Linux Command Sudo vs SU


The sudo command

sudo – execute a command as another user

sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] | [ -p prompt ] [ -c class| ] [ -a auth_type ] [ -u username|#uid ] command

DESCRIPTION

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file (the group vector is also initialized when the target user is not root). By default, sudo requires that users authenticate themselves with a password (NOTE: by default this is the user’s password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5
minutes unless overridden in sudoers).

sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag a user can update the time stamp without running a command. The password prompt itself will also time out if the user’s password is not entered within 5
minutes (unless overridden via sudoers).

If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to the proper authorities, as defined at configure time or the sudoers file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v flags. This allows users to determine for themselves whether or not they are allowed to use sudo.

sudo can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default sudo will log via syslog(3) but this is changeable at configure time or via the sudoers file.

 

The su command

The su command stands for "switch user", and allows you to become another user. To use the su command on a per-command basis, enter:

su user -c command

Replace user with the name of the account which you’d like to run the command as, and command with the command you need to run as another user. To switch users before running many commands, enter:

su user

Replace user with the name of the account which you’d like to run the commands as.

The user feature is optional; if you don’t provide a user, the su command defaults to the root account, which in Unix is the system administrator account. In either case, you’ll be prompted for the password associated with the account for which you’re trying to run the command. If you supply a user, you will be logged in as that account until you exit it. To do so, press Ctrl-d or type exit at the command prompt.

Using su creates security hazards, is potentially dangerous, and requires more administrative maintenance. It’s not good practice to have numerous people knowing and using the root password because when logged in as root, you can do anything to the system. This could provide too much power for inexperienced users, who could unintentionally damage the system. Additionally, each time a user should no longer use the root account (e.g., an employee leaves), the system administrator will have to change the root password.

One of the things that makes Linux more secure than some operating systems is a permission system and separate logins. This adds the complication that some administrative tasks must be done using the administrator login (called root) but that is a small price to pay for the added level of security.

 
Additionals

Different Linux distributions offer different ways to become root to perform these administrative tasks. The differences are not complicated to understand and there are valid reasons for each approach. In this article TUX explains these differences and how to get the job done using the various approaches.

If your system presents you with a graphical login screen (SuSE and Debian are two examples) then you would expect that logging in as root instead of your personal login would be the approach. While it can be done, it is the most dangerous approach from a security point of view.

Once you have logged in you will be running your typical graphical interface but with system-wide permissions. This means an inadvertent mistake could have systemwide consequences. For example, you could drag an important system file or program to the trash can. Without your typical user-level restrictions, the file would be removed and the system could quickly come to a grinding halt.

SuSE systems warn you that you are the root user by displaying a red background with bombs on it but this is just a warning to you to be careful. The system isn’t checking your work so it is up to you not to make a mistake or you will just pay the consequences. A better solution would be to have you use your normal login for most of the work but be able to temporarily become the administrator as needed.

YAST, SuSE’s graphical administration program offers a level of protection. You can start YAST from the menu and it prompts you for the root password and then keeps you within its graphical environment. Thus, you at least have the level of hand-holding that YAST offers before you can make a fatal mistake. But, besides still having the ability to make a mistake, a bug in the YAST software itself could result in system damage.

The real goal is to do the various tasks with the minimum permissions that allow the task to be performed. For geeks, Linux (and UNIX) has always had the su or substitute user command. This means that from the command line, you could become the administrator or any other user as long as you had the appropriate password. No need to log out and back in.

The most common place where this capability would be used in in building new software from source code. Typically, this is done by running three commands, ./configure, make and make install. Only the last one of these commands (make install) needs to be run as the administrator. Thus, from the command line, the user can use the su command before running make install to run only the one command as root. Not much overhead for a large amount of added security.

While this approach is a lot safer than just logging in as root, you still must remember to exit the administrator level with either exit or Control-D to get you back to your own user permissions. That means forgetting a step or just being lazy can be dangerous. A safer approach would be to require you to take action each time you want to run a command as root.

Enter the sudo command. Unlike su, sudo changes your permissions for only a single command. Once that command completes your permissions revert back to the ones you had when you logged in. Note that while sudo has additional capabilities, 99% of the time this is all you want. For the geeks out there, read the sudo man page by entering man sudo in a terminal window.

Using sudo, the build sequence described above just becomes ./configure, make and sudo make install. No other changes other than adding sudo to the third command and no need to exit to get back to your normal user permissions.

Both the Knoppix and Ubuntu/Kubuntu distributions don’t include the su command nor do the have root logins. The only way to get administrator privileges at the command-line level is to use sudo. With Knoppix running from a live CD there are no user logins so sudo happens with no questions asked.

With Kubuntu, it works a bit different. When you enter the sudo command for the first time, you will be prompted for a password. What password? Yours. That is, the password you normally use to log in. This is to prevent someone walking over to an unattended system from getting root access. In order to make it more convenient to do a series of commands as root, Kubuntu remembers that you have run as root recently and doesn’t require the password. But, after a short idle period, you will be asked for it again.

Hopefully this article has filled in your knowledge on how to get administrator access. The most important information in this article is, however, to always try to do as much as possible without administrator permissions. Using this approach you will find that you say "Oops!" a lot less often.

14 thoughts on “Linux Command Sudo vs SU

  1. Oh what I was actually asking is, why does ubuntu not have a (known) root password, given that you can just sudo su – which if anything would be worse than using su since you are probably setting a less secure password for an ordinary user than for root?

    Seems like it would be safer to have both passwords and to prevent sudo breakouts like that?

    • simiancreased says:

      Hi Sophia,
      You have a good question on this thing. I used to asked myself too when I use Ubuntu for the first time (I have used BackTrack before with full of Auditing and security tools inside). For me, Ubuntu is like for the beginner user who wants to explore what “Linux” is. It’s like the most easiest Linux where others with other operating system who wants to change their OS to linux but don’t have any knowledge about it. So, Ubuntu has made it in simple ways with full of GUI.

      Everybody can hack password, it depends on how long does it takes, not how good you have your password or what does your operating system did. I think it’s safe enough because Ubuntu have made it simple, with remembering that you have run as root recently and doesn’t require the password. But, after a short idle period, you will be asked for it again. This is a kind of security backups.

      CMIIW

  2. ishmeet says:

    Is it necessary that we should know the password of another user or administrator to use it? what can we do to use access and read/write the data of other users???reply a.s.a.p

    • simiancreased says:

      Hello ishmeet,

      It is not necessary to know the administrator password. The only thing you will get by knowing this password is that you will get the unlimitted access of the computer, like install or uninstalling apps.
      With gaining access of others data, we will get some information. Either manipulating, modifying or deleting it. CMIIW

    • simiancreased says:

      Of course they will know it. They will find some issue of can’t log in with their account, and from there they will know that they are being monitored. CMIIW

  3. ishmeet says:

    ok dude now correct me if i am wrong.
    if some user is not logged in .then we can use the SU command to access (read/write) their account (without knowing their password).and we can’t be spotted by the admin .(because the user is not logged in).am i right?

  4. Hello, I think your blog could possibly be having browser compatibility
    problems. Whenever I look at your website in Safari, it looks fine however when opening in
    Internet Explorer, it has some overlapping issues.

    I just wanted to give you a quick heads up! Besides that, fantastic website!

  5. We are a group of volunteers and starting a new scheme in our community.

    Your site provided us with valuable info to work on. You’ve done an impressive job and our entire community will be thankful to you.

  6. Wօnderful work! Thiis is the kind of ino that aree meaոt to be shared aross
    the web. Shame on Goߋgle for now nօt positioning this put
    up higher! Comе on over and visit my web site .
    Thanks =)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s