Sudo and su in linux

What are the differences between «su», «sudo -s», «sudo -i», «sudo su»?

The -s (shell) option runs the shell specified by the SHELL environment variable if it is set, or the shell specified in passwd(5). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. The description of sudo -i has disappeared from the manual.

Also, do not use su user to login from untrusted shells, but su - user. See unix.stackexchange.com/q/7013/8250


The main difference between these commands is in the way they restrict access to their functions.

su (which means «substitute user» or «switch user») — does exactly that, it starts another shell instance with privileges of the target user. To ensure you have the rights to do that, it asks you for the password of the target user. So, to become root, you need to know root password. If there are several users on your machine who need to run commands as root, they all need to know root password — note that it’ll be the same password. If you need to revoke admin permissions from one of the users, you need to change root password and tell it only to those people who need to keep access — messy.

sudo (hmm. what’s the mnemonic? Super-User-DO?) is completely different. It uses a config file (/etc/sudoers) which lists which users have rights to specific actions (run commands as root, etc.) When invoked, it asks for the password of the user who started it — to ensure the person at the terminal is really the same «joe» who’s listed in /etc/sudoers. To revoke admin privileges from a person, you just need to edit the config file (or remove the user from a group which is listed in that config). This results in much cleaner management of privileges.

As a result of this, in many Debian-based systems root user has no password set — i.e. it’s not possible to login as root directly.

Also, /etc/sudoers allows to specify some additional options — i.e. user X is only able to run program Y etc.

The often-used sudo su combination works as follows: first sudo asks you for your password, and, if you’re allowed to do so, invokes the next command (su) as a super-user. Because su is invoked by root, it does not require you to enter the target user’s password. So, sudo su allows you to open a shell as another user (including root), if you’re allowed super-user access by the /etc/sudoers file.


Difference Between su and sudo and How to Configure sudo in Linux

Linux systems are more secure than most of their counterparts. One of the ways security is implemented in Linux is the user management policy and user permissions: normal users are not authorized to perform any system operations.

If a normal user needs to make any system-wide change, he needs to use either the ‘su‘ or the ‘sudo‘ command.

su vs sudo in Linux

NOTE – This article is more applicable to Ubuntu based distributions, but also applicable to most of the popular Linux distributions.

‘su’ Vs ‘sudo’

‘su‘ forces you to share your root password with other users, whereas ‘sudo‘ makes it possible to execute system commands without the root password. ‘sudo‘ lets you use your own password to execute system commands, i.e., it delegates system responsibility without sharing the root password.

What is ‘sudo’?

‘sudo‘ is a setuid root binary which executes commands as root on behalf of authorized users; the users enter their own password to execute the system command that follows ‘sudo‘.

Who can execute ‘sudo’?

We can run ‘/usr/sbin/visudo‘ to add or remove users from the list of those who can execute ‘sudo‘.

A screenshot of the sudoers file as opened by ‘/usr/sbin/visudo‘ looks something like this:

[screenshot: su-vs-sudo]

The sudo list looks like the below string, by default:

Note: You must be root to edit the sudoers file with /usr/sbin/visudo.

Granting sudo Access

In many situations a system administrator, especially one new to the field, takes the string “root ALL=(ALL) ALL” as a template and grants unrestricted access to others, which may be very harmful.

Editing the sudoers file via ‘/usr/sbin/visudo’ to something like the pattern below may be very dangerous, unless you trust all the listed users completely.

root ALL=(ALL) ALL
adam ALL=(ALL) ALL
tom ALL=(ALL) ALL
mark ALL=(ALL) ALL

Parameters of sudo

A properly configured ‘sudo‘ is very flexible, and the set of commands a user may run can be configured precisely.

The Syntax of configured ‘sudo‘ line is:

User_name Machine_name=(Effective_user) command

The above syntax can be divided into four parts:

  1. User_name: the name of the ‘sudo‘ user, i.e. the user being granted the privilege.
  2. Machine_name: the host name on which this ‘sudo‘ entry is valid. Useful when you share one sudoers file across many host machines.
  3. (Effective_user): the user the commands are run as. This column lets you allow users to execute system commands as root or as another account.
  4. Command: the command or set of commands the user may run.

Some situations, and their corresponding ‘sudo‘ line:

Q1. You have a user ‘mark‘ who is a Database Administrator. You are supposed to give him full access on the Database Server (beta.database_server.com) only, and not on any other host.

For the above situation the ‘sudo‘ line can be written as:

mark beta.database_server.com=(ALL) ALL

Q2. You have a user ‘tom‘ who is supposed to execute system commands as a user other than root on the same Database Server explained above.

For the above situation the ‘sudo‘ line can be written as:

mark beta.database_server.com=(tom) ALL

Q3. You have a sudo user ‘cat‘ who is supposed to run the command ‘dog‘ only.

To implement the above situation, we can write the ‘sudo’ line as:

mark beta.database_server.com=(cat) dog

Q4. What if the user needs to be granted several commands?

If the number of commands the user is supposed to run is under 10, we can place all the commands on the line, with white space in between them, as shown below:

mark beta.database_server.com=(cat) /usr/bin/command1 /usr/sbin/command2 /usr/sbin/command3 ...

If the list of commands grows to the point where it is not practical to type each command manually, we need to use aliases: a sudoers facility by which a long command, or a list of commands, can be referred to by a short, easy keyword.

A few alias examples, which can be used in place of an entry in the ‘sudo‘ configuration file:

User_Alias ADMINS=tom,jerry,adam
User_Alias WEBMASTER=henry,mark
WEBMASTERS WEBSERVERS=(www) APACHE
Cmnd_Alias PROC=/bin/kill,/bin/killall,/usr/bin/top

It is possible to specify a system group in place of users, so that every member of that group gets the entry, by prefixing ‘%’ as below:

%apacheadmin WEBSERVERS=(www) APACHE

Q5. How about executing a ‘sudo‘ command without entering password?

We can execute a ‘sudo‘ command without entering a password by using the ‘NOPASSWD‘ tag.

adam ALL=(ALL) NOPASSWD: PROCS

Here the user ‘adam‘ can execute all the commands aliased under “PROCS” without entering a password.
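The following is an added example, not code from the article or from the sudo project: a small Python parser for the four-part sudoers line described above (User_name Machine_name=(Effective_user) command) that also expands User_Alias, Cmnd_Alias and Host_Alias definitions, understands ‘%group‘ users and the NOPASSWD tag, and then audits the expanded grants for the copied “ALL=(ALL) ALL” template and for password-less entries. The sudoers text it reads is constructed for the example; the alias names ADMINS and PROCS, the host name and the apachectl path are illustrative. One detail worth knowing when writing entries: sudoers separates the commands of one entry with commas, and whatever follows a command path up to the next comma is treated as that command’s arguments.

```python
"""Audit sudoers user specifications (added example, not the article's code).

Parses lines of the form  User_name Machine_name=(Effective_user) command
with User_Alias / Cmnd_Alias / Host_Alias expansion, '%group' users and the
NOPASSWD tag.  Real sudoers has more syntax (Defaults, Runas_Alias, '!'
negation, @include) than this deliberately small parser handles.
"""
import re
from dataclasses import dataclass

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias|Host_Alias)\s+(\w+)\s*=\s*(.+)$")
# user, host, optional (runas), zero or more TAG: words, then the command list
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Grant:
    """One expanded (user, host) privilege line."""
    user: str
    host: str
    runas: str
    commands: list
    nopasswd: bool
    source: str

    def is_unrestricted(self) -> bool:
        # the template many new admins copy: run anything, as anyone, anywhere
        return self.host == "ALL" and self.runas == "ALL" and "ALL" in self.commands


def _split_list(text):
    # sudoers lists (alias members, command lists) are comma separated
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Return the list of Grant objects described by sudoers text."""
    aliases = {"User_Alias": {}, "Cmnd_Alias": {}, "Host_Alias": {}}
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = _split_list(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {raw!r}")
        users = aliases["User_Alias"].get(m["user"], [m["user"]])
        hosts = aliases["Host_Alias"].get(m["host"], [m["host"]])
        runas = (m["runas"] or "root").strip()  # sudoers runs as root when no (user) is given
        commands = []
        for cmd in _split_list(m["cmds"]):
            commands.extend(aliases["Cmnd_Alias"].get(cmd, [cmd]))
        nopasswd = "NOPASSWD:" in m["tags"]
        for user in users:
            for host in hosts:
                grants.append(Grant(user, host, runas, commands, nopasswd, line))
    return grants


def audit(grants):
    """Findings a reviewer of the file wants: unrestricted and password-less grants."""
    findings = []
    for g in grants:
        if g.is_unrestricted():
            findings.append(f"{g.user}: unrestricted root-equivalent access on all hosts")
        if g.nopasswd:
            findings.append(f"{g.user}: NOPASSWD for {', '.join(g.commands)} on {g.host}")
    return findings


# constructed sample for this example, not a real /etc/sudoers
SAMPLE_SUDOERS = """\
User_Alias  ADMINS = tom, jerry, adam
Cmnd_Alias  PROCS  = /bin/kill, /bin/killall, /usr/bin/top
root          ALL=(ALL) ALL
mark          beta.database_server.com=(ALL) ALL
mark          beta.database_server.com=(tom) ALL
%apacheadmin  WEBSERVERS=(www) /usr/sbin/apachectl
ADMINS        ALL=(ALL) NOPASSWD: PROCS
"""

if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

Run against the sample, the audit reports root’s unrestricted entry and one NOPASSWD finding for each of tom, jerry and adam after the ADMINS alias is expanded; mark’s entry on beta.database_server.com is not flagged as unrestricted because it is bound to one host, which is exactly the distinction Q1 above relies on. To check a real file, feed it the text of /etc/sudoers and the fragments under /etc/sudoers.d instead of SAMPLE_SUDOERS.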

“sudo” provides a robust and safe environment with a lot of flexibility compared to ‘su‘. Moreover, “sudo” configuration is easy. Some Linux distributions have “sudo” enabled by default, while most of today’s distros need you to enable it as a security measure.

To add a user (bob) to sudo, just run the command below as root.

That’s all for now. I’ll be back with another interesting article. Till then stay tuned and connected to Tecmint. Don’t forget to provide us with your valuable feedback in the comment section.


A Passionate GNU/Linux Enthusiast and Software Developer with over a decade in the field of Linux and Open Source technologies.


26 thoughts on “Difference Between su and sudo and How to Configure sudo in Linux”

Hi, really very nice tutorial. I would like to know if there is a way to exclude some admin from running any configuration in ssh?

Hi Ravi, I am facing one problem with /etc/sudoers or visudo. Actually, while I am adding a user with the adduser command and I am not providing any sudo access, commands are working without a password or without any permission error. I am using e.g.: Lucky ALL=(Lucky) NOPASSWD: /bin/*, !/bin/rm. I am also restricting the rm command, but the rm command is working. Please help me brother and please clarify my doubts.

These comments are based on a multi user environment. In the case of shared computers of truly multi-user systems, sudo makes sense. However for single user systems and administrator use, su makes more sense for a variety of reasons including convenience and environment configuration. I do understand the confusion in this regard, especially with younger users, as Ubuntu started this confusion by misusing sudo to give it a more Windows like admin configuration model for individual admin tasks as it utterly lacks any unified administration interface where you’d give the root password once to enter and configure the system. So for example, as an administrator of my system, I keep a terminal shell open in which I’ve su’d to root and use that shell for all admin tasks. If I wanted to allow other users of the system to have access to network configuration or printer setup, I’d use sudo to allow access to those tools.

Hi Ravi Saive, good evening. I have a doubt about the line below.

mark beta.database_server.com=(tom) ALL

My understanding is that ‘mark’ and ‘tom’ are both sudo users and both have the same (ALL commands) access on the beta.database_server.com machine. Is this correct? Or is there any difference between the ‘mark’ and ‘tom’ users in terms of privileges on the beta.database_server.com machine? Thanks in advance.

Could you please explain more about Q2? I didn’t quite catch it. As per the question, user tom is supposed to execute system commands as a user other than root on the same database server.

mark beta.database_server.com=(tom) ALL

Mark - sudo user
beta.database_server.com - machine name
tom - effective user
ALL - any command can be executed

After logging in as the Mark user and trying to execute commands, it says permission denied. Would you please provide more clarification?
