In this article we discuss the sudo and su commands in Linux, both of which deal with assigning privileges to users so that they can execute certain commands.
Table of contents.
- The sudoers file.
- Password timeouts.
- sudo commands.
- su commands.
The sudo command allows a user with proper permissions to execute commands as the root user with administrative privileges.
The su command allows a user to execute commands with another user's privileges.
With it we can switch accounts without logging off from the current session.
sudo grants one-time access, while su grants unlimited access.
The syntax for the sudo command is as follows,
sudo [OPTION] COMMAND
The basic form without any options is as follows,
When the above command is executed, sudo checks the sudoers file to verify that the user invoking the command has the required rights.
The syntax for su command is as follows,
su [OPTIONS] [USERNAME [ARGUMENTS...]]
Commonly used options with su include,
- -c, --command COMMAND, to run a specific command as a specified user.
- -l, --login USERNAME, to run a login script so as to change to a specific user.
- -s, --shell SHELL, to specify a different shell.
- -p, --preserve-environment, for preserving the current shell environment.
The sudoers file.
This file is located at /etc/sudoers. To edit it we use the visudo command.
Members of the sudo group, which is defined in the sudoers file, have administrative rights and are able to execute any command as the root user.
To add a user to this group we write,
usermod -aG sudo username
We can also limit the programs a user can execute as sudo by editing this file.
To allow a user john to execute only the mkdir command with sudo, we edit the file as follows,
Then add the line,
john ALL=/bin/mkdir
To allow john to execute sudo commands without a password prompt, we edit the file as follows,
john ALL=(ALL) NOPASSWD: ALL
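As an added example (not part of the original article), the Python function below classifies sudoers rules such as the two john entries above by how much they grant. It assumes single-line rules with no aliases, line continuations or included files; the name audit_sudoers and the sample text are constructed for illustration.

```python
import re

# Constructed sample input (not from a real system): a group rule plus the
# two john rules discussed in the article.
SAMPLE_SUDOERS = """\
%sudo ALL=(ALL:ALL) ALL
john ALL=/bin/mkdir
john ALL=(ALL) NOPASSWD: ALL
"""

# who  host = [(runas)] [TAG:] command[, command...]
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")


def audit_sudoers(text):
    """Classify each rule as (who, severity, reason).

    Assumption: single-line rules only; aliases, line continuations and
    included files are not resolved.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments/include directives and Defaults settings.
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            findings.append(("?", "unparsed", line))
            continue
        rest = re.sub(r"\([^)]*\)", "", m["rest"])   # drop the (runas) spec
        nopasswd = "NOPASSWD:" in rest
        rest = re.sub(r"\b[A-Z_]+:", "", rest)       # drop tags like NOPASSWD:
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        unrestricted = "ALL" in cmds
        if unrestricted and nopasswd:
            verdict = ("high", "any command, no password prompt")
        elif unrestricted:
            verdict = ("review", "any command, password required")
        elif nopasswd:
            verdict = ("medium", "listed commands, no password prompt")
        else:
            verdict = ("low", "listed commands only: " + ", ".join(cmds))
        findings.append((m["who"], *verdict))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:8} {who:8} {reason}")
```

This only ranks rules that are already well formed; checking the syntax of the file itself remains the job of visudo, which can be run in check mode with visudo -c.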
Password timeouts.
After we enter the password when sudo is invoked, the default timeout is 5 minutes before another sudo command requires the password again.
We can change this by editing the sudoers file as follows,
Changing the default timeout,
To change timeout for a user, we write,
sudo will now wait 10 minutes before prompting for a password again.
sudo commands.
Tasks such as editing important files, updating the system, or rebooting the system require elevated privileges.
A normal user cannot reboot a system, so to do this the user needs to elevate his/her privileges by using sudo,
We can also run a command as another user provided we have root privileges,
sudo -u john rm -rf Documents
The above command deletes the Documents directory as the user john.
To check whether a certain user is a sudo user we use the -l and -U options as follows,
sudo -l -U john
su commands.
To invoke su we write,
After this we are prompted to enter a password. Once the password is authenticated, the current user has elevated privileges and can run commands as root without being prompted for a password again. From this point we should be careful about which commands we execute, since there is no going back.
We can use the whoami command to view the current user.
To switch the logged-in user to another user john we write,
su -l john
We can also run commands as a different user by writing,
su -c 'rm -rf ~/Documents' john
The above command switches to user john and deletes the Documents directory.
To change the shell, we use the -s option,
su -s /usr/bin/zsh
The command changes the current shell to Z shell.
The sudo command gives a user elevated privileges to execute commands; it can also allow users to run only specified commands with root privileges.
su allows one to temporarily become another user and execute commands as that user; by default one switches to the root user.
sudo is a better and safer option than su (switch user). If we switch to the root user with su, every command we execute in superuser mode is performed with elevated privileges: there is no stopping a command and no password prompt, which can be dangerous, especially when we forget to switch back. sudo offers us the chance to enter a password before a command is executed.
- Execute man su or man sudo for their manual pages.
- Execute su --help or sudo --help.