The difference between Sudo and Su

  • su switches the current session to another user account
  • sudo lets an ordinary user execute individual commands with root permission

The su command lets the current user switch to another user. Its argument is the name of the target user. You will be asked for a password: the password of the user you are switching to, not your own.

sudo stands for "superuser do". It allows authenticated users to run commands as other users. Those other users can be ordinary users or the superuser, but most of the time it is used to run commands with elevated permissions.

Sudo command workflow

  • sudo reads and parses the /etc/sudoers file to find the calling user and the permissions granted to them
  • it prompts for the password of the user who invoked the command; if the matching entry carries the NOPASSWD flag, the password check is skipped
  • sudo creates a child process that calls setuid to switch to the target user
  • finally, the given command is executed in the child process

Sudo configuration

USER/GROUP HOST=(USER[:GROUP]) [NOPASSWD:] COMMANDS
  • USER/GROUP: the user or group being authorized; a group name starts with %
  • HOST: the host from which the user may run sudo; ALL allows any terminal or machine
  • (USER[:GROUP]): the user (and optionally group) that sudo may switch to; ALL means any user on the system
  • NOPASSWD: if present, the user or group does not need to enter a password when using sudo
  • COMMANDS: the commands that may be run, separated by commas; ALL allows any command
Example entries (edit the file with visudo, which checks the syntax before saving):

%sudo   ALL=(ALL:ALL) ALL
# the user escape may run any command as any user without a password
escape  ALL=(ALL) NOPASSWD: ALL
escape  localhost=/sbin/shutdown -h now
# Allow users in the users group to mount and unmount the CD-ROM as root
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

Execute commands with elevated privileges

> sudo cat /etc/passwd

When you execute this command, it asks for the password of the invoking user, rumenz, not root's.

Run the command as another user

> sudo -u deploy whoami
deploy

Built-in command behavior

One limitation of sudo is that it cannot run the shell's built-in commands: it executes a program found on PATH rather than asking a shell. history is such a built-in. If you try to run it with sudo, you get the following error:

> sudo history 
[sudo] password for rumenz: 
sudo: history: command not found
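As an added illustration (not sudo's own code), the following Python sketch reproduces steps 3 and 4 of the workflow described earlier: fork a child, switch it to the target user with setgid/setuid, and exec the command. It also shows why a built-in such as history fails: exec looks for an executable file on PATH, and no such file exists. run_as and demo are names chosen here; demo runs as the current user, so it needs no root, and when run as root it also clears the supplementary groups (real sudo instead loads the target user's group list).

```python
"""Constructed example of sudo's fork / setuid / exec steps, not sudo's own
code.  run_as() and demo() are names chosen for this illustration."""
import os
import sys


def run_as(uid: int, gid: int, argv: list) -> int:
    """Fork a child, switch it to uid/gid, exec argv; return the exit status
    (127 when argv[0] is not an executable file on PATH, as sudo reports)."""
    pid = os.fork()
    if pid == 0:                                   # child process
        try:
            if os.geteuid() == 0:
                # Only root may change supplementary groups.  Real sudo
                # loads the target user's group list; this sketch clears it.
                os.setgroups([])
            # Drop the group first: once the uid is no longer 0, a later
            # setgid() would fail with EPERM.
            os.setgid(gid)
            os.setuid(uid)
            if os.getuid() != uid or os.getgid() != gid:
                raise PermissionError("identity switch did not take effect")
            # execvp searches PATH for a *file*; a shell builtin such as
            # history has no file, so this is where "sudo history" fails.
            os.execvp(argv[0], argv)
        except FileNotFoundError:
            sys.stderr.write(f"run_as: {argv[0]}: command not found\n")
            sys.stderr.flush()
            os._exit(127)
        except OSError as exc:
            sys.stderr.write(f"run_as: {exc}\n")
            sys.stderr.flush()
            os._exit(1)
    _, status = os.waitpid(pid, 0)                # parent waits for the child
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return 128 + os.WTERMSIG(status)              # child was killed by a signal


def demo() -> dict:
    """Run as the *current* user (no root needed): a real program, then a
    shell builtin that cannot be exec()ed because it is not a file."""
    uid, gid = os.getuid(), os.getgid()
    return {
        "program": run_as(uid, gid, [sys.executable, "-c", "import sys; sys.exit(3)"]),
        "builtin": run_as(uid, gid, ["history"]),
    }


if __name__ == "__main__":
    print(demo())   # {'program': 3, 'builtin': 127}
```

The order of the two drops matters: setgid must come before setuid, because a process that has already given up uid 0 is no longer allowed to change its group. The "command not found" path is exactly the one the sudo history output above shows, and the fix the next paragraph gives (start a root shell with sudo bash) works because bash, unlike history, is a file on PATH.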

We can access the root shell and execute any command from there, including the shell’s built-in commands.

To access the root shell, execute the following command:

[rumenz@localhost]$ sudo bash
[root@localhost rumenz]# history

Sudo executes multiple commands

sudo -- bash -c 'pwd; hostname; whoami'
  • The double hyphen (--) ends sudo's own option parsing; everything after it is the command to run
  • bash is the name of the shell used to execute the commands
  • The -c option is followed by the command string to execute

Restrict the user from executing certain commands

To provide controlled access, we can restrict a sudo user to certain commands. For example, the following line allows only the echo and ls commands.

rumenz ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
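As an added example (not from the original post or from the sudo project), here is a small Python parser and matcher for the user-specification lines described in the configuration section above, exercised on a sample file that reuses those entries together with a rumenz line from this section. It follows the sudoers rules that matter most in practice: commands are separated by commas, a command listed without arguments matches any arguments, a command listed with arguments matches only those exact arguments, and the last matching entry wins. The sample file, the host names and the deploy entry are constructed for the demonstration, and real sudo supports far more syntax (aliases, Defaults, wildcards, negation) than this subset.

```python
"""Constructed example: a minimal parser/matcher for sudoers user
specifications of the form  USER/GROUP HOST=(USER[:GROUP]) [NOPASSWD:] COMMANDS.
It is not sudo's own parser and covers only the subset used on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"""^(?P<who>%?[\w.@-]+)\s+                 # user, %group or ALL
        (?P<host>[\w.-]+)\s*=\s*                 # host or ALL
        (?:\(\s*(?P<ruser>[\w.-]+)               # optional (USER[:GROUP])
           (?::(?P<rgroup>[\w.-]+))?\s*\)\s*)?
        (?P<tags>(?:(?:NOPASSWD|PASSWD):\s*)*)   # optional tags
        (?P<cmds>.+?)\s*$""",                    # comma-separated commands
    re.VERBOSE,
)


@dataclass
class Rule:
    who: str                      # user name, %group, or ALL
    host: str
    run_as_user: str = "root"     # sudoers default when (USER) is omitted
    run_as_group: Optional[str] = None
    nopasswd: bool = False
    # (path, args); args == "" means "any arguments", as in sudoers
    commands: List[Tuple[str, str]] = field(default_factory=list)


def parse_sudoers(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {raw!r}")
        cmds = []
        for spec in m.group("cmds").split(","):  # commas separate commands
            parts = spec.strip().split(None, 1)  # first word is the path
            cmds.append((parts[0], parts[1] if len(parts) > 1 else ""))
        rules.append(Rule(
            who=m.group("who"),
            host=m.group("host"),
            run_as_user=m.group("ruser") or "root",
            run_as_group=m.group("rgroup"),
            nopasswd="NOPASSWD:" in m.group("tags"),
            commands=cmds,
        ))
    return rules


def allowed(rules, user, groups, host, path, args=""):
    """Return (permitted, nopasswd) for `user` running `path args` on `host`.
    Like sudo, the last matching entry decides."""
    verdict = (False, False)
    for r in rules:
        who_ok = r.who == "ALL" or r.who == user or (
            r.who.startswith("%") and r.who[1:] in groups)
        host_ok = r.host in ("ALL", host)
        if not (who_ok and host_ok):
            continue
        for cpath, cargs in r.commands:
            if cpath == "ALL" or (cpath == path and cargs in ("", args)):
                verdict = (True, r.nopasswd)
    return verdict


# Constructed sample: entries from the configuration section, a rumenz line
# written WITHOUT the comma (a common mistake), and the correct comma-separated
# form given to the hypothetical user deploy.
SAMPLE = """\
%sudo   ALL=(ALL:ALL) ALL
escape  localhost=/sbin/shutdown -h now
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
rumenz  ALL=(ALL) NOPASSWD: /bin/echo /bin/ls
deploy  ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
"""

if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE)
    for r in rules:
        print(r)
    # Without the comma, rumenz may run only "/bin/echo /bin/ls", never ls:
    print(allowed(rules, "rumenz", [], "host1", "/bin/ls"))               # (False, False)
    print(allowed(rules, "rumenz", [], "host1", "/bin/echo", "/bin/ls"))  # (True, True)
    print(allowed(rules, "deploy", [], "host1", "/bin/ls", "-la"))        # (True, True)
```

Running the script shows the point of the comma: `/bin/echo /bin/ls` parses as one command, /bin/echo with the single argument /bin/ls, so the user cannot run ls at all and can run echo only with that exact argument. The same matcher also shows the host field doing its job (escape may shut down localhost but not another host) and a group entry granting the users group its two mount commands with a password.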

Use sudo in vim

Sometimes we edit a system configuration file and only realize when saving that root access is needed to write it, which could mean losing our changes. There is no need to panic: the following command inside Vim resolves the situation.

:w !sudo tee %
  • The colon (:) enters Vim's command-line (Ex) mode
  • The exclamation mark (!) runs what follows as a shell command, with the contents of the buffer as its standard input
  • sudo and tee are shell commands: tee, running as root, writes that input to the file
  • The percent sign (%) expands to the name of the file being edited, which is the file tee writes to

The principle of sudo

> ls -l /usr/bin/sudo
---s--x--x. 1 root root 143248 Jun 28  2018 /usr/bin/sudo

If you look closely at the file permissions, you see that the setuid bit is set on sudo. When any user runs the binary, it runs with the rights of the user who owns the file. In this case, that is root.

When we run the id command without sudo, the identity of the user rumenz is shown.

> id
uid=1001(rumenz) gid=1001(rumenz) groups=1001(rumenz)

When id is run with sudo, it reports root:

> sudo id
uid=0(root) gid=0(root) groups=0(root)

sudo -i

sudo -i switches you to a root shell. If you frequently need to run commands that only the superuser can run and do not want to enter a password every time, use this command. If you are prompted for a password, it is the password of the current account. There is no time limit. After the command runs, the prompt changes from $ to #. To return to the normal account, run exit or logout.

sudo !!

The Linux command line records the commands previously executed; these records can be accessed by pressing the up arrow. To repeat the last command with elevated privileges, use the following:

> sudo !!

sudo !n

Want to run a command as root but forgot to use sudo? Don't worry. sudo !! uses the shell's command history to run the command you meant to run. The arguments !! and !-1 both run the command we just entered as root. By analogy, we can run the penultimate command with the following command:

> sudo !-2

Original link: rumenz.com/rumenbiji/l… WeChat official account: entry station