How SuperUser works and its permissions?

The SuperUser usually known as root in Unix-like systems, it is the first user created at the installation of the Linux system. It has all the privileges in the Linux system.
Sudo gives us safe elevated privileges when we want to run important commands. It might be THE most used and powerful command among Ubuntu users, as it has become the preferred method in that distribution.

Don’t always login as root.

Login as root on system boot is not safe. It may damage some system files making it unable to run Linux properly.

SU

su (“substitute user or switch user“) use to log into the superuser account in the CommandLine Interface (CLI). If no username is specified, su defaults to becoming the superuser (root). The optional argument “-” (a dash) may be used to provide an environment similar to what the user would expect had the user logged in directly. You can use the argument “–” (double dash) to separate su options from the arguments supplied to the shell. The user will be prompted for a password, if appropriate.

SUDO

sudo (“superuser do“) allows a user with proper permissions to execute a command as another user and returns back to the currently logged in account, such as the superuser. This package mainly is for running commands as root at a time but also supports running it as another user if any provided. By default, sudo requires that users authenticate themselves with a password. This is the user’s password, not the root password itself.

Checking if SUDO is already installed

In most Linux Distributions, SUDO comes pre-installed.

Debian/Ubuntu:

dpkg -s sudo

Red Hat/CentOS:

rpm -qa | grep sudo

Installing SUDO

If SUDO is not installed in your system, you can install it using this:

Debian/Ubuntu:

apt-get install sudo

Red Hat/CentOS:

yum install sudo

Give user a root privilege

I have a user admin and want to give root privilege. Just add the user admin to the sudo group.

Debian/Ubuntu:

gpasswd -a admin sudo

Red Hat/CentOS:

gpasswd -a admin wheel

The user admin will now be able to use full root permission with sudo because it has been added to the sudo group. In CentOS, the group name for sudo users is wheel.

Configuring SUDO

SUDO configuration files are located at /etc/sudoers and /etc/sudoers.d. Use visudo which is a package for editing sudoers file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.

admin ALL=(ALL:ALL) ALL

1st ALL – Applies to all hosts
2nd ALL – Can run command as all user
3rd ALL – Can run command as all group
4th ALL – Can run all commands

admin can run any command as root as long as he provides his password.

Adding a Group

You can also give same permission to a group. Just add % at the beginning of the rule.

%sshgroup ALL=(ALL:ALL) ALL

more Complex Privileges

SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.
You will create an array of users, groups or commands into a variable and they are being reference.

User_Alias: Use to define variable to hold users
Cmnd_Alias: Use to define variables to hold commands
Runas_Alias: Use to define variable to hold list of alias users can run
Host_Alias: Use to define variable of hosts users can run sudo

• Giving user a privilege

  User_Alias ADMINGROUP = admin
  ADMINGROUP ALL = /sbin/shutdown
  

admin can not run any other command with sudo except shutdown only.

• Specify the file system groups

  User_Alias ADMINGROUP = %ftpgroup, admin, %sshgroup
  

• Allow multiple command

  Cmnd_Alias MCOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot
  ADMINGROUP ALL = MCOMMAND 
  

• Limiting Run as users

  Runas_Alias ARUNAS = www-data, apache
  ADMINGROUP ALL = (ARUNAS) MCOMMAND
  

Some Tricks with SUDO

• make you the root user and load your custom user environment variables.

  sudo su -
  

• run command as a user or group.

  sudo -u admin ls /
  sudo -g root ls /
  

• run the command in the background.

  sudo –b
  

• run the shell specified with elevated privileges, giving you the # prompt (don’t forget to exit!)

  sudo –s
  

• switch to the user admin.

  sudo su admin
  

• extend/reset sudo’s automatic authentication timeout, allowing you to continue issuing sudo commands without entering a password.

  sudo -v
  

• Kill sudo authentication for the current user. The next sudo command will require a password.

  sudo -k
  

There is no su-undo! Be sure to be safe when you issue your commands.