
Note · 03

The Sudoers File

On the question of who gets in.


There is a small list on every computer that decides a lot of things.

It is the list of people who are allowed to do root things. Engineers call it the sudoers file.

Most people who use the computer have no idea it exists. But it shapes everything they can and cannot do.

By default, a regular user has limits. They can do their job, in their workspace, with their name. We covered this last time.

But sometimes a regular user needs to do something only root can do. Install a program. Open a protected file. Restart the machine.

The system has a way for this. It is called sudo.

When you type sudo before a command, the system asks: are you allowed?

It opens the list. If your name is on it, the command runs. If not, you get an error. The error has a name everyone knows.

permission denied.

Diagram one — the list.

  • anna
  • marcus
  • lila
  • james
  • sarah
  • daniel
Some are on it. Some are not.
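To make the check in the paragraphs above concrete, here is a small Python model of it. It is an added example, not code from the note and not how the real sudo binary is written: it parses a constructed sudoers-style policy (the names anna, marcus, lila, james, sarah, daniel are taken from the diagram; the group membership, rules and command paths are made up), decides whether a given user may run a given command, and separately shows why a regular user cannot write their own name into a root-owned file with mode 0440. Real sudo reads a much richer grammar than this toy parser handles (aliases, host lists, negations, include files), so treat it as an illustration of the lookup, not as a policy evaluator.

```python
"""Toy model of the sudo policy check described in the note (added example).

Constructed policy, not a real system's file: anna and marcus may run
anything, lila may run one command, james is allowed through the %wheel
group, and sarah and daniel are not listed at all.
"""
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed sample, not a real /etc/sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
anna        ALL=(ALL:ALL) ALL
marcus      ALL=(ALL) ALL
lila        ALL=(ALL) NOPASSWD: /usr/bin/systemctl
%wheel      ALL=(ALL:ALL) ALL
"""

# Constructed group membership, standing in for what /etc/group would provide.
SAMPLE_GROUPS = {
    "wheel": {"james"},
    "users": {"anna", "marcus", "lila", "james", "sarah", "daniel"},
}


@dataclass(frozen=True)
class UserSpec:
    principal: str   # a user name, or "%group"
    commands: tuple  # ("ALL",) or explicit command paths


def parse_sudoers(text):
    """Parse user-spec lines of the form  <principal> <host>=(<runas>) [TAG:] <cmd>[, <cmd>...]"""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("Defaults"):
            continue                               # Defaults lines carry no grant
        left, sep, right = line.partition("=")
        if not sep:
            continue                               # not a user spec in this toy grammar
        principal = left.split()[0]
        cmd_part = right.strip()
        if cmd_part.startswith("("):               # strip the (runas) clause
            cmd_part = cmd_part[cmd_part.index(")") + 1:].strip()
        tokens = [t for t in cmd_part.split() if not t.endswith(":")]  # drop tags like NOPASSWD:
        commands = tuple(c.strip() for c in " ".join(tokens).split(",") if c.strip())
        specs.append(UserSpec(principal, commands))
    return specs


def is_permitted(user, command, sudoers_text=SAMPLE_SUDOERS, groups=SAMPLE_GROUPS):
    """The question sudo asks: is this user, directly or via a group, allowed this command?"""
    for spec in parse_sudoers(sudoers_text):
        if spec.principal.startswith("%"):
            matched = user in groups.get(spec.principal[1:], set())
        else:
            matched = spec.principal == user
        if matched and ("ALL" in spec.commands or command in spec.commands):
            return True
    return False


def sudo_request(user, command):
    """User-visible outcome: the command runs as root, or the error everyone knows."""
    if is_permitted(user, command):
        return f"run {command} as root"
    return "permission denied"


def can_write_file(user, user_groups, owner="root", group="root", mode=0o440):
    """Classic DAC write check. With mode 0440 nobody has a write bit, so only root,
    who bypasses these bits, can change the list. Assumes root is the owner."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & 0o200)
    if group in user_groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


if __name__ == "__main__":
    for name in ("anna", "james", "lila", "sarah"):
        print(name, "->", sudo_request(name, "/bin/ls"))
    print("anna can edit the list:", can_write_file("anna", {"users"}))
```

Two things the code makes visible that the prose only states: membership can be indirect (james is nowhere in the file by name, only through %wheel), and the grant can be narrower than "everything" (lila's single command). The write check is why the list is edited with visudo running as root rather than by the user who wants to be on it.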

This is a small fact about every computer.

You cannot put your own name on the list.

You can try. You will get the same error. The list is owned by root. Only root can change it.

To get your name on the list, someone with root has to add it.

This isn't a flaw. It's the point. If users could add themselves, the limits would mean nothing.


Now the question.

Who gets root access?

You cannot add yourself.

You can try. You can be a very good user. You can run helpful commands. You can never break the rules. None of it puts your name on the list.

For your name to be on the list, root has to write it there.

Diagram two — being added.

  • anna
  • marcus
  • lila
  • james
  • you
You don't add yourself. Root does.

In post two, we said root opened a user account and ran as a user, and the program was killed, and the program came back.

This is what that was for.

The cost of writing your name on the list was paid in post two. Root paid it.

The Bible has a way of saying this that engineers don't usually get to hear:

For it is by grace you have been saved, through faith — and this is not from yourselves, it is the gift of God, not by works, so that no one can boast.

It is the same as:

For it is by root's action you have been added to the list, through trust — and this is not from your own commands, it is the gift of root, not from what you ran, so that no process can boast.

It is the same sentence.

You did not add your name. Your name was added.


Once your name is on the list, the only thing left is to use it.

You type the command. You put sudo at the front. The system asks for your password — and your password is not a wage. It is just your simple trust that the access you've been given is real.

You hit enter.

The command runs.

Diagram three — the only request the kernel was waiting to grant.

you

The whole gospel in four letters.

The word sudo, for what it's worth, is short for substitute user do.

You are saying: do this as someone else. Do this as root.

In the gospel, this is what prayer is. This is what faith is. You are not telling the kernel do this because I earned it. You are telling the kernel do this in the name of the one who paid for my access.

That is the only request the kernel was ever waiting to grant.


There is an honest objection here.

How do I know my name is on the list?

You can't read the list. The list is owned by root. You don't have permission.

But here is what the Bible says about this list:

Whoever calls on the name of the Lord will be saved.

In other words: whoever runs sudo finds their name was there.

You don't need to read the list to know you're on it. You need to type the command.

If you type it in good faith, the command runs.

That is how you know.


You cannot earn root.

You cannot promote yourself.

But your name was written on the list by someone with the authority to write it. The cost was paid by root, who came down as a user to pay it.

All you do is sudo.

That is the whole frame.


Next: what happens when the system reboots.

That's the part of the story where everything is rewritten.