Linux commands – su, su -, sudo

The biggest difference between the sudo and su commands is:

The sudo command requires the password of the current user, whereas the su command requires the password of the root user. Another difference is their default behavior: sudo runs a single command with elevated privileges, whereas su starts a new shell in which any number of commands can be run as root until you explicitly log out.

su is used to switch to a different user identity.

By default (su without the hyphen), only the identity is switched; the environment variables are not, and remain those of the ordinary user. With su - the environment variables are also switched to the new user's, so the "-" should not be omitted, otherwise some operations cannot be performed.

su root prompts for the root password and switches to the root user, but the working directory shown by pwd remains unchanged.

su - root prompts for the root password and switches to the root user, and the working directory shown by pwd becomes /root.

sudo is usually followed by a command.

sudo -i root has the same effect as sudo - root, sudo -i, sudo -, and sudo root. When prompted for a password, enter the password of the current account; the user running the command must be in sudoers. What su needs is the password of the account being switched to, and its usage is "su account-name".

sudo: temporarily switch to super-user mode to execute a command with super-user privileges; this generally means the root user. When prompted for a password, enter the current user's password, not the password of the super-user account. There is a time limit, however: Ubuntu defaults to a 15-minute session.

su: switch to a certain user's mode. When prompted for a password, enter the password of the account being switched to. The usage is "su account-name". If no account is given, the system defaults to the root account, and the password is then the super-user account's password. There is no time limit.

sudo -i: to repeatedly run commands that only the super user may execute, without entering a password every time, use this command. When prompted for a password, enter the current account's password. There is no time limit. After running it, the prompt changes from "$" to "#". To return to the normal account, run "exit" or "logout". The user running this command must be in sudoers.

sudo -i runs the sudo command directly with the -i parameter. The user running it must be in sudoers.

sudo su runs su through sudo: sudo elevates the su command, which then starts a root shell. The user running this must be in sudoers.

Foreword

The default account on most Linux distributions is an ordinary user. Changing system files or executing certain commands requires the root identity, which means switching from the current user to root.

There are two commands for switching user identity: su [-] username and sudo.

The difference between su and su -

su switches only the identity to root; the shell environment is still the ordinary user's shell. At this point pwd shows that the working directory is still the ordinary user's working directory.

su - switches both the user and the shell environment to root. Only when the shell environment is also switched are the PATH-related errors avoided. pwd now shows root's working directory. Run echo $PATH to see how the environment variables differ after su and after su -.

bash-4.2$ echo $PATH
  /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
[root@localhost ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Likewise, to switch from the current user to any other user, use su - username.
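As an added example (this is not code from the original post), the following POSIX shell script takes the two PATH values shown in the session above and lists the directories that only the login shell from su - provides, then checks whether a command given by its full path, such as /sbin/fdisk, can be started by its bare name under each PATH. The function names are this example's own, and both PATH strings are copied from the session above as constructed input rather than read from a live system.

```shell
#!/bin/sh
# Added example, not from the original post: why commands "disappear" after a
# plain "su". The two PATH strings are the ones shown in the post's terminal
# session (constructed input for this script, not read from the system).
SU_PATH='/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin'
SU_LOGIN_PATH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin'

# path_missing_dirs OLD NEW
# Prints, space separated and in NEW's order, every directory that NEW has
# and OLD lacks. Runs in a subshell so changing IFS does not leak out.
path_missing_dirs() (
    old=":$1:"
    out=''
    IFS=:
    for d in $2; do
        case $old in
            *":$d:"*) ;;                     # OLD already has this directory
            *) out="${out:+$out }$d" ;;      # only NEW has it
        esac
    done
    printf '%s\n' "$out"
)

# cmd_reachable PATH /full/path/to/command
# Succeeds if the command's directory is on PATH, i.e. the command can be
# started by its bare name from that shell.
cmd_reachable() {
    case ":$1:" in
        *":${2%/*}:"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Demo: what the non-login su shell is missing, and whether fdisk (listed as
# /sbin/fdisk in the STORAGE alias of the sudoers file) resolves under each PATH.
echo "Directories only su - provides: $(path_missing_dirs "$SU_PATH" "$SU_LOGIN_PATH")"
for p in "$SU_PATH" "$SU_LOGIN_PATH"; do
    if cmd_reachable "$p" /sbin/fdisk; then
        echo "fdisk found by name with PATH=$p"
    else
        echo "fdisk NOT found by name with PATH=$p"
    fi
done
```

On this system the plain su shell lacks /sbin, /bin and /root/bin, which is exactly why an administrative command such as fdisk is "not found" until su - (a login shell) rebuilds PATH.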

The difference between su and sudo

su or su - can switch user identity, and any user can switch to root as long as they know the root password. This is very unsafe: if any user accidentally leaks the root password, it is game over.

This led to the improved command, sudo.

With sudo, a user can execute a command that only root may run, but a password is required. Note that the password here is no longer the root password but the user's own. By default, only the root user can run sudo commands; for ordinary users to use sudo, root must grant it in advance. This is done by editing /etc/sudoers with the visudo command, which locks the file and checks its syntax before saving. (It seems you can also edit /etc/sudoers directly with vi, but then you lose that syntax check.)

The contents of the /etc/sudoers file are as follows:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

#Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Focus on the following two points

① Here a single user can be configured. The three columns represent, in order: the user name; something I don't know (it is just written this way); and which commands that user may run with sudo.

② If there are hundreds or thousands of users, you cannot write them one by one... By adding users to the wheel group, all of them get sudo rights (the %wheel ALL=(ALL) ALL line).
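As an added example (not the page's code and not sudo's own implementation), here is a small POSIX shell evaluator for rule lines of the form user HOST=(RUNAS) [NOPASSWD:] COMMANDS, covering both the "root ALL=(ALL) ALL" line discussed above and the %wheel group rule. The first column is the user or %group, the second the host on which the rule applies, with the optional target user in parentheses after the =, and the third the allowed commands. The sample rules, the group membership table, the host names and the user names are all constructed for this example. The evaluator is a simplification of sudo (no aliases, wildcards, negation or #includedir), but it follows sudo in that a command listed without arguments allows any arguments, a command listed with arguments must match exactly, and the last matching rule decides.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny evaluator for sudoers rules
# of the form "user HOST=(RUNAS) [NOPASSWD:] COMMANDS". It answers "may USER run
# CMD as root on HOST, and does it need a password?" so the three columns can
# be seen at work. Simplification of sudo: no aliases, wildcards, negation or
# #includedir; like sudo, the last matching rule wins.

# Constructed sample rules (not a real /etc/sudoers); users and hosts are made up.
SUDOERS='
# comment lines are ignored
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(ALL) /usr/bin/systemctl restart httpd
bob     localhost=/sbin/shutdown -h now
dave    ALL=(root) /usr/bin/yum
%users  ALL=NOPASSWD: /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
'

# Constructed group membership standing in for /etc/group: group:member,member
GROUP_DB='wheel:carol
users:alice,bob,erin'

# in_group USER GROUP -> success if USER is listed under GROUP in GROUP_DB
in_group() {
    while read -r entry; do
        [ "${entry%%:*}" = "$2" ] || continue
        case ",${entry#*:}," in *",$1,"*) return 0 ;; esac
    done <<EOF
$GROUP_DB
EOF
    return 1
}

# cmd_matches SPEC CMD -> success if one entry SPEC from the COMMANDS column
# covers the requested command line CMD. As in sudo, a spec with arguments must
# match the whole line exactly; a spec without arguments allows any arguments.
cmd_matches() {
    [ "$1" = ALL ] && return 0
    [ "$1" = "$2" ] && return 0
    case $1 in *' '*) return 1 ;; esac      # spec carries arguments: exact only
    [ "$1" = "${2%% *}" ]                    # bare spec: compare the command path
}

# sudoers_allows USER HOST CMD -> prints "allow", "allow NOPASSWD" or "deny"
sudoers_allows() {
    user=$1 host=$2 cmd=$3 verdict=deny
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                        # split on whitespace: who, then the rest
        who=$1; shift; rest=$*
        spec=${rest%%=*}; rhs=${rest#*=}
        # column 1: user name or %group
        case $who in
            %*) in_group "$user" "${who#%}" || continue ;;
            *)  [ "$who" = "$user" ] || continue ;;
        esac
        # column 2: host before '=', optional (RUNAS) after it; we only ask about
        # running as root, so a RUNAS other than ALL or root cannot match
        [ "$spec" = ALL ] || [ "$spec" = "$host" ] || continue
        runas=root
        case $rhs in
            \(*) runas=${rhs%%\)*}; runas=${runas#\(}; rhs=${rhs#*\)}; rhs=${rhs# } ;;
        esac
        [ "$runas" = ALL ] || [ "$runas" = root ] || continue
        tag=''
        case $rhs in
            NOPASSWD:*) tag=' NOPASSWD'; rhs=${rhs#NOPASSWD:}; rhs=${rhs# } ;;
        esac
        # column 3: comma separated command specs
        while [ -n "$rhs" ]; do
            case $rhs in
                *,*) c=${rhs%%,*}; rhs=${rhs#*,} ;;
                *)   c=$rhs; rhs='' ;;
            esac
            c=${c# }; c=${c% }
            cmd_matches "$c" "$cmd" && verdict="allow$tag"
        done
    done <<EOF
$SUDOERS
EOF
    printf '%s\n' "$verdict"
}

# Demo runs: each answer is decided by the three columns of the matching rule.
echo "alice restart httpd on web1: $(sudoers_allows alice web1 '/usr/bin/systemctl restart httpd')"
echo "bob shutdown on web1:        $(sudoers_allows bob web1 '/sbin/shutdown -h now')"
echo "erin mount cdrom on web1:    $(sudoers_allows erin web1 '/sbin/mount /mnt/cdrom')"
```

For the real file, visudo -c checks /etc/sudoers for syntax errors without editing it, and sudo -l shows the rules that apply to the calling user; the evaluator above is for understanding the columns, not a replacement for those checks.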