Sudo on FreeBSD

While FreeBSD does not install sudo as part of the base system, you can easily install it yourself. If you do not need anything more than basic functionality, you can install the binary package using the pkg command. Most users belong to this group. If you need advanced functionality, like Python support, you will have to compile sudo yourself from ports.

Are you surprised by the mention of basic and advanced functionality for sudo? If yes, read my article about what is new in sudo 1.9. Besides, there are lots of lesser-known features in sudo 1.8 as well. You will learn that sudo is more than just a prefix for administrative commands.

Pkg

Installing sudo on FreeBSD is as simple as:

pkg install sudo

Depending on your Internet connection, you should have sudo up and running on your system in a few seconds.

First steps

By default, sudo on FreeBSD comes with a rather restrictive sudoers file. Only the root user is allowed to use sudo. Anyone else receives a loud warning:

czanik@fb122:~ $ sudo -s
czanik is not in the sudoers file.  This incident will be reported.
czanik@fb122:~ $

Edit the sudoers file and uncomment the following line in the configuration:

# %wheel ALL=(ALL) ALL

Once you have uncommented the line and saved the configuration, you are ready for another test. Log in as a user who is a member of the wheel group and try again:

czanik@fb122:~ $ id
uid=1001(czanik) gid=0(wheel) groups=0(wheel)
czanik@fb122:~ $ sudo id
Password:
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
czanik@fb122:~ $
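
The edit described above can also be scripted so that a syntax error never reaches the live policy. The sh function below is an added example, not part of the original article: the name enable_wheel is hypothetical, and the default path /usr/local/etc/sudoers is an assumption about where the FreeBSD package keeps its sudoers file (pass another path to try it on a copy).

```shell
#!/bin/sh
# Added example: activate the %wheel rule in a sudoers file, validating the
# candidate before it replaces the original. Run as root for the real file.
# Assumption: the package's sudoers file is /usr/local/etc/sudoers.

enable_wheel() {
    sudoers="${1:-/usr/local/etc/sudoers}"
    # Work on a candidate next to the target so the final mv is a rename.
    tmp="$(mktemp "${sudoers}.XXXXXX")" || return 1

    # Uncomment only the plain "%wheel ALL=(ALL) ALL" rule (or its
    # "(ALL:ALL)" spelling). The NOPASSWD variant stays commented out.
    sed -E 's/^#[[:space:]]*(%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL)[[:space:]]*$/\1/' \
        "$sudoers" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Stop if the rule is still not active, e.g. a customised file.
    if ! grep -Eq '^%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$tmp"; then
        echo "wheel rule not found in $sudoers" >&2
        rm -f "$tmp"
        return 1
    fi

    # sudo refuses sudoers files that are writable by group or others.
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # Syntax-check the candidate when visudo is installed.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi

    # Keep a backup of the previous policy, then swap the new one in.
    cp -p "$sudoers" "${sudoers}.bak" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$sudoers"
}

# Usage, as root:  enable_wheel
# Dry run on a copy:  cp /usr/local/etc/sudoers /tmp/s && enable_wheel /tmp/s
```

Keep a root shell open in a second terminal until `sudo id` works for a wheel member, so a mistake can still be undone.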

Compiling sudo

Many of the advanced features of sudo are only available when you compile it yourself from ports as they require extra dependencies, like LDAP or Python. And some features are disabled by default, because while they are popular, they are also controversial, like my favorite feature: insults :-)

To compile sudo, change to the /usr/ports/security/sudo/ directory. As a first step, choose which features to enable:

make config

This shows a menu where, on first run, you can see the default settings used to compile the sudo package. When you use pre-compiled binaries provided by the FreeBSD project, they use these settings. Some notable settings not enabled by default include insults, LDAP, Python and Kerberos support.

I enabled insults, as that feature is easy to verify, saved the configuration, and then compiled and installed the results:

make install clean

You are now ready to test insults by entering an incorrect password a couple of times:

czanik@fb122:~ $ sudo -s
Password:
I've seen penguins that can type better than that.
Password:
You type like i drive.
Password:
sudo: 3 incorrect password attempts
czanik@fb122:~ $

As you can see, there is nothing really harmful here. It is sysadmin humor and I love it. But some people find it offensive, so it is disabled by default. Of course, insults is not the most useful sudo feature, but it is definitely fun and easy to test.
