
Since ancient times, many have been confused by the variety of security options when performing operations with maximum privileges. For example, the official Ubuntu documentation recommends something like sudo nano as an editing command, while numerous amateur manuals (in the style of "5 tricks on the command line that will surprise your grandmother") suggest writing sudo su - to get a new root shell. I will try to explain why this state of affairs seems wrong to me.

Historically, the only universal way to run a command as another user in Unix was the su program. Run without parameters, it asked for the root password and, if successful, simply changed the current username to root, leaving almost all environment variables from the old user (except for PATH, USER and a couple more, see man su from your distribution). It was more correct to run it as su -, in which case the shell would also get the correct environment. With the -c option, it was possible to execute a single command: su -c "vim /etc/fstab".

At the same time, trusted users had to remember the root password, and all users listed in the wheel group (that is, in a group whose members could execute the su command and become a superuser) had the same unrestricted access to the entire system, which was a serious security problem.

Then came the sudo command, and that was the breakthrough. Now the administrator could specify a list of allowed commands for each user (or group of users), files available for editing, special environment variables and much more (all this splendor is controlled from /etc/sudoers , see man sudoers from your distribution). When sudo runs, it asks the user for their own password, not the root password. A full shell can be obtained with " sudo -i "

Of special note is the special command sudoedit , which safely launches the editor specified in the $EDITOR environment variable. With a more traditional scheme, editing files was done something like this:
sudo vi /etc/fstab

Vi launched in this way ran with unlimited rights, and through :! the user could run any command (unless, of course, the admin took care of it in advance) and open any file.

Sudoedit checks whether this user may edit the given file, then copies the specified file to a temporary directory, opens it in an editor (which inherits the user's rights, not root's), and after editing, if the file has been changed, copies it back with special precautions.

On Debian-based distributions, the root user does not have a password, instead all administrative actions must be done through sudo or its graphical counterpart gksudo . As a complete replacement for su , sudo should be the only command to switch between users, however, as mentioned at the beginning, this is not the case at the moment and everyone invents wild sequences of sudo, su, vi and dashes for some reason.

Therefore, I suggest everyone once and for all remember:

After the first publication of this note, I was asked several questions. From the answers it turned out to make a mini-FAQ.

Q: How do I do su -c "echo 1 > /etc/privileged_file" with sudo? sudo echo 1 > /etc/privileged_file complains "permission denied".
A: This is because only the echo command is executed with elevated rights, while the redirection into the file is performed with normal user rights. To add something to privileged_file, you need to run the following command:
$ echo 1 | sudo tee -a privileged_file >/dev/null
Or temporarily become root:
$ sudo -i
# echo 1 > privileged_file
# exit
$
Q: sudo -i is longer than su - , and there seems to be no difference between them, why print more?
A: sudo has several advantages that are worth the trouble of typing a few extra characters:

  • by default, sudo writes all user activity to the authpriv syslog channel (as a rule, the result ends up in the /var/log/auth.log file), while for su a similar feature must be enabled by setting a special parameter in a settings file that differs from distribution to distribution (SULOG_FILE in /etc/login.defs in Ubuntu Linux, /etc/login.conf and /etc/pam.d/su on FreeBSD, etc.)
  • in the case of su, the system administrator cannot restrict the commands that users can execute, but in the case of sudo, he can
  • if the user should be deprived of administrative rights, in the case of su, after removing him from the wheel group, he must forget the root password; if sudo is used, it is enough to remove him from the appropriate group (for example, wheel or admin) and/or from the sudoers file if it has been additionally configured.
Q: I'm the only user on my system and I'm used to su, why do I need sudo?
A: I will answer the question with a question: if there is a correct sudo, why use the deprecated su?
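The syslog records mentioned in the first point above can be reviewed for the habits this note argues against (sudo su, a root shell, an editor started as root instead of sudoedit). This is an added example, not part of the original note; the log lines are constructed in the format sudo writes to syslog, and the ROOT_SHELLS and EDITORS sets are assumptions of the example.

```python
import re

# Constructed sample lines in the format sudo writes to syslog (authpriv facility).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install skype
Mar  3 10:17:44 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 10:20:09 host1 sudo:    carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Mar  3 10:21:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit /etc/fstab
Mar  3 10:25:12 host1 sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Mar  3 10:26:40 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/fdisk -l
Mar  3 10:27:00 host1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 10:30:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# Assumptions of this example; extend both sets for your environment.
ROOT_SHELLS = {"su", "sh", "bash", "zsh"}   # programs that yield a root shell
EDITORS = {"vi", "vim", "nano"}             # editors better replaced by sudoedit

LINE_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}


def parse_sudo_line(line):
    """Return a dict for one sudo syslog record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND= is always the last field and may itself contain " ; ".
    head, sep, command = m.group("body").partition("COMMAND=")
    if not sep:
        return None
    event = {"user": m.group("user"), "command": command.strip(), "error": None}
    for part in head.split(" ; "):
        key, eq, value = part.strip().partition("=")
        if eq and key in FIELDS:
            event[FIELDS[key]] = value.strip()
        elif part.strip():
            event["error"] = part.strip()   # e.g. "user NOT in sudoers"
    return event


def classify(event):
    """Label one parsed record: denied, root-shell, editor-as-root or ok."""
    if event["error"]:
        return "denied"
    words = event["command"].split()
    prog = words[0].rsplit("/", 1)[-1] if words else ""
    if prog in ROOT_SHELLS:
        return "root-shell"
    if prog in EDITORS:
        return "editor-as-root"
    return "ok"


def review(log_text):
    """Return (user, verdict, command) for every record that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event:
            verdict = classify(event)
            if verdict != "ok":
                hits.append((event["user"], verdict, event["command"]))
    return hits


if __name__ == "__main__":
    for user, verdict, command in review(SAMPLE_AUTH_LOG):
        print(f"{verdict:15} {user:6} {command}")
```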

Paradoxically, the sudo command does not preclude running an administrator session inside a normal user session. Because it can be used to run the same su command:

$ sudo su

And this works even in Ubuntu, where there is no root account; more precisely, by default it has no password. But using sudo makes a root password unnecessary even for the su command. Still, it is not forbidden to set the superuser password; for this it is enough to give the command

$ sudo passwd

to use su in the usual way. And even, if desired, log in as root when registering in the system.

However, even here the sudo command provides an “ideologically correct” method, and not even one. These are the -s and -i options, which prolong, albeit in slightly different ways, the action of the sudo command indefinitely, until the “secondary session” ends with the exit command.

The -s option, when opening a secondary root session, preserves all environment variables of the original user. However, if you add the -H option to it, then these variables will be re-read from the profile files of the administrator's home directory, that is, /root, as when launching an interactive shell instance. However, the directory that was current at the time the command was entered will not change, nor will the appearance of the command-line prompt.

The -i option completely reproduces the root environment by running its shell as a login shell. Of course, this also changes the current directory to /root, and the command line prompt takes the form described in the corresponding variable in the profile file of the administrative shell (in bash - PS1).

In practice, there isn't much difference between the two forms of gaining permanent admin rights, especially in bash . But in zsh, with the appropriate settings of profile files, if desired, you can achieve significantly different environments in each of these cases. True, how much the user needs is a big question. But the fact that when using the -H options, being in permanent administrative mode does not appear outwardly in any way is fraught with errors. This makes the -i option preferable in most cases.

By the way, sudo's capabilities are not limited to running commands as an administrator: by setting the -u username option, they can also be executed on behalf of the user whose login is set as its value. This can be useful when viewing or copying another user's dot files and dot directories, often only readable and editable by their owner.

By the way, the sudo command can be run so that it asks for the password of the user on whose behalf the command will be executed (for example, administrator), and not the one who requires his authority. There is a -targetpw option for this. And to make the requirement of the root password permanent, it is enough to define, for example, an alias like

Alias ​​sudo -targetpw

Requiring a root password when running sudo is its default behavior in some distributions, for example Suse is said to be.

The sudo command has many more options - above I have given only those that I had to use. The rest is easy to see in man sudo . Of those not listed, I will also mention the -b option, which instructs to run the “jurisdictional” command in the background. It can be useful when performing long-term tasks, such as copying USB images to a flash drive with the dd command.

As we have just seen, the sudo command gives the user almost unlimited powers for any system-wide actions, as well as for manipulating other people's user data. With this in mind, let's ask ourselves the following questions:

  • whether any user can gain admin rights through the sudo command, and
  • Can he perform all administrative actions through it?

If we talk about the Ubuntu family, in which this mechanism was first used “out of the box”, then the answer to the first question will be negative and to the second positive. In general, it depends on the settings of the sudo program, which are described in the /etc/sudoers file. In it you can set rules that allow only certain users to execute certain commands. In summary, a rule looks like this:

username host=command

Here, as you might guess, username is the name of the user for which this rule is set, host is the name of the machine from which he can resort to this rule, and command is the specific command that the given user is allowed to use from this machine. The command must be given with the full absolute path (i.e. /sbin/fdisk, not fdisk). The command description field can include multiple values separated by commas, for example:

username ALL = /sbin/fdisk,/bin/mount

In Ubuntu, the default rules for user access to administrative privileges are described as follows:

# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

That is, the root user, as it should be, can execute any commands from any hosts. But only users belonging to the admin group (an analogue of the wheel group, which was mentioned in) can get its rights. A user created during a typical installation automatically becomes a member of this group, and therefore all administrative rights are available to him without any further settings. However, other users, whose accounts will be created later, are deprived of this privilege. Unless, of course, they were specifically included in the admin group.

In other distributions that do not use sudo out of the box, you will need to edit its configuration file - the same /etc/sudoers mentioned above.

The /etc/sudoers file is a regular text file, and, accordingly, it can be edited in any text editor (or, say, using ed or sed). However, at the same time, there is a certain risk of screwing up something (due to the usual typos), up to completely blocking access to superuser privileges for oneself. Of course, these situations are fixable - for example, through a reboot in single-user mode. However, it's best not to hit them. And therefore, a more reliable means of modifying /etc/sudoers is to use a utility specially designed for this - visudo .

The visudo utility does nothing fancy: it just opens /etc/sudoers in the text editor named by the superuser's EDITOR variable (if it is not defined, this will again be classic vi, hence the name) and allows you to edit it in the usual way, and then exit the editor, saving the results by its regular means. However, before the result is installed, it is checked for correctness. If a violation of the syntax accepted for /etc/sudoers is detected, an appropriate warning is issued, after which you can return to editing, discard the changes made, or still accept them (of course, under your own responsibility).

The visudo utility does not guarantee 100% editing success. Since it checks only the conformity of the syntax, but not the “correctness of the rules themselves”. That is, if an error is made in specifying the path to the command needed for this rule, this command will not work through sudo.

However, in reality it usually looks much simpler and not scary at all. So, in Fedora 11, in the exemplary /etc/sudoers config, I only had to uncomment the line

%wheel ALL=(ALL) ALL

to give the user from the specified group (and I included myself there in advance, as described in) all the rights that the administrator has. At the same time, it would be possible to provide yourself with a pull and the ability to use sudo without a password. This would require uncommenting the line

# %wheel ALL=(ALL) NOPASSWD: ALL

But I limited myself only to making the password last longer by entering the (initially missing) line

Defaults timestamp_timeout=10

where the timeout value is in minutes. By the way, if you change it to zero -

Defaults timestamp_timeout=0

then the password will be requested each time the sudo command is accessed.

Alternatively, you can disable the timeout on the sudo action by entering a negative value for it:

Defaults timestamp_timeout=-1

In this case, the password will be requested only the first time this command is called.

A closer look at the /etc/sudoers file will easily reveal the possibilities to give certain users or groups only a limited set of rights. However, here the subtleties of real administration begin. I simply deprived my double-experimenter of access to any administrative actions in order to stop all his encroachments in this field. However, even this does not always allow me to cope with him - just as Timur Shaov is unable to cope with his lyrical hero.

The sudo command is very important for managing access rights in the Linux operating system. Thanks to this small command, you can give other users permission to perform certain actions on behalf of the administrator without giving them the superuser password itself. Also, you do not need to stay logged in under the superuser account just to perform administrative actions occasionally.
It would seem to be a small command with a minimum of features and the simplest possible use, but in fact it can do much more. In this article, we will look at how sudo is configured in Linux to control access to system functions and user capabilities.

How does sudo work?

Before moving on to setting up access to the sudo utility, let's look at how it works. On Linux, there are two ways to get administrator rights. You can switch to the root user with the su command, or you can pass the desired command as a parameter to the sudo utility, which will execute it with administrator rights. Moreover, the second method is preferable, because you will not forget that you are using root rights and will not do anything extra.
The command name means substitute user do or super user do. The utility allows you to run programs on behalf of another user, but most often on behalf of root. The utility was developed back in 1980 by Bob Coggeshall and Cliff Spencer. Since then, many developers have come and gone and many features have been added.
sudo works thanks to the SUID access flag. If this flag is set for a program, it is executed not on behalf of the user who launched it but on behalf of the file's owner; since the sudo file belongs to root, the utility is executed as root. It then reads its settings, asks for the user's password, and decides whether he can be allowed to run commands as an administrator. If yes, then the command passed in the parameter is executed.
Now that you know the theory, let's look at how to set up sudo on Linux.

Setting up sudo on Linux

All sudo settings are located in /etc/sudoers. Here you can configure a lot of parameters, from who will be allowed to execute commands on behalf of the superuser to limiting the set of available commands.
To open a file for editing, type the following command as superuser:

You can also specify the text editor in which you want to edit the configuration file:

# EDITOR=nano visudo

Next, we will look at the most interesting settings that you can set in this file. But first, let's look at the basic syntax of the file. It consists of two types of lines: aliases, which allow you to create lists of users and flags, and the rules themselves, which specify how the sudo command will behave. The alias syntax looks like this:
type alias_name = element1, element2, element3
The type specifies what type of alias to create, the name specifies the name to be used, and the list of elements specifies the elements that will be implied when referring to this name.
The description of permissions for users has a slightly different syntax:
user host = (other_user:group) commands
The user specifies the user or group for which we are creating the rule, and the host is the computer to which this rule will apply. Other user is the user as whom the first one can execute commands, and the last field is the allowed commands. An alias can be used instead of any of the parameters. And now, setting up sudo on Debian and other distributions.

Main settings

The Defaults alias allows you to set standard parameters for the utility to work, and we will consider them in this section. Such a line begins with the word Defaults, followed by the name of the flag. If there is a ! symbol before the name, the flag is turned off; otherwise it is turned on:
Disable intro on first use:

Defaults !lecture


The superuser cannot sudo:

Defaults !root_sudo



Now if you try to sudo sudo nothing will work:


Change the home directory for the target user, defaults to the current user's folder as the home directory:

Defaults set_home



Save the list of groups of the current user:

Defaults !preserve_groups



Prompt for superuser password instead of user password:



Next, consider the variables that can be assigned values to set the desired settings:
Set the number of password attempts before sudo exits, default is 3:

Defaults passwd_tries=5





The number of minutes that will elapse before sudo asks for a password again, the default is 5. If set to 0, then the password will always be asked, no matter how long ago you used the utility:

Defaults timestamp_timeout=10



The following parameter specifies the number of minutes that sudo will wait for the password to be re-entered if it is entered incorrectly:

Defaults passwd_timeout=10



You can change the message that will be displayed when prompted for a password:

Defaults passprompt="Your password is:"


You can specify another user, not root, from which all commands will be executed, for this use:

Defaults runas_default="user"

You can log all attempts to connect to sudo:

Defaults logfile=/var/log/sudo



Then we try to check the operation of the log:

$ sudo cat /var/log/sudo



These have been all of the most interesting sudo configuration options you may need, next we will look at how to set sudo permissions for users.

Setting up sudo users

We have already discussed the syntax for setting actions for users above, everything is more complicated here than with aliases, but you can figure it out. For example, let's allow any user to use sudo, from any host, and execute any commands:

ALL ALL = (ALL) ALL



Such a command is very insecure, it allows everyone and everything. The first is ALL to allow all users, the second is ALL to all hosts, the third is ALL to allow login as any user, and the fourth is to allow any command to be executed. But much more often another construction is used:

%wheel ALL = (ALL) ALL


It means the same as the previous one, only here we do not allow all users to use sudo, but only those who are members of the wheel group.

%wheel ALL = (root) ALL

Here we have already limited the possible selection of users to only the root user. You can also specify the user group on whose behalf he can execute commands:

%wheel ALL = (root:admins) ALL



This means that you can run the command as root or another user from the admins group. We can also specify commands that the user can execute. For example:
  • Runas_Alias - alias of users on whose behalf the commands will be executed;
  • Host_Alias - host alias;
  • Cmnd_Alias - command alias.

For example, let's create four aliases and apply them to our rule:

    User_Alias Users = user1,user2,user3
    Runas_Alias Admins = root,admin
    Host_Alias Hosts = host1,host2
    Cmnd_Alias Cmds = /bin/mount, /bin/umount

    Users Hosts = (Admins) Cmds

    This means that users in the Users list will be able to execute the Cmds commands as the Admins users on Hosts.
    It remains to say a few words about the flags. The NOPASSWD flag tells sudo not to ask for a password when executing this rule. For example, to allow all users to execute the mount command with sudo without a password:

    ALL ALL = (root) NOPASSWD: /bin/mount

    You can also disable this particular command at all using the NOEXEC flag:

    ALL ALL = (root) NOEXEC: /bin/mount

    You can check if the /etc/sudoers file was configured correctly and see all the created rules using the command:


    All flags and settings set, as well as the permissions of this user, are displayed here.

    Conclusions

    In this article, we looked at how sudo is configured on Linux. As you can see, although it is a very simple utility, it hides a lot of useful settings that you can use in your system. If you have any questions, ask in the comments!

    In any Linux system, there is always one privileged user: root. This user has the rights to perform any action, delete any files and change any settings. It is almost impossible to somehow limit the freedom of action of root. On the other hand, all other users of the system usually do not have most of the necessary rights, for example, rights to install programs, since this is an administrative operation that only root has rights to. Another common operation, available only to the superuser, is copying and modifying files in system folders where the normal user does not have access.

    Previously, this problem was solved quite simply: if you had the root password, you could log into the system under his account or temporarily get his rights using the su command. Then perform all the necessary operations and return back as a regular user. In principle, such a scheme works well, but it has many significant drawbacks, in particular, it is impossible in any way (more precisely, it is very difficult) to limit administrative privileges only to a certain range of tasks.

    Therefore, in modern Linux distributions instead of the root account for administration, the sudo utility is used.

    In Ubuntu, by default, the root account is generally disabled, i.e. there is no way you can access root without enabling it. root is exactly what is disabled, i.e. it is present in the system, you just cannot go under it. If you want to return the ability to use root, see the paragraph on enabling the root account below.

    What is sudo

    sudo is a utility that grants root privileges to perform administrative operations according to its settings. It allows you to easily control access to important applications in the system. By default, when installing Ubuntu, the first user (the one created during installation) is given full rights to use sudo. That is, in fact, the first user has the same freedom of action as root. However, this behavior of sudo is easy to change, see below in the paragraph about configuring sudo.

    Where is sudo used

    sudo is used whenever you run something from the System Administration menu. For example, when starting Synaptic, you will be asked to enter your password. Synaptic is an install management program, so you need administrator rights to run it, which you get through sudo by entering your password.

    However, not all programs that require administrative privileges are automatically run with sudo. Usually you have to start programs with administrator rights manually.

    Running graphics programs with administrator rights

    To start graphical programs with administrator rights, you can use the program launch dialog, called by default with the keyboard shortcut Alt + F2 .

    Let's say we need to run the Nautilus file manager with administrator rights in order to change the contents of system folders through the GUI. To do this, enter the command in the application launcher dialog

    gksudo nautilus

    gksudo can be replaced with gksu , and KDE users should write kdesu instead of gksudo . You will be asked to enter your password, and if you have the necessary rights, Nautilus will run as administrator. Any graphical software can be launched with administrator rights by simply writing in the launch dialog

    gksudo <command_name>

    Be extremely careful when working in applications running with administrator rights. You will be able to perform any operation without any warnings from the system, in particular, delete system files thus rendering the system unusable.

    Running programs with administrator rights in the terminal

    To run a command in the terminal as an administrator, simply type sudo in front of it:

    sudo <command>

    You will be asked to enter your password. Be careful: the password is not displayed in any way as you type it; this is normal and is done for security purposes. Just type it to the end and press Enter. After entering the password, the specified command will be executed as root.

    The system remembers the entered password for some time (keeps the sudo session open). Therefore, subsequent sudo runs may not require the password. To ensure that a sudo session is terminated, type in a terminal

    In addition, mistakes related to pipes in Linux are common. When executing the command

    sudo cat test.txt | grep text > result.txt

    only cat will be executed as root, so the file result.txt may not be written. You either need to write sudo before each command, or temporarily switch to superuser.

    Getting superuser rights to execute multiple commands

    Sometimes it becomes necessary to execute several commands in a row with administrator rights. In this case, you can temporarily become the superuser with one of the following commands:

    sudo -s
    sudo -i

    After that, you will enter the superuser mode (with restrictions imposed through the sudo settings), as indicated by the # symbol at the end of the command prompt. These commands act similarly to su , however:

    • sudo -s does not change the home directory to /root; the home directory remains that of the user who called sudo -s , which is usually very convenient.
    • sudo -i also changes the home directory to /root.

    To exit back to normal user mode, type exit or simply press Ctrl + D .

    Using the traditional root account and the su command

    Unlocking the root account brings unjustified risks (by working as root all the time you have 100,500 ways to "shoot yourself in the foot"), and also makes it easier for an attacker to gain access to your computer.

    Ubuntu 11.04 and below

    To log in as root, just set a password for it:

    sudo passwd root

    Then, on the login screen, click Other... and enter the login (root) and password that you set.

    Ubuntu 11.10 and newer

    Since version 11.10, the lightdm login manager has been installed, and dealing with root logins is a bit more complicated.

    1. Set the root password. Type in terminal:

    sudo passwd root

    2. Turn on the item "Enter your login". Type in terminal:

    gksu gedit /etc/lightdm/lightdm.conf

    At the end of the file add:

    greeter-show-manual-login=true

    3. Restart lightdm. Type in terminal:

    sudo service lightdm restart

    That's it, the "Login" item will appear on the login screen. In the login field, enter "root", in the password field - the password that we set at the first stage.

    To lock the root account back, you will need to revert the changes in the lightdm settings, as well as lock the root account with the command in the terminal:

    sudo passwd -l root

    Setting up sudo and permissions to execute various commands

    sudo allows you to allow or deny users the execution of a specific set of programs. All settings related to access rights are stored in the file /etc/sudoers. This is not an ordinary file. To edit it, you must (for security purposes) use the command

    sudo visudo

    By default, it says that all members of the group admin have full access to sudo , as indicated by the line

    %admin ALL=(ALL) ALL

    You can read more about the syntax and customization options for this file by running

    man sudoers

    If you make a mistake while editing this file, it is quite possible that you will completely lose access to administrative functions. If this happens, then you need to boot into recovery mode, and you will automatically get administrator rights and be able to fix everything. In addition, you can edit this file from the LiveCD.

    Allowing a user to execute a command without entering a password

    In order for the system not to ask for a password with certain commands, add a line in sudoers after the line # Cmnd alias specification in which you list the desired commands with their full paths, separated by commas (the command path can be found by running which commandname):

    # Cmnd alias specification
    Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /usr/sbin/pm-hibernate, /sbin/reboot

    And add the line to the end of the file

    username ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

    Attention! The above steps do not change the need to enter the sudo command before your command

    Creating synonyms (alias)

    In order not only not to enter a password for sudo, but also not to enter sudo at all, do the following: open the .bashrc file located in your home directory

    nano ~/.bashrc

    and add the lines to the end of the file

    alias reboot="sudo reboot"
    alias poweroff="sudo poweroff"
    alias pm-hibernate="sudo pm-hibernate"
    alias hibernate="sudo pm-hibernate"
    alias shutdown="sudo shutdown"

    Validity time of the entered password

    Perhaps you want to change the amount of time sudo runs without entering a password. This can be easily achieved by adding something like this to /etc/sudoers (visudo):

    Defaults:foo timestamp_timeout=20

    Here sudo remains valid for the user foo without the need to enter a password for 20 minutes. If you want sudo to always require a password, set timestamp_timeout to 0.

    sudo doesn't ask for password

    sudo without a password is a monstrous security hole, anyone is allowed to do anything. If you allowed it on purpose - urgently return it back as it was.

    However, in some cases, sudo suddenly stops asking for a password on its own. If you do visudo , then you can see something like this line that the user did not seem to have added:

    ALL ALL=(ALL) NOPASSWD:ALL

    Most likely, this catastrophic line was added when installing a program like Connect Manager from MTS or Megafon. In this case, it needs to be changed to a line that allows only this Connect Manager to run as root, something like this:

    username ALL= NOPASSWD: /path/to/program

    There are other solutions to the problem, a small discussion.
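A small audit of the sudoers pitfalls discussed on this page (blanket NOPASSWD, an editor such as vi granted through sudo, a command given without an absolute path, a negative timestamp_timeout), as an added example that is not part of the original article. It handles only the simple rule forms shown on this page; the sample file, the user names alice, bob and carol, and the SHELL_CAPABLE set are constructed for illustration.

```python
import re

# Constructed sample built from rules quoted on this page; not a real system's file.
SAMPLE_SUDOERS = r"""
# Cmnd alias specification
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /usr/sbin/pm-hibernate, \
                           /sbin/reboot
Defaults timestamp_timeout=-1
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
bob     ALL=(root) /usr/bin/vi /etc/fstab
carol   ALL = fdisk, /bin/mount
ALL     ALL=(ALL) NOPASSWD:ALL
"""

# Programs that hand out a root shell (vi via ":!", su, plain shells).
# The exact set is this example's assumption; extend it for your environment.
SHELL_CAPABLE = {"vi", "vim", "su", "sh", "bash", "zsh"}

ALIAS_RE = re.compile(r"(\w+_Alias)\s+(\w+)\s*=\s*(.*)")
TIMEOUT_RE = re.compile(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#(?!include).*", "", raw).strip()
        if line:
            yield line


def split_list(value):
    """Split a comma-separated sudoers list, honouring escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", value) if p.strip()]


def audit(text):
    """Return (code, who, detail) findings for the risky patterns above."""
    lines = list(logical_lines(text))
    aliases = {}
    for line in lines:                      # pass 1: collect command aliases
        m = ALIAS_RE.match(line)
        if m and m.group(1) == "Cmnd_Alias":
            aliases[m.group(2)] = split_list(m.group(3))
    findings = []
    for line in lines:                      # pass 2: Defaults and user rules
        if ALIAS_RE.match(line):
            continue
        if line.startswith("Defaults"):
            m = TIMEOUT_RE.search(line)
            if m and float(m.group(1)) < 0:
                findings.append(("timeout-never-expires", "Defaults", m.group(0)))
            continue
        if "=" not in line:
            continue
        left, right = line.split("=", 1)
        who = left.split()[0]
        nopasswd = False                    # a tag stays in force along the list
        for item in split_list(right):
            item = re.sub(r"^\([^)]*\)\s*", "", item)        # drop "(runas)"
            m = re.match(r"((?:[A-Z_]+:\s*)*)(.*)", item)
            for tag in re.findall(r"[A-Z_]+", m.group(1)):
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            spec = m.group(2).strip()
            for cmd in aliases.get(spec, [spec]):
                if not cmd or cmd.startswith("!"):
                    continue                # empty entry or explicit denial
                if cmd == "ALL":
                    if nopasswd:
                        findings.append(("nopasswd-all", who, "ALL commands, no password"))
                    continue
                prog = cmd.split()[0]
                if prog == "sudoedit":
                    continue                # editing through sudoedit is the safe form
                if not prog.startswith("/"):
                    findings.append(("relative-path", who, prog))
                if prog.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                    findings.append(("shell-capable", who, cmd))
    return findings


if __name__ == "__main__":
    for code, who, detail in audit(SAMPLE_SUDOERS):
        print(f"{code:22} {who:9} {detail}")
```

Run it against a copy of a real file rather than the live one, and treat a clean result as the absence of these four patterns only; visudo remains the syntax check.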

    As a Linux administrator, I have always used both sudo and su. And for a system administrator it is very important to know the difference between them. For those who don't have a basic understanding of the difference between the two, or always confuse them, here is a list of 12 Q&A's (Questions and Answers) that aim to help you understand the finer points of sudo and su.

    NOTE- This article is specific to Ubuntu only. Although some of the information may apply to most popular distributions.

    sudo vs su

    This series of questions and answers should clarify some of the specifics of sudo vs su for many Ubuntu users.

    Q1. How are sudo and su used? What is the difference between them?

    Answer. sudo is used to run some command with root permission. The interesting thing is that when you use sudo for a specific command, the system will prompt you for the password of the current user. After entering the password, the command is run with superuser privileges.

    Here is an example:

    $ apt-get install skype
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root ?
    $ sudo apt-get install skype
    password for mylinuxbook:
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ...
    ...

    As you can see, first I tried to install Skype using the command apt-get but I got a permission denied error. Then I used sudo with the same command, and the system asked for the password for the mylinuxbook user. After entering the correct password, the command completed successfully.

    On the other hand, su is used to switch to any user. The password of the corresponding user is required. If su is used without options, it switches to the root user account. In this case, the system asks for the superuser password.

    Here is an example:

    $ su mylinuxbook
    Password:
    mylinuxbook@mylinuxbook-Inspiron-1525:~$

    In the example above, I used su to switch to the mylinuxbook user account and after entering the password for mylinuxbook, I was able to do so.

    Here is another example:

    $ su
    Password:
    su: Authentication failure

    In the example above, I used su to switch from a normal user to the root account, but it failed because I didn't have a root password configured. Distributions such as Ubuntu do not have a root password configured by default. Once it is set up, you can use this password.

    Q2. What if I don't want to set up an admin password on my Ubuntu but still want to switch to superuser?

    Answer. In this case, you can try the command "sudo su". Here is an example:

    $ sudo su
    password for mylinuxbook:
    root@mylinuxbook-Inspiron-1525:/home/mylinuxbook#

    Because sudo was used to start su, the system prompts for the current user's password, not the superuser's password. As soon as it was entered, the current account was switched to the root account.

    Q3. What if I want to use su to switch to other user accounts but don't want to remember each and every user password?

    Answer. Well, in that case, just use the su command, enter the administrator password, and switch to the root account. From there, using su, you can switch to any user account without entering passwords.

    Q4. If sudo is used to do something with superuser privileges, then why is the current user's password needed and not the superuser's password?

    Answer. Well, it is not the case that any normal user can use sudo and run commands that require superuser privileges. You, as a user, must be a sudoer as well. This means that you must have the privilege to use sudo. If you are a valid sudoer, the system only asks for a password to make sure you understand that you are doing some work that requires root privileges, and that you should double-check everything before actually doing it.

    Now comes the question of sudoers. How does a user become a sudoer? A user becomes a sudoer when they are added to the sudo group. Here is an example:

    $ sudo adduser <username> sudo

    Just replace <username> with the actual username for the account. Note that previously (prior to Ubuntu 12.04) the group had to be called admin, but this is no longer required.

    You can use the command "groups" to list all the groups a user belongs to. Here is an example:

    $ groups mylinuxbook
    mylinuxbook: mylinuxbook adm cdrom sudo dip plugdev lpadmin sambashare

    So you see that the user "mylinuxbook" is a member of all of these groups, including the sudo group, and is therefore a sudoer.

    Q5. I noticed that as soon as I used sudo, my root rights persist for a long time, although after a while everything returns to normal. What is this?

    Answer. Ubuntu remembers the password for sudo for about 15 minutes. This means that once you have used sudo to execute a command, the system will not prompt you for a password again if you run other commands that require superuser privileges. You will still have to put "sudo" before each command, though.

    Q6. What are the advantages of sudo over su?

    Answer. Sudo has many advantages over su.

    Here is the list:

  • Sudo grants privileges for a specific command (or for a specific period of time) and not for the entire session, since a whole session as root can lead to accidental abuse of superuser privileges.
  • You can use sudo to restrict user permissions. This is useful when you don't want the user to have all superuser rights when running sudo.
  • A log file (auth.log) is kept that covers every sudoer. It records the commands that were executed using sudo and when they were executed. This helps the administrator keep track of even trusted users (sudoers).
  • The most important advantage is that sudo asks for the user's own password instead of the superuser password. This helps keep the root password private, and there is no need to change it even when a user (sudoer) leaves.
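What that audit trail looks like in practice, as an added example that is not part of the original article: the script below parses sudo entries in the traditional syslog format used by auth.log and groups them per user into commands that ran and attempts that were denied. The log lines are constructed samples; the hostname, the guest user and the function name are assumptions, and systems that log ISO timestamps need a different timestamp pattern.

```python
import re
from collections import defaultdict

# Constructed sample in the format sudo writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sudo: mylinuxbook : TTY=pts/0 ; PWD=/home/mylinuxbook ; USER=root ; COMMAND=/usr/bin/apt-get install skype
Mar  3 10:15:01 host sudo: pam_unix(sudo:session): session opened for user root by mylinuxbook(uid=0)
Mar  3 10:21:37 host sudo: mylinuxbook : TTY=pts/0 ; PWD=/home/mylinuxbook ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 11:02:09 host sudo: guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/su
Mar  3 11:40:52 host sudo: mylinuxbook : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/mylinuxbook ; USER=root ; COMMAND=/usr/sbin/visudo
"""

# timestamp host sudo: user : [error ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$"
)


def sudo_activity(log_text):
    """Group sudo log entries by invoking user into allowed and denied runs."""
    report = defaultdict(lambda: {"allowed": [], "denied": []})
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:  # PAM session lines and lines from other services
            continue
        entry = (m["ts"], m["runas"], m["cmd"])
        if m["error"]:
            # sudo puts the refusal reason before the TTY field
            report[m["user"]]["denied"].append(entry + (m["error"],))
        else:
            report[m["user"]]["allowed"].append(entry)
    return dict(report)


if __name__ == "__main__":
    for user, runs in sudo_activity(SAMPLE_LOG).items():
        print(user, runs)
```
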

    Q7. Can any user perform sudo operations?

    Answer. No, only trusted users or sudoers can perform sudo operations. Here is the official page which describes how and what a sudoer user can do.

    Q8. I'm interested in su. How can I customize the use of su in a way that achieves similar functionality to sudo?

    Answer. If you're running su, that means you already have the root password set up. To achieve functionality similar to sudo, i.e. to run just one command with root privileges using su, all you need to do is use the -c option of the su command.

    Here is an example:

    $ su -c "apt-get install skype"
    Password:

    Just enter the password and only this command will run with superuser privileges. This works the same way as sudo; the only difference is that you need to enter the root password instead of the current user's password.

    Q9. I work with sudo. How can I tweak the use of sudo to achieve the same functionality as su?

    Answer. To achieve su functionality via sudo, try the -i option of the sudo command.

    Here is an example:

    $ sudo -i
    password for mylinuxbook:
    root@mylinuxbook-Inspiron-1525:~#

    You see that with "sudo -i" the switch to the root account was performed, although the password entered was that of the current user (mylinuxbook in this case).

    Q10. The root password of my account has not yet been activated. Can I use sudo to enable the superuser password?

    Answer. To activate the password for the superuser, you can use the command passwd in the following way:

    $ sudo passwd root

    This command requires root access, so you will need to use sudo.

    Q12. Can I use sudo to grant special permissions to users?

    Answer. The configuration file for sudo is /etc/sudoers. It should not be edited directly with an ordinary editor; the visudo command is recommended for this purpose.

    Here is the exact command:

    $ sudo visudo

    and this is what you get:

    This command opens a temporary /etc/sudoers.tmp file in the nano editor for editing. visudo makes sure there is no conflict when multiple instances of the same file are edited at once.

    To understand how to grant limited rights, study the structure of this configuration file.
