Linux – sudo and su commands, what are they and how to configure them


To totally unlock this section you need to Log-in


Login

NOTE : this article is more applicable to Ubuntu based distributions, but also applicable to most of the popular Linux distributions.

sudo ("superuser do") allows a user with proper permissions to execute a command as another user, such as the superuser, or root user.

The Root User

Both su and sudo are used to run commands with root permissions. The root user is basically equivalent to the administrator user on Windows – the root user has maximum permissions and can do anything to the system. Normal users on Linux run with reduced permissions – for example, they can’t install software or write to system directories.

To do something that requires these permissions, you’ll have to acquire them with su or sudo.

Ubuntu vs. Other Linux Distributions

The su command is the traditional way of acquiring root permissions on Linux. The sudo command has existed for a long time, but Ubuntu was the first popular Linux distribution to go sudo-only by default. When you install Ubuntu, the standard root account is created, but no password is assigned to it.

You can’t log in as root until you assign a password to the root account.

There are several advantages to using sudo instead of su by default. Ubuntu users only have to provide and remember a single password, whereas Fedora and other distributions require you create separate root and user account passwords during installation.

Another advantage is that it discourages users from logging in as the root user – or using su to get a root shell – and keeping the root shell open to do their normal work. Running fewer commands as root increases security and prevents accidental system-wide changes.

Distributions based on Ubuntu, including Linux Mint, also use sudo instead of su by default.

su Vs sudo

su forces you to share your root password to other users whereas sudo makes it possible to execute system commands without root password.

sudo lets you use your own password to execute system commands i.e., delegates system responsibility without root password.

What is sudo?

sudo is a root binary setuid, which executes root commands on behalf of authorized users and the users need to enter their own password to execute system command followed by sudo.

Who can execute sudo?

We can run ‘/usr/sbin/visudo‘ to add/remove the list of users who can execute sudo.

$ sudo /usr/sbin/visudo

A screen shot of /usr/sbin/visudo file, looks something like this:

Linux - sudo and su commands, what are they and how to configure them

Linux - sudo and su commands, what are they and how to configure them

The sudo list looks like the below string, by default:

root ALL=(ALL) ALL

Note: You must be root to edit /usr/sbin/visudo file.

Granting sudo Access

In many situation, System Administrator, specially new to the field finds the string “root ALL=(ALL) ALL” as a template and grants unrestricted access to others which may be potentially very harmful.

Editing /usr/sbin/visudo file to something like the below pattern may really be very dangerous, unless you believe all the listed users completely.

root ALL=(ALL) ALL

adam ALL=(ALL) ALL
tom ALL=(ALL) ALL
mark ALL=(ALL) ALL

Parameters of sudo

A properly configured sudo is very flexible and number of commands that needs to be run may be precisely configured.

The syntax of configured sudo line is:

User_name Machine_name=(Effective_user) command

The above Syntax can be divided into four parts:

User_name: This is the name of ‘sudo‘ user.

Machine_name: This is the host name, in which sudo command is valid. Useful when you have lots of host machines.

(Effective_user): The Effective user that are allowed to execute the commands. This column lets you allows users to execute system commands.

Command: command or a set of commands which user may run.

Some of the situations, and their corresponding sudo line:

Scenario 01

You have a user mark which is a Database Administrator. You are supposed to provide him all the access on Database Server (beta.database_server.com) only, and not on any host.

For the above situation the sudo line can be written as:

mark beta.database_server.com=(ALL) ALL

Scenario 02

You have a user tom which is supposed to execute system command as user other than root on the same Database Server, above explained.

For the above situation the sudo line can be written as:

mark beta.database_server.com=(tom) ALL

Scenario 03

You have a sudo user ‘cat‘ which is supposed to run command dog only.
To implement the above situation, we can write ‘sudo’ as:

mark beta.database_server.com=(cat) dog

Scenario 04

What if the user needs to be granted several commands?
If the number of commands, user is supposed to run is under 10, we can place all the commands alongside, with white space in between them, as shown below:

mark beta.database_server.com=(cat) /usr/bin/command1 /usr/sbin/command2 /usr/sbin/command3 ...

If this list of command varies to the range, where it is literally not possible to type each command manually we need to use aliases. Aliases! Yeah the Linux utility where a long-lengthy command or a list of command can be referred as a small and easy keyword.

A few alias examples, which can be used in place of entry in sudo configuration file.

User_Alias ADMINS=tom,jerry,adam

user_Alias WEBMASTER=henry,mark
WEBMASTERS WEBSERVERS=(www) APACHE
Cmnd_Alias PROC=/bin/kill,/bin/killall, /usr/bin/top

It is possible to specify System Groups, in place of users, that belongs to that group just suffixing % as below:

%apacheadmin WEBSERVERS=(www) APACHE

Scenario 05

How about executing a sudo command without entering password?
We can execute a sudo command without entering password by using ‘NOPASSWD‘ flag.

adam ALL=(ALL) NOPASSWD: PROCS

Here the user adam can execute all the commands aliased under PROCS, without entering password.

sudo provides you a robust and safe environment with loads of flexibility as compared to su.

Moreover sudo configuration is easy. Some Linux distributions have “sudo” enabled by default while most of the distros of today needs you to enable it as a Security Measure.

To add an user (bob) to sudo just run the below command as root.

adduser bob sudo

Return Values

Upon successful execution of a program, the return value from sudo will simply be the return value of the program that was executed.

Otherwise, sudo quits with an exit value of 1 if there is a configuration/permission problem or if sudo cannot execute the given command. In the latter case the error string is printed to stderr.

If sudo cannot stat one or more entries in the user's PATH an error is printed on stderr. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is printed.) This should not happen under normal circumstances.

The most common reason for stat to return "permission denied" is if you are running an auto-mounter and one of the directories in your PATH is on a machine that is currently unreachable.