Solaris

sudo is a software package, which allows to permit certain commands to be executed by certain users under a different user id (usually root).

Normally every process inherits all the rights (including the user id) from its father process. At the top of this chain is the login shell of the user originating the process. Example: you log on to a machine as user "foo". The system starts your login shell, which will run under your user id - foo. Now you start some program, say, ls. The father process of this ls is your login shell, therefore the ls runs with your user id too. If *you* (that is: your user id) are not allowed to read a directories contents this instance of ls won't be allowed too. If root would invoke the same ls to list this directory it would work, because root (and hence all processes started by root) is allowed to do that.

Sometimes it would be nice to allow users something which under normal circumstances only root is allowed. For instance: there is a directory where some people can write to. We appoint one of them to take care that anything superfluous in there is deleted to keep it clean. We have to give this person the power to even delete files which do not belong to him, just as root could do. We still would not want to give this person the same rights in other places, just in this directory.

To achieve this (and similar things) sudo was designed. It will grant a certain user root power for a certain command. "Command" in this case includes a specific command including even a certain set of options. For instance you can allow a user to issue an "ls -a" with root power but still forbid "ls -i" - that is, he can issue "ls -i", but only so with his own rights, not with the rights of root.

The operation is controlled by a file /etc/sudoers, which you will have to customize to your needs. There are four logical parts to it, three declarative ones and the rights definition itself:

Hosts: a list of hostnames
commands: a list of commands
users: a list of users
rights definitions

All the rights definitions in the file take the form of: allow user-group x the execution of command-list y on all hosts of the host-list z. The various lists are defined by declaration and can contain one or more entry, so to entitle one user with the right to execute one command on one host just create a user-list with the user as the single element, then a command-list with the command as single element, a host-list with the host as single element and finally bind these three together by creating the rights definition that allow the group to execute command-list on all hosts in host-list.

For further information consult the man page of sudo or the various how-tos floating around on the internet.

bakunin