The SuperUser usually known as root in Unix-like systems, it is the first user created at the installation of the Linux system. It has all the privileges in the Linux system.
Sudo gives us safe elevated privileges when we want to run important commands. It might be THE most used and powerful command among Ubuntu users, as it has become the preferred method in that distribution.
Don’t always login as root.
Login as root on system boot is not safe. It may damage some system files making it unable to run Linux properly.
su (“substitute user or switch user“) use to log into the superuser account in the CommandLine Interface (CLI). If no username is specified, su defaults to becoming the superuser (root). The optional argument “-” (a dash) may be used to provide an environment similar to what the user would expect had the user logged in directly. You can use the argument “–” (double dash) to separate su options from the arguments supplied to the shell. The user will be prompted for a password, if appropriate.
sudo (“superuser do“) allows a user with proper permissions to execute a command as another user and returns back to the currently logged in account, such as the superuser. This package mainly is for running commands as root at a time but also supports running it as another user if any provided. By default, sudo requires that users authenticate themselves with a password. This is the user’s password, not the root password itself.
Checking if SUDO is already installed
In most Linux Distributions, SUDO comes pre-installed.
dpkg -s sudo
rpm -qa | grep sudo
If SUDO is not installed in your system, you can install it using this:
apt-get install sudo
yum install sudo
Give user a root privilege
I have a user admin and want to give root privilege. Just add the user admin to the sudo group.
gpasswd -a admin sudo
gpasswd -a admin wheel
The user admin will now be able to use full root permission with sudo because it has been added to the sudo group. In CentOS, the group name for sudo users is wheel.
SUDO configuration files are located at /etc/sudoers and /etc/sudoers.d. Use visudo which is a package for editing sudoers file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.
admin ALL=(ALL:ALL) ALL
1st ALL – Applies to all hosts
2nd ALL – Can run command as all user
3rd ALL – Can run command as all group
4th ALL – Can run all commands
admin can run any command as root as long as he provides his password.
Adding a Group
You can also give same permission to a group. Just add % at the beginning of the rule.
%sshgroup ALL=(ALL:ALL) ALL
more Complex Privileges
SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.
You will create an array of users, groups or commands into a variable and they are being reference.
User_Alias: Use to define variable to hold users
Cmnd_Alias: Use to define variables to hold commands
Runas_Alias: Use to define variable to hold list of alias users can run
Host_Alias: Use to define variable of hosts users can run sudo
- Giving user a privilege
User_Alias ADMINGROUP = admin ADMINGROUP ALL = /sbin/shutdown
admin can not run any other command with sudo except shutdown only.
- Specify the file system groups
User_Alias ADMINGROUP = %ftpgroup, admin, %sshgroup
- Allow multiple command
Cmnd_Alias MCOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot ADMINGROUP ALL = MCOMMAND
Limiting Run as users
Runas_Alias ARUNAS = www-data, apache ADMINGROUP ALL = (ARUNAS) MCOMMAND
Some Tricks with SUDO
make you the root user and load your custom user environment variables.
sudo su -
run command as a user or group.
sudo -u admin ls / sudo -g root ls /
run the command in the background.
run the shell specified with elevated privileges, giving you the # prompt (don’t forget to exit!)
switch to the user admin.
sudo su admin
extend/reset sudo’s automatic authentication timeout, allowing you to continue issuing sudo commands without entering a password.
Kill sudo authentication for the current user. The next sudo command will require a password.
There is no su-undo! Be sure to be safe when you issue your commands.