{"id":8929,"date":"2016-11-25T23:05:28","date_gmt":"2016-11-25T14:05:28","guid":{"rendered":"https:\/\/www.skyarch.net\/blog\/?p=8929"},"modified":"2016-11-25T23:05:28","modified_gmt":"2016-11-25T14:05:28","slug":"how-superuser-works-and-its-permissions","status":"publish","type":"post","link":"https:\/\/www.skyarch.net\/blog\/how-superuser-works-and-its-permissions\/","title":{"rendered":"How SuperUser works and its permissions?"},"content":{"rendered":"

The SuperUser usually known as root in Unix-like systems, it is the first user created at the installation of the Linux system. It has all the privileges in the Linux system.
\nSudo gives us safe elevated privileges when we want to run important commands. It might be THE most used and powerful command among Ubuntu users, as it has become the preferred method in that distribution.<\/p>\n

Don't always login as root.<\/h3>\n

Login as root on system boot is not safe. It may damage some system files making it unable to run Linux properly.<\/p>\n

SU<\/h3>\n

su<\/strong> (\"substitute user or switch user<\/em>\") use to log into the superuser account in the CommandLine Interface (CLI). If no username is specified, su defaults to becoming the superuser (root). The optional argument \"-\" (a dash) may be used to provide an environment similar to what the user would expect had the user logged in directly. You can use the argument \"--\" (double dash) to separate su options from the arguments supplied to the shell. The user will be prompted for a password, if appropriate.<\/p>\n

SUDO<\/h3>\n

sudo<\/strong> (\"superuser do<\/em>\") allows a user with proper permissions to execute a command as another user and returns back to the currently logged in account, such as the superuser. This package mainly is for running commands as root at a time but also supports running it as another user if any provided. By default, sudo requires that users authenticate themselves with a password. This is the user's password, not the root password itself.<\/p>\n

Checking if SUDO is already installed<\/h3>\n

In most Linux Distributions, SUDO comes pre-installed.<\/p>\n

Debian\/Ubuntu:<\/p>\n

\r\ndpkg -s sudo\r\n<\/pre>\n
Red Hat\/CentOS:<\/p>\n
\r\nrpm -qa | grep sudo\r\n<\/pre>\n
Installing SUDO<\/h3>\n
If SUDO is not installed in your system, you can install it using this:<\/p>\n
Debian\/Ubuntu:<\/p>\n
\r\napt-get install sudo\r\n<\/pre>\n
Red Hat\/CentOS:<\/p>\n
\r\nyum install sudo\r\n<\/pre>\n
Give user a root privilege<\/h3>\n
I have a user admin<\/strong> and want to give root privilege. Just add the user admin to the sudo group.<\/p>\n
Debian\/Ubuntu:<\/p>\n
\r\ngpasswd -a admin sudo\r\n<\/pre>\n
Red Hat\/CentOS:<\/p>\n
\r\ngpasswd -a admin wheel\r\n<\/pre>\n
The user admin<\/strong> will now be able to use full root permission with sudo because it has been added to the sudo group. In CentOS, the group name for sudo users is wheel.<\/p>\n
Configuring SUDO<\/h3>\n
SUDO configuration files are located at \/etc\/sudoers<\/strong> and \/etc\/sudoers.d<\/strong>. Use visudo<\/strong> which is a package for editing sudoers file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.<\/p>\n
\r\nadmin ALL=(ALL:ALL) ALL\r\n<\/pre>\n
1st ALL - Applies to all hosts<\/em>
\n2nd ALL \u2013 Can run command as all user<\/em>
\n3rd ALL \u2013 Can run command as all group<\/em>
\n4th ALL \u2013 Can run all commands<\/em><\/p>\n
admin<\/strong> can run any command as root as long as he provides his password.<\/p>\n
Adding a Group<\/h3>\n
You can also give same permission to a group. Just add %<\/strong> at the beginning of the rule.<\/p>\n
\r\n%sshgroup ALL=(ALL:ALL) ALL\r\n<\/pre>\n
more Complex Privileges<\/h3>\n
SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.
\nYou will create an array of users, groups or commands into a variable and they are being reference.<\/p>\n
User_Alias: Use to define variable to hold users<\/em>
\nCmnd_Alias: Use to define variables to hold commands<\/em>
\nRunas_Alias: Use to define variable to hold list of alias users can run<\/em>
\nHost_Alias: Use to define variable of hosts users can run sudo<\/em><\/p>\n
    \n
  • Giving user a privilege\n
    \r\nUser_Alias ADMINGROUP = admin\r\nADMINGROUP ALL = \/sbin\/shutdown\r\n<\/pre>\n<\/li>\n<\/ul>\n
    admin<\/strong> can not run any other command with sudo except shutdown only.<\/p>\n
      \n
    • Specify the file system groups\n
      \r\nUser_Alias ADMINGROUP = %ftpgroup, admin, %sshgroup\r\n<\/pre>\n<\/p>\n<\/li>\n
    • Allow multiple command\n
      \r\nCmnd_Alias MCOMMAND = \/sbin\/shutdown, \/bin\/ls, \/sbin\/reboot\r\nADMINGROUP ALL = MCOMMAND \r\n<\/pre>\n<\/p>\n<\/li>\n
    • \n
      Limiting Run as users<\/p>\n
      \r\nRunas_Alias ARUNAS = www-data, apache\r\nADMINGROUP ALL = (ARUNAS) MCOMMAND\r\n<\/pre>\n<\/p>\n<\/li>\n<\/ul>\n
      Some Tricks with SUDO<\/h3>\n
        \n
      • \n
        make you the root user and load your custom user environment variables.<\/p>\n
        \r\nsudo su -\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        run command as a user or group.<\/p>\n
        \r\nsudo -u admin ls \/\r\nsudo -g root ls \/\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        run the command in the background. <\/p>\n
        \r\nsudo \u2013b\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        run the shell specified with elevated privileges, giving you the # prompt (don\u2019t forget to exit!)<\/p>\n
        \r\nsudo \u2013s\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        switch to the user admin.<\/p>\n
        \r\nsudo su admin\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        extend\/reset sudo's automatic authentication timeout, allowing you to continue issuing sudo commands without entering a password.<\/p>\n
        \r\nsudo -v\r\n<\/pre>\n<\/p>\n<\/li>\n
      • \n
        Kill<\/em><\/strong> sudo authentication for the current user. The next sudo command will require a password.<\/p>\n
        \r\nsudo -k\r\n<\/pre>\n<\/p>\n<\/li>\n<\/ul>\n
        There is no su-undo<\/strong>! Be sure to be safe when you issue your commands.<\/p>\n","protected":false},"excerpt":{"rendered":"
        The SuperUser usually known as root in Unix-like systems, it is the first user created at the installation of …<\/p>\n","protected":false},"author":1,"featured_media":5279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_locale":"ja","_original_post":"8713","footnotes":""},"categories":[29],"tags":[],"class_list":{"0":"post-8929","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-linux","8":"ja"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/posts\/8929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/comments?post=8929"}],"version-history":[{"count":1,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/posts\/8929\/revisions"}],"predecessor-version":[{"id":8930,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/posts\/8929\/revisions\/8930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/media\/5279"}],"wp:attachment":[{"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/media?parent=8929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/categories?post=8929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.skyarch.net\/blog\/wp-json\/wp\/v2\/tags?post=8929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}