LinuxQuestions.org


xlq 05-24-2007 12:04 PM

How does sudo work?
 
After making sure the user is allowed to use sudo, it manages to run a program as root. But if sudo can run a program as root without a password, why can't other programs?

GrapefruiTgirl 05-24-2007 12:09 PM

SUDO is a special tool, which allows users in the 'sudoers' list to be able to run programs with some or all super user (typically root) privileges. It doesn't act on programs directly, but rather acts to elevate users' privileges, to allow the user to run stuff. Programs cannot be added to the 'sudoers' list, only users.

Can you give a specific example of what you want to know? Is there a particular program you are inquiring about?

pixellany 05-24-2007 12:17 PM

I just looked at random at Synaptic (Ubuntu's package manager). The only user who can execute it is root. Apparently, the sudo command gives specified users root powers for just one action. The users that can use sudo are listed in /etc/sudoers.

So, you can either have root powers for all actions by using su, or for ONE action using sudo.

GrapefruiTgirl 05-24-2007 12:24 PM

Sudo
 
Quote:

Originally Posted by Pixellany
The only user who can execute it is root.

What does this mean? In context, I mean, the SUDO binary on my system is SUID-executable, as in rws--x--x meaning anyone could execute it, no?
I don't use SUDO anyways, but would like to clarify this for myself, and the OP. :)

pixellany 05-24-2007 01:32 PM

Quote:

Originally Posted by GrapefruiTgirl
What does this mean? In context, I mean, the SUDO binary on my system is SUID-executable, as in rws--x--x meaning anyone could execute it, no?
I don't use SUDO anyways, but would like to clarify this for myself, and the OP. :)

Yes, my sudo is the same....

I was referring to the Synaptic binary--it can only be run by root. (But also can be run by sudo)

I agree on not using sudo. It only comes up when using Ubuntu and the silly no-root-user thing.

IsaacKuo 05-24-2007 02:21 PM

Quote:

Originally Posted by xlq
After making sure the user is allowed to use sudo, it manages to run a program as root. But if sudo can run a program as root without a password, why can't other programs?

Some other programs can. The relevant attribute is setuid. This is an attribute on an executable file which determines whether the program runs with the calling user's permissions or with the executable file's owner's permissions.

Most executables are owned by root; if the setuid bit is set, then this executable runs with root permissions. Otherwise, the executable runs with the permissions of the calling user.

This feature is useful for writing a shell script to do some particular task with a different user's files. For example, you might want to let a user run a database maintenance script, but you don't want to give him unrestricted access to the database.

frob23 05-24-2007 02:48 PM

Quote:

Originally Posted by IsaacKuo
This feature is useful for writing a shell script to do some particular task with a different user's files. For example, you might want to let a user run a database maintenance script, but you don't want to give him unrestricted access to the database.

Shell scripts do not respect the suid bit (not on Linux or most *nix systems out there -- there are rare exceptions but you should never expect that behavior). It's a security thing because of how shell scripts are actually executed on the system.

If you absolutely must run a shell script with a different user ID (and using sudo or su is out of the question) then you will need to write an executable wrapper which you can setuid... and whose sole function would be to call the shell script.

If you are interested in knowing why this is the case, a simple google for suid shell scripts and security should give you plenty to read.

xlq 05-25-2007 03:12 AM

Quote:

Originally Posted by IsaacKuo
The relevant attribute is setuid[...]

Ahh. Klever! So a non-root user can't execute their own sudo program, because they can't 'chown root' it.
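
The exec-time rule discussed in the posts above (setuid binaries run as the file's owner, setuid on a "#!" script is ignored, and a user's own copy of sudo only gains that user's own UID), as an added example that is not part of any post in this thread. The function names `euid_after_exec` and `euid_for_path` and the default path `/usr/bin/sudo` are assumptions made for illustration, and the model deliberately ignores nosuid mounts, capabilities and setgid:

```c
/* Added example: a simplified model of how Linux picks the effective UID at exec. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Effective UID after exec'ing a file with this mode and owner.
 * Assumption: nosuid mounts, no_new_privs, capabilities and setgid are ignored. */
uid_t euid_after_exec(mode_t mode, uid_t owner, int is_script, uid_t caller)
{
    if (is_script)          /* "#!" file: Linux ignores the setuid bit */
        return caller;
    if (mode & S_ISUID)     /* setuid binary: runs as the file's owner */
        return owner;
    return caller;          /* ordinary binary: runs as the calling user */
}

/* Apply the same rule to a real file. Returns 0 on success, -1 on error. */
int euid_for_path(const char *path, uid_t caller, uid_t *out)
{
    struct stat st;
    char magic[2] = {0, 0};
    size_t n = 0;
    FILE *f;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    f = fopen(path, "rb");
    if (f != NULL) {        /* unreadable (e.g. rws--x--x): cannot be a runnable script */
        n = fread(magic, 1, sizeof magic, f);
        fclose(f);
    }
    *out = euid_after_exec(st.st_mode, st.st_uid,
                           n == 2 && memcmp(magic, "#!", 2) == 0, caller);
    return 0;
}

int main(int argc, char **argv)
{
    const char *p = argc > 1 ? argv[1] : "/usr/bin/sudo";  /* assumed default path */
    uid_t e;
    if (euid_for_path(p, getuid(), &e) != 0) {
        perror(p);
        return 1;
    }
    printf("%s: uid %ld would run it with euid %ld\n", p, (long)getuid(), (long)e);
    return 0;
}
```

Run against a root-owned setuid binary it reports euid 0; run against a copy of that binary owned by an ordinary user it reports that user's UID, because only root can change the owner to root.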


All times are GMT -5.