawls like a crippled tortoise. This happens a lot because they tested on an environment with only one user (the dev), and thinks it will behave the same once a hundred thousand users connect at the same time.

      su -c asks for the root password, the master key. sudo asks for the user password, the ordinary key, and only trusted users can run trusted commands.

      If you think sudo is useless, you are thinking just like my devs…

  3. >the thread following the original post is an early example of the Internet Troll species:

    Pointing out valid information has only been “trolling” since the “don’t be rude to me or I’ll tell my dad on you” generation of cry babies have taken over the internet.

    1. I agree with cantldo. It’s not trolling if you are asking a legitimate question, which that was.

      (OK, a confession. I just read the article and didn’t watch the video. But…) The clearest benefit to me of sudo is that you don’t have to give out a single root password to N entitled people. Each uses his/her own password with sudo. The whole world of superuser password management gets simplified by an order of magnitude. That obviously doesn’t matter much for a single-user system, but it goes up an N**2 for shops with many admins.

      1. Of course, now every user that is allowed to use sudo essentially becomes a superuser, and needs to have his personal password managed as if it was a superuser password.

        1. Yes, but only because that’s how everyone should treat their own password(s) anyway.

          If, using your (implied) logic, there are varying degrees of acceptable password management which depend on how much access an account garners the beholder, then I would have to say *No*, as sudoers could have varied access and would only be considered “superusers” for the allowed commands associated with their individual account.

        2. And if someone transfers to a department that no longer needs superuser access, you can just remove them from the list of people that can sudo.

          Were you handing out the root password to everyone, you’d have to update the password, tell everyone that needs to know, and either hope the removed person doesn’t ask someone for the new password or very publicly broadcast to everyone that so-and-so no longer has access to the system’s superuser. And hope the person they ask remembers they no longer have that access.

          (also misclicked report comment, meant to reply)

          1. If you can’t trust a person, it is very dangerous to give them sudo access in the first place, as they can use it to create a back door for themselves later.

        3. Sudo can be configured to give a user full root privileges, (which is the default for the first user created in Ubuntu).

          However, it is designed to allow restricted access to specific commands.

          For example, one of my devs has access to Mount as rsu, but no other commands.

    2. @cantido
      I like that you pretend this is some kind of new development and not an age-old problem with managing people. Like, if you can’t think of a single historical case of some powerful individual who doomed him/herself buy building a hug-box of yes-men then I don’t know what to tell you.

    3. TRUE!!! Any critial comment these days gets twisted to trolling by whiney asses these days.Your work will be judged by others should it see the light of day, and god forbid someone might know something you don’t and maybe a better way of doing something. But if tyou don’t word things for a 4 year old who just lost their puppy, look out! you’ll get labled a troll and tossed under a bridge somewhere.

  4. “It’s the same as typing a longer command” <- by people that prefer to type more, rather than less, I guess.

    I suppose the most basic functionality could be done as a bash alias.

      1. Sure, those commands don’t differ much in typing effort but they require different passwords to make happen. If you are the main user and root, it probably doesn’t matter one bit. I administer systems with multiple non-privileged users and a couple of privileged ones. It is MUCH nicer and easier to manage to use sudo and not have a single root password passing through multiple hands. As for Billy Moron, when I set up a system for friends or family that first, default privileged user is set up for me (to handle sysadmin tasks that they will INEVITABLY come to ask about). The last step in my setup is to make a non-privileged account for the person I’m building the system for. If they get to understand their system, I can simply add them to /etc/sudoers later.

      2. but it’s not the same – users don’t require the root password, and they can be restricted to running only certain commands with root priveleges, not all commands.

        Furthermore the sudo logs this access and commands run – with su, you’d only have the ‘login’ logged.

        1. That’s true. But even with the quotes they would be the same length and that’s the point I was making. If the length of stuff you have to type is the only reason sudo exists then it would be pretty pointless.

          1. I’m still not convinced your point is valid, given the line shown in the article. But hey, if you’re going to congratulate yourself without bothering to respond to questions, there you go.

      1. Well, if that’s true then there are a lot of people who say a lot of things “wrong.”

        Generally, however, any pronunciation that is adopted by a large percentage of people that use the word ends up being considered correct. I think by that estimation, either pronunciation would be considered correct.

        He himself states that he doesn’t care how people pronounce it. He just says ‘SOO-doo’ himself.

        Personally, I generally tend to say ‘SOO-doe’ when I’m pronouncing it phoneticially or ‘ess-yoo-doo’ if I’m referring to its origin. It’s easier to get people to type it correctly that way. Really, if you’re going to say that ‘doe’ is incorrect because it’s from the word “do,” then how is ‘soo’ correct? Like Mr. Coggeshall, though, I don’t have a problem with whichever way people feel like saying it.

      2. No. The rules of grammar and pronunciation are descriptive rather than prescriptive, no matter how much middle school English teachers may protest. The creator is the final authority on how the term they coined was *intended* to be pronounced, but how it’s actually pronounced defines what is correct in general parlance, for better or worse. Understanding this fact is the universal chill pill for language nazis everywhere.

        How I learned to stop worrying and love the sue-dough.

    1. You must use a strange alphabet if “Sudo” comes next to “Jif” , the mis-pronunciation of “Les Miserables” which everyone knows is really pronounced “Miserable Les”should surely come between them in your database.

    2. It’s “su”, as in super, sounds like “sue”. Then “do”, as in “superuser, please do this task for me”. Su-do. It’s obvious, how can anyone get it wrong?

  5. The comment that you claim is a troll is actually responding to the previous programs posted on the thread, e.g. asroot (“recompiled when
    there is a new root passwd”.) Tom Christiansen probably would have recognized the value of sudo over su -f root since sudo doesn’t require root password.

  6. Somehow Unix Greybeards managed for decades not to f**k up their systems using root, then Unoobtu comes along and tells everyone users are too stupid to be trusted.

    Sudo this sudo that sudo everything is about as useful (and ten times as annoying) as all the UAC popups in Windows Vista.

    1. I feel I have to add also that the “if it aint broke don’t fix it” has also disappeared from Linux now and updates seem to add more broken bits and bloat rather than just being about mending stuff. Where do I go next once I get totally peed off with it, that is the hard one to solve. The latest one to annoy me was the Chrome update a few days ago, the mouse now lets go of the side scroll bars if you move too far from the window, that is so irritating. :) Still has a long way to go before it stops being the most usable OS in the world though. :)

    2. Of course for those decades being a Unix Admin meant only being a Unix Admin. Now it means software development, project management, virtualization, clustering, sans, networks, hardening, tunneling, dba, accounting, salesman, and so much more.

      Long past are the days of the lone admin in the basement of some huge building typing away on a model m connected directly to a machine.

      Information tech has grown up. Part of that means accepting that everyone makes mistakes.

  7. Interesting, because in the “old” Unix world (around 1980-1990), there was a command (if I remember correctly, it was an obscure hack picked somewhere that we compiled on our system) doing approximately the same thing, called “…” therefore hidden to a normal “ls” command : it was the time of security by obscurity :)

    1. sure it’s a hack he and his partner in crime hacked the available set of commands for an operating system, and sounds like the command itself was subject to hacking.

  8. SUNY Buffalo is the University at Buffalo (www.buffalo.edu). Buffalo State College is a different place. Bob is talking about the University at Buffalo.

  9. The comment about tom being a Troll is very unfair. He was referring to the force.c program posted in the same thread which requires the encrypted root password be compiled into the program. tom’s comment is completely legitimate in that context.

  10. That’s nice. Did I ever say that Dennis Ritchie grew up in my home town? Because he did. He moved a few miles away but I’d still see him around from time, to time. Now there’s someone famous in the computing world.

  11. In light no one does and most likely can’t know everything there is to know about everything, I’m going to call BS on the notion than pronunciation isn’t important. I grew up in a community where anyone 10 years older than I spoke one of several dialects of German as a second language. That colored their English so much often I was left to figure out WTF they where talking about. I once visited an relative that had a car being repaired by body shop of “Mexicans” for whom English was their second language. The body man was telling my relative he he still had to “black it”, that’s what in sound like to me. As he continue to say that as he continued to speak with my relative, it was clear he meant he needed block sand the work. where a user password becomes a pseudo root password I can see where some came to that pronunciation. In my opinion history is important, so Coggeshall, while it’s beyond his control should have the last word.

    The audio of Bob’s voice was up and down as it played here. Perhaps it was due to inconsistent mic placement, but where I was listening while doing email I wouldn’t noticed. In the age of digital audio surely there’s a way to eliminate the wind noise somehow

      1. Well, based on my experience, it would be pronounced (and sometimes, spelled) the same way. Best ever was an office e-mail which named someone as a “pillow of the community”.

    1. “10 years older than ME”, not “I”. One of the more annoying over-corrections. Almost as bad as calling the eighth letter of the alphabet “haitch”. I’ve been known to break people’s spines for doing that.

    2. pseudo is pronounced “sedo” or “say-doe” in places that sudo is pronounced sue-doe. It’s only “sue due” if a space separates the su do. Same for SCSI being scuzzy and not sexy which would be SXSI or the spanish variant SXCI (not really serious of course).

      1. I’m not seeing any of that. For example: “pseudo |ˈso͞odō|”

        Your suggested pronunciation for sudo doesn’t make sense as it’s not a Japanese word, so it shouldn’t be pronounced like judo.

  12. Like it or not, language is a collective understanding. Words and born and die. Meanings shift over time. A creator of thing only has limited control over it and generally only for a short while.

    The words as we use them today will evolve and no matter how much you battle, if the population insists on using “Literal” for “Figurative” can you even hope to address “sudo?”

    I just felt the need to axs that.

  13. A lot of people don’t realize this, but Sudo is developed by an OpenBSD developer, Todd C. Miller, who is also credited for creating the strlcpy/strlcat API that is widely used today (*BSD, Apple, Android, Linux kernel).

    http://www.courtesan.com/todd/papers/strlcpy.html

    Michael W Lucas has written a book on Sudo that is a good read, he also recently presented at BSDCan 2014′ on Sudo.

    https://www.michaelwlucas.com/nonfiction/sudo-mastery
    http://www.bsdcan.org/2014/schedule/events/456.en.html

      1. Thanks for the link. I’ve read a lot about him, but never actually seen him or heard him speak. Just from that little bit (and what I’ve read), I think I like him. :)

  14. It’s so nice to read a “You’re doing it wrong!” fest, but really, in the end as long as who ever you’re around understands you, you should probably refer to the “when in rome” rule.

    And, as for southerners, the rule is to put an “H” phonetically after the first vowel. So,
    Martha becomes Mahtha, etc. As such, the phrase “yew aint from around hair, is ye?” isn’t talking about a tree known for it’s strength and resilience.

    So, it’s common to be able to tell what someone is saying by context (unless they’re scottish – no one can understand them even other scots!) ; )

    1. ROFL! Anyone else remember Ozzy saying, “rayeeo-own”, over and over to the TV remote?

      He also said something along the lines of, “Peepel say I talkis way ‘cauza alla drugsz, but I’m just Sco-ish, it’sow weall talk.”

  15. 9944 lines of code? Yikes! How complicated can it be to check for the privilege and then pipe the given command as root? I suppose a gander at the source is in order.

  16. sudo was created by people who don’t understand security.
    No, it’s not exactly an accepted unix idiom. And in it’s default form, it’s generally only used by newbies.

  17. OK, I’m persuaded. The problem now moves to the distros. I think that if you are a big user / installer of Linux with multi-user systems then you had better know what you are doing. The same is not true for those of us that prefer Linux and would like more people to make daily use of it. We want to persuade people that it is easy to install and use, is stable and gives no problems.

    It would help the not too experienced people if sudo was not there by default and root password was set at install or a compulsory root access account was set up as well as a user account that didn’t have sudo.

    As it is now you can’t just stick a CD in and install without opening a command window and typing things, this puts so many people off.

    The way it is now you either:
    Install from CD, set root password, delete sudo
    or, more correctly:
    Install from CD, add a new user, edit sudoers to restrict the user using sudo and the first account to do it.

    The first option is a lot quicker and easier, it is safe and secure. In order to force people to do it “properly” the distros need changing on their default installation. This change will not affect the multiuser admins.

Leave a Reply to JohnCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.