I have been confused about the two commands su and sudo before. Recently, I searched for information on this topic and finally figured out the relationship between the two and how to use them, so I am writing this article to summarize it systematically.
1. Preparations
Because this blog involves user switching, I need to prepare a few test users in advance to facilitate subsequent switching.
The command to create a new user in Linux is useradd. Generally, the directory containing this command is in the PATH environment variable; if entering useradd directly does not work, use the absolute path /usr/sbin/useradd.
The useradd command can only be executed by the root user. Let's switch from the common user ubuntu to the root user (how to switch is introduced later):
ubuntu@VM-0-14-ubuntu:~$ su -
Password:    # enter the root user's login password
root@VM-0-14-ubuntu:~# useradd -m test_user    # the -m parameter also creates the home directory
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu    # there are now two users under the /home directory
Because the login password for the newly created user test_user has not been set yet, we cannot switch from the common user ubuntu to test_user, so next we need to use root to set the login password of test_user. This requires the passwd command:
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password:    # type the password for test_user
Retype new UNIX password:
passwd: password updated successfully
root@VM-0-14-ubuntu:~#
Then we enter exit to return from the root user to the normal user ubuntu:
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
It can be seen that the prefix of the command prompt has changed from root to ubuntu, indicating that our current identity is the ubuntu user.
2. Introduction and main usage of su command
First of all, we need to explain what su means.
I used to think that su means super user, but after consulting the documentation I realized that it means "switch user".
Once you know what su abbreviates, the function it provides is obvious: switching users.
2.1 The - parameter
The general usage of su is:
su <user_name>
or
su - <user_name>
The two forms differ by only one character, -, but the difference in behaviour is relatively large:
If the - parameter is added, it is a login-shell method, which means that after switching to another user
If the - parameter is not added, it is a non-login-shell method, which means that I have switched to
The explanation alone is rather abstract; it is easier to understand with an example.
We first switch from the ubuntu user to the root user in the form of non-login-shell, and compare the value of PWD in the environment variables of the two user states (su
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu    # PWD is /home/ubuntu
HOME=/home/ubuntu
# ... (omitted)
ubuntu@VM-0-14-ubuntu:~$ su    # non-login-shell mode
Password:    # enter the root user's login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu    # PWD is still /home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu#
We have indeed switched to the root user, but the variables in the shell environment have not changed; the environment variables of the previous ubuntu user are still in use.
Then we switch from the ubuntu user to the root user in the form of login-shell, and again compare the values of PWD in the environment variables of the two users:
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu    # PWD is /home/ubuntu
HOME=/home/ubuntu
# ... (omitted)
ubuntu@VM-0-14-ubuntu:~$ su -    # login-shell mode
Password:
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root    # PWD has become /root
HOME=/root
MAIL=/var/mail/root
LOGNAME=root
root@VM-0-14-ubuntu:~#
You can see that if you switch users with login-shell, the environment variables in the shell change as well.
"Summary": Which method to use to switch users depends on individual needs:
If you don't want the settings of your current user to become unavailable after switching to another user, use the non-login-shell method;
If you need the environment variables of the target user after switching (the environment variable settings of different users are generally different), use the login-shell method.
2.2 Switch to a specified user
As mentioned above, if the su command is not followed by any
ubuntu@VM-0-14-ubuntu:~$ su -
Password:    # root user's password
root@VM-0-14-ubuntu:/home/ubuntu#
Because we created the test_user user in section 1. Preparations, and we also know the login password of test_user (set by the root user), we can switch from the ubuntu user to test_user:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:    # test_user's password
$
2.3 The -c parameter
In the previous method, we first switch to another user (root or test_user), execute the command as that user, and finally enter exit to return to the current ubuntu user.
Another way is to not switch users at all: you execute the command as another user directly from the current user, and return to the current user as soon as execution is complete. This requires the -c parameter.
The specific usage is:
su - -c "command string"    # execute "command string" as root
Let's see an example:
ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied    # the ubuntu user cannot read /etc/shadow directly
ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password:    # enter the root user's password
ubuntu:$1$fZKcWEDI$uwZ64uFvVbwpHTbCSgim0/:18352:0:99999:7:::
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$    # back to the ubuntu user immediately after execution, not root
This execution method is very similar to the sudo command introduced later: it is a temporary request for root privileges. But there are still differences, which we will look at later.
3. Sudo command introduction and main usage
First of all, let's explain what the sudo command means.
The full English name of sudo is super user do, that is, execute a command as the super user (the root user). The su in sudo therefore stands for super user, which is different from the switch user represented by the su command introduced earlier; the two are easy to confuse, so this needs to be noted.
We start by explaining what the sudo command can do, then why it can do it, and how it does it.
Let's start.
3.1 Main usage
We often encounter Permission denied in Linux, such as when viewing the content of /etc/shadow as the ubuntu user, because this file can only be read by the root user.
So what if we want to check it anyway? Then you can use sudo:
ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied    # no permission
ubuntu@VM-0-14-ubuntu:~$ sudo !!    # sudo followed by two exclamation points
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$
In the example we used the trick sudo !!, which repeats the previously entered command with sudo added in front of it.
Because I have already configured sudo to not require a password, sudo !! here prints the content directly. If this is not configured, you need to enter the password of the current user; in this example, I would enter the login password of the ubuntu user.
For two adjacent sudo operations, if the interval between them is within 5 minutes, the second sudo does not require the password to be entered again; if the interval exceeds 5 minutes, you must enter the password again the next time you use sudo. A more convenient way is therefore to configure sudo to work without a password; how to set this up is described later.
In addition to executing commands with root privileges, sudo has several other usages, which are briefly introduced here.
Switch to the root user:
sudo su -
This also switches to the root user in the login-shell way, but it differs from su -:
After entering sudo su -, you need to provide the login password of the current user, that is, the password of the ubuntu user;
After entering su -, you need to provide the login password of the root user.
And one more command:
sudo -i
This command has the same effect as sudo su -: it also switches to the root user, and also requires the login password of the current user (the ubuntu user).
We now switch to the test_user user and try to display the contents of the /etc/shadow file:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:    # password for test_user
$ sudo cat /etc/shadow
[sudo] password for test_user:    # password for test_user
test_user is not in the sudoers file.  This incident will be reported.
$
We see the error message on the penultimate line and cannot see the content of /etc/shadow. Why can ubuntu use sudo but test_user cannot?
This comes down to how sudo works.
3.2 How sudo works
Whether a user can use the sudo command depends on the settings in the /etc/sudoers file.
In section 3.1 we saw that the ubuntu user can use sudo normally but test_user cannot, because test_user is not configured in the /etc/sudoers file.
/etc/sudoers is also a text file, but because of its specific syntax we should not edit it directly with vim or vi; instead we use the visudo command, which locks the file and checks its syntax before saving. After entering this command, you can edit the /etc/sudoers file directly.
It should be noted that only the root user has permission to use the visudo command.
Let's first look at what is displayed after entering the visudo command.
Enter (as the root user):
root@VM-0-14-ubuntu:~# visudo
Output:
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
The format of each line is as follows:
1. The first field is the user name, such as root, ubuntu and so on;
2. The ALL on the left side of the equal sign means that this rule applies to the user no matter which host they log in from;
3. The ALL in parentheses on the right side of the equal sign means that the user at the beginning of the line can run commands as any other user in the system;
4. The ALL at the end of the line is the command list; it means that the user at the beginning of the line can issue any command (as the root user).
We also notice that there is a NOPASSWD keyword in the line corresponding to ubuntu, which means that the ubuntu user does not need to enter a password when requesting sudo; this explains the earlier observation.
At the same time, we notice that there is no line corresponding to test_user in this file, which explains why test_user cannot use the sudo command.
Next, we try to add test_user to the /etc/sudoers file so that test_user can also use the sudo command. We add the following as the last line:
test_user ALL=(ALL:ALL) ALL    # test_user must provide its own password to use sudo
Next, we execute sudo under the test_user account:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow    # with sudo added
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
$
As you can see, sudo is now available to test_user.
3.3 Thinking
We have already seen that if a user is in the /etc/sudoers file, it has sudo privileges and can switch to the root user with a command such as sudo su - or sudo -i; the user then effectively becomes root. Does this not pose a great threat to the system?
Indeed it does. So if you edit the /etc/sudoers file to give a certain user sudo permission, you must make sure that user is "trusted" and will not cause malicious damage to the system; otherwise, granting that user all root permissions is very dangerous.
Of course, the root user can also edit /etc/sudoers so that the user only has partial permissions, that is, only a small number of commands can be executed. Interested readers can refer to the second article in the Reference section, which is not repeated in this article.
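As an added example (not code from the original post), the following shell script parses sudoers user specifications in the format explained in section 3.2 and lists the grants that section 3.3 warns about: passwordless grants and grants of ALL commands. The sample sudoers content is constructed to match the post's listing plus one restricted entry (backup), and the parser assumes the compact host=(runas) form shown in the post.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Parses sudoers-style user
# specifications into "user host runas tag commands" so that passwordless and
# all-command grants can be reviewed. Assumes the compact "host=(runas)" form
# shown in the post (no spaces inside the parentheses); Defaults, alias and
# #include lines are skipped rather than interpreted.

# Constructed sample modelled on the post's /etc/sudoers listing, plus one
# restricted entry (backup) of the kind section 3.3 mentions.
SUDOERS_SAMPLE='# User privilege specification
root      ALL=(ALL:ALL) ALL
%admin    ALL=(ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
ubuntu    ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL
backup    ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
#includedir /etc/sudoers.d'

# Print one "user host runas tag commands" line per user specification.
parse_sudoers() {
  printf '%s\n' "$1" | sed 's/=/ = /' | awk '
    NF == 0 || $1 ~ /^#/ { next }                  # blanks, comments, #include*
    $1 == "Defaults" || $1 ~ /_Alias$/ { next }    # not user specifications
    {
      i = 4; runas = "root"; tag = "PASSWD"        # sudoers defaults
      if (substr($i, 1, 1) == "(") {               # optional (user:group)
        runas = $i; gsub(/[()]/, "", runas); i++
      }
      if ($i == "NOPASSWD:") { tag = "NOPASSWD"; i++ }
      cmds = $i
      for (i++; i <= NF; i++) cmds = cmds " " $i
      print $1, $2, runas, tag, cmds
    }'
}

# Users or groups that can run any command without a password (the post's ubuntu line).
passwordless_all() {
  parse_sudoers "$1" | awk '$4 == "NOPASSWD" && $5 == "ALL" { print $1 }'
}

# Every spec whose command list is ALL is a full root grant, with or without
# a password prompt (the concern raised in section 3.3).
full_root_grants() {
  parse_sudoers "$1" | awk '$5 == "ALL" { print $1 }'
}
```

To review a real system, run parse_sudoers "$(cat /etc/sudoers)" as root; files under /etc/sudoers.d are not followed by this helper.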
4. Comparison of the differences between the two
We have seen:
Using su - and providing the password of the root account, you can switch to the root user;
Using sudo su - and providing the password of the current user, you can also switch to the root user.
The difference between the two methods is also obvious: if many users need to use our Linux system, the former requires all users to know the root password, which is obviously very dangerous; the latter does not need to expose the root password. Each user only needs to enter their own account password, and which users can switch to root is completely controlled by root (by setting /etc/sudoers), so the system is much safer.