What does sudo service do?
Short answer
To revoke the 'cached' authentication actions of users on reboot. It's not a daemon, just a script run at boot time.
Extensive answer
By inspecting the init file /etc/init.d/sudo that 'starts the service', you can easily see what it's doing:
    case "$1" in
      start)
        # make sure privileges don't persist across reboots
        if [ -d /var/lib/sudo ]
        then
            find /var/lib/sudo -exec touch -t 198501010000 '{}' \;
        fi
        ;;
      stop|reload|restart|force-reload)
        ;;
      *)
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
    esac
So, basically, it just touches some files in /var/lib/sudo on start of the system to give them a very old modification timestamp. As a result, the 'cached' granted authentication actions are revoked on the start of the service (which happens at boot).
Some more detail on the /var/lib/sudo directory and those time stamps, please? Well, from the manpage of sudo(8):
[...]
Once a user has been authenticated, a time stamp is updated and the
user may then use sudo without a password for a short period of time
(15 minutes unless overridden in sudoers).
[...]
Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a
command with sudo after authenticating, logout, login again, and run
sudo without authenticating so long as the time stamp file's
modification time is within 15 minutes (or whatever the timeout is set
to in sudoers).
[...]
/var/lib/sudo Directory containing time stamps
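The effect of that start) branch on the modification-time check the quoted man page describes, as an added example that is not part of the original answer or of the sudo package. It works on a constructed temporary directory rather than /var/lib/sudo; the helpers ticket_valid, revoke_tickets and demo and the alice/0 ticket path are hypothetical names.

```shell
#!/bin/sh
# Added illustration: models the mtime-based time stamp check from the
# man page excerpt on a throwaway directory. It never touches /var/lib/sudo.

# ticket_valid FILE TIMEOUT_MINUTES
# Succeeds when FILE was modified less than TIMEOUT_MINUTES ago, i.e. the
# cached authentication would still be honoured.
ticket_valid() {
    [ -n "$(find "$1" -maxdepth 0 -mmin "-$2" 2>/dev/null)" ]
}

# revoke_tickets DIR
# Same operation as the init script's start) branch: back-date every entry
# under DIR to 1985-01-01 00:00 so no timeout window can contain it.
revoke_tickets() {
    if [ -d "$1" ]; then
        find "$1" -exec touch -t 198501010000 '{}' \;
    fi
}

# demo: create a fresh ticket, check it, "reboot" (revoke), check again.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/alice"            # constructed per-user directory
    : > "$dir/alice/0"            # constructed ticket, mtime = now

    if ticket_valid "$dir/alice/0" 15; then before=valid; else before=expired; fi
    revoke_tickets "$dir"
    if ticket_valid "$dir/alice/0" 15; then after=valid; else after=expired; fi

    rm -rf "$dir"
    echo "$before $after"
}

demo   # prints: valid expired
```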
The sudo service file exists to make sure that privileges called for don't stay after a reboot. Basically it guarantees that after rebooting, normal users that called for root permissions will stay as normal users.
A detailed explanation about sudo
All of the explanation below is to get all the information for everyone that reads this question and to then explain what the sudo file in the service folder is doing there.
When you install Ubuntu or any other distro that uses sudo, the difference between being root and being a user that uses sudo for gaining "root like" privileges (Administrative or super user Privileges) is the following:
As root
- You are not asked for a password for each or all commands you run on a session
- Not all commands you execute will be logged by default
- The system assumes you know what you are doing (Reason why it does not ask for a password each time you execute a command)
- There is no second chance or last minute option if you make a mistake
As sudo
- You are asked for a password for each or all commands you run on a session. For example if you open a terminal and execute a command that needs administrative privileges it will ask the password once for that session until you close the terminal or logout. This varies depending on what command you use and where. It might ask once or multiple times.
- All commands you execute will be logged since you are actually asking for permission to use a super user privileged command.
- The system assumes you are asking for permission temporarily and the administrative right will be lent temporarily (Until you logout, close terminal, etc..)
- You have a last minute option to correct any mistake. This is done in the moment you get asked for the password.
Why was SUDO Created
The creation of SUDO was done because in the past, using root created more problems than solutions. Users had all rights, which meant that if they did some spring cleanup and literally deleted the /usr, /lib and /bin folders (because they thought they did not need them).. guess what would happen. Many problems in the past were because users did not know the power they had when using root. Basically they had root but did not understand Linux, the file system hierarchy, what files were important, etc.. (Something like having a Ferrari and not knowing how to drive... on a highway!)
SUDO is also used by GUI apps (Like Update Manager) when they need temporary administrative privileges to do something. They only need it for a specific amount of commands (Typically 1) and then they go back to the user level privilege. This is to avoid having root privileges all the time and to avoid making a mistake if the user decides to remove some important part of the system.
Additionally it gives a better security because the root user comes disabled by default.
Last, if you have a Desktop PC or Server, you really do not want everyone to be root, nor to have all admin privileges. Very bad idea if your little sister or little brother starts to wonder what would happen if /boot met DEL key. This is where sudo comes in to decrease the chance something bad happens.
What does Provide limited super user privileges to specific users mean?
sudo user or sudoers actually have a configuration file that tells them how limited or opened the sudo command for a specific user is. The file /etc/sudoers has all information to limit or give access to a sudo user. By default it comes with access to everything, but you can configure or limit this as you wish.
For information on how to use the sudoers file type man sudoers in a terminal. For example the normal format is:
USER HOST = COMMANDS
For example cyrex server1 = /bin/ls will give the user cyrex in the host server1 access to run the ls command.
For example cyrex server1 = (root) /bin/ls will give the user cyrex in the host server1 access to run the ls command as root.
For example cyrex ALL = /bin/ls will give the user cyrex in all hosts access to run the ls command.
For example cyrex ALL = ALL will give the user cyrex in all hosts access to run all commands.
For example luis ALL=(root) NOPASSWD: /bin/kill, /usr/bin/killall will allow me to run sudo for the kill and killall commands as root without asking for a password.