Authentication is the process of identifying an account or service, and verifying its right to perform a restricted operation. Mac OS X uses several different methods of authentication, along with separate subsystems. All system utilities tie into directory services to verify credentials.
For example, imagine a server with Open Directory accounts and a FileMaker Pro server for custom databases. Users can authenticate to Application Level Firewall and Secure Shell (SSH) using their Open Directory credentials; however, accessing FileMaker Pro databases will require an entirely different set of credentials. Even if user names are kept the same between systems, each user technically has two separate sets of credentials.
Many traditional UNIX administrators are accustomed to logging in as and working with a root account. However, Mac OS X administrators are discouraged from doing so, because root can bypass normal access restrictions in most cases. Root is normally disabled in Mac OS X, but it is still possible to effectively authenticate as a root-level account without using the actual root account. The sudo tool allows granting rights to users and groups to run programs that they may not have access to otherwise. Using sudo, you can grant a user the ability to run one specific program with root privileges, all the way up through gaining a root-level shell to work in.
sudo uses the /etc/sudoers file as a configuration file to determine which accounts can gain elevated privileges. You should always use the visudo program to edit the sudoers file, because the program performs locking and syntax checks upon saving. Entries in sudoers follow a fixed pattern. Following is an example of a typical entry in the sudoers file:
%itops ALL = /bin/mkdir, /bin/chmod, /bin/chown
The percent sign (%) indicates that the rule applies to a group (in this case, itops). The ALL designation refers to a machine group, checked by host name. In this case, the group is allowed regardless of the machine name (“all machines”). Finally, the entry specifies the commands that this group can use with the sudo command, to run with root-level privileges. As a member of the itops group, you could create a new directory in a protected area by using sudo and supplying the account password:
$ sudo mkdir /usr/sbin/extras
See the sudoers man page for more ways of granting rights with sudo.
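To make the who/where/what structure of an entry concrete, here is an added example (not code from the original text or from sudo itself) that parses rules written in the simple "principal hosts = commands" form shown above, models the lookup sudo performs, and audits the rules for grants that amount to a root shell. The sample sudoers fragment is constructed for illustration; the parser deliberately ignores runas specifications, tags such as NOPASSWD, aliases and include directives, which real sudoers files may contain.

```python
import re

# Constructed sample fragment in the "<user|%group> <hosts> = <commands>" form.
SAMPLE_SUDOERS = """\
# itops may create and re-permission directories anywhere (hosts = ALL)
%itops ALL = /bin/mkdir, /bin/chmod, /bin/chown
%admin ALL = ALL
backup buildhost = /usr/bin/rsync, /bin/sh
"""

# Commands that hand the caller an interactive root shell.
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh"}

def parse_sudoers(text):
    """Return a list of rule dicts for simple 'principal hosts = commands' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(.+)$", line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        principal, hosts, cmds = m.groups()
        rules.append({
            "principal": principal.lstrip("%"),     # '%' marks a group
            "is_group": principal.startswith("%"),
            "hosts": [h.strip() for h in hosts.split(",")],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules

def is_permitted(rules, principal, is_group, host, command):
    """Match principal, then host (ALL or exact host name), then the command."""
    for r in rules:
        if r["principal"] != principal or r["is_group"] != is_group:
            continue
        if "ALL" not in r["hosts"] and host not in r["hosts"]:
            continue
        if "ALL" in r["commands"] or command in r["commands"]:
            return True
    return False

def audit(rules):
    """Flag grants equivalent to a root shell or commands not given as absolute paths."""
    findings = []
    for r in rules:
        for c in r["commands"]:
            if c == "ALL":
                findings.append((r["principal"], c, "grants every command as root"))
            elif c in SHELL_LIKE:
                findings.append((r["principal"], c, "grants an interactive root shell"))
            elif not c.startswith("/"):
                findings.append((r["principal"], c, "command is not an absolute path"))
    return findings
```

Running audit() over a real file exported with visudo is a quick way to spot entries that quietly widen a narrow grant into full root access.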