I have been confused about the two commands su and sudo before. Recently, I searched for information on this topic and finally figured out the relationship and usage of the two. This article summarizes them systematically.
Preparation
Because this blog involves user switching, I need to prepare a few test users in advance to facilitate subsequent switching.
The command for creating a new user in Linux is useradd. Generally, the path corresponding to this command in the system is in the PATH environment variable. If directly typing useradd does not work, use the absolute path name: /usr/sbin/useradd.
The useradd command can only be executed by the root user. Let's switch from the ordinary user ubuntu to the root user (how to switch will be introduced later):
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # enter the root user's login password
root@VM-0-14-ubuntu:~# useradd -m test_user # with the -m parameter
root@VM-0-14-ubuntu:~# ls /home
test_user ubuntu # there are now two users under /home
Because no login password has been set for the newly created user test_user, we cannot switch from the normal user ubuntu to test_user yet. So next, we use root to set the login password of test_user with the passwd command:
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: # enter test_user's password
Retype new UNIX password:
passwd: password updated successfully
root@VM-0-14-ubuntu:~#
Then we enter exit to leave the root user and return to the ordinary user ubuntu:
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
As you can see, the command prompt has changed from root to ubuntu, indicating that our current identity is the ubuntu user.
Introduction and main usage of su command
First, we need to explain what su means.
I always thought that su stood for super user, but after looking it up, I realized that it means switch user. Once you know what su abbreviates, the function it provides is obvious: switching users.
The - parameter
The general usage of su is:
su <user_name>
or
su - <user_name>
The two forms differ by only one character, -, but the difference in behaviour is large:
- If the - parameter is added, it is a login-shell switch, which means that after switching to <user_name>, the current shell loads the environment variables and various settings of <user_name>;
- If the - parameter is not added, it is a non-login-shell switch, which means that we have switched to <user_name>, but the current shell still carries the environment variables and various settings of the user before the switch.
This explanation is rather abstract; an example makes it easier to understand.
We first switch from the ubuntu user to the root user in the non-login-shell way and compare the value of PWD in the environment variables of the two user states (when su is not followed by any <user_name>, it switches to the root user by default):
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu # is /home/ubuntu
HOME=/home/ubuntu
# omitted......
ubuntu@VM-0-14-ubuntu:~$ su # non-login-shell method
Password: # enter the root user's login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu # still /home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu#
We did switch to the root user, but the variables in the shell environment have not changed, and the environment variables of the previous ubuntu user are still used.
Then we switch from the ubuntu user to the root user in the login-shell way, and again compare the value of PWD in the environment variables of the two user states:
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu # is /home/ubuntu
HOME=/home/ubuntu
# omitted.......
ubuntu@VM-0-14-ubuntu:~$ su - # login-shell method
Password:
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root # has changed to /root
HOME=/root
MAIL=/var/mail/root
LOGNAME=root
root@VM-0-14-ubuntu:~#
You can see that if you switch users by login-shell, the environment variables in the shell are also changed.
Summary: which method to use for switching users depends on personal needs:
- If you don't want your settings under the current user to become unavailable after switching to another user, use the non-login-shell method;
- If you need the various environment variables of the target user after switching (the environment variable settings of different users are generally different), then use the login-shell method.
Switch to the specified user
As mentioned earlier, if the su command is not followed by any <user_name>, then the default is to switch to the root user:
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # root user's password
root@VM-0-14-ubuntu:~#
Because we created a new test_user user in the preparation section, and we also know the login password of test_user (set by the root user), we can switch from the ubuntu user to the test_user user:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user's password
$
-c parameter
In the previous method, we first switch to another user (root or test_user), execute commands as that user, and finally enter exit to return to the ubuntu user.
There is another way: you do not need to switch users before executing the command. You can execute the command directly from the current user as another user, and return to the current user once the execution is over. This requires the -c parameter.
The specific usage is:
su - -c "command" # execute "command" as root
Let's look at an example:
ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
# the ubuntu user cannot read the contents of /etc/shadow directly
ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password: # enter the root user's password
ubuntu:$1$fZKcWEDI$uwZ64uFvVbwpHTbCSgim0/:18352:0:99999:7:::
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$ # returns to the ubuntu user immediately after execution, not the root user
This execution method is very similar to the sudo command that will be introduced later: it is a temporary request for root user permissions. But there are still differences, which we will come back to.
sudo command introduction and main usage
First of all, explain what the sudo command means.
The full English name of sudo means to execute commands as a super user (root user). The su in sudo is therefore different from the switch user of su introduced before. This point needs attention, as it is easy to confuse the two.
We first introduce what the sudo command can do, and then explain why and how to do it. let's begin.
Main usage
We often encounter Permission denied in Linux, such as viewing the contents of /etc/shadow as an ubuntu user. Because the content of this file can only be viewed by the root user.
What if we want to view it? You can use sudo at this time:
ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied # 没有权限
ubuntu@VM-0-14-ubuntu:~$ sudo !! # followed by two exclamation marks
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$
In the example, we used sudo !!. This little trick means: repeat the command entered above, but add sudo at the beginning of it.
Because I have configured the sudo command to not require a password, sudo !! here can directly output the content. If it is not configured this way, you need to enter the password of the current user. In this example, I would enter the login password of the ubuntu user.
For two adjacent sudo operations, if the interval is within 5 minutes, the second sudo does not need the password to be re-entered; if it exceeds 5 minutes, the password must be entered again on the next sudo. So a more convenient method is to configure sudo to run without a password. How to set that up is described later.
In addition to executing commands with root user authority, sudo has several other uses, which are briefly introduced here.
Switch to the root user:
sudo su -
This method also switches to the root user via a login-shell, but it differs from the su - method:
- After entering sudo su -, you need to provide the login password of the current user, that is, the password of the ubuntu user;
- After entering su -, you need to provide the login password of the root user.
There is also a command:
sudo -i
This command has the same effect as sudo su -. It also switches to the root user and also needs to provide the login password of the current user (ubuntu user).
We now switch to the test_user user and try to display the contents of the /etc/shadow file:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user's password
$ sudo cat /etc/shadow
[sudo] password for test_user: # test_user's password
test_user is not in the sudoers file. This incident will be reported.
$
We will see the error message in the penultimate line. We cannot view the content of /etc/shadow. Why? Why can ubuntu use sudo but not test_user?
This involves the working principle of sudo.
How sudo works
Whether a user can use the sudo command depends on the settings in the /etc/sudoers file.
We have seen from the previous section that ubuntu users can use sudo normally, but test_user users cannot use it. This is because test_user is not configured in the /etc/sudoers file.
/etc/sudoers is also a text file, but because it has its own specific syntax, we do not edit it directly with vim or vi; we use the visudo command instead. After entering this command, you can edit the /etc/sudoers file directly.
It should be noted that only the root user has the authority to use the visudo command.
Let's first look at the content displayed after entering the visudo command.
Enter (root user):
root@VM-0-14-ubuntu:~# visudo
Output:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
Explanation of the format of each line:
- The first field is the user name, such as root or ubuntu;
- The ALL to the left of the equals sign means the current user account is allowed from any host;
- The ALL to the right of the equals sign means the user at the start of this line can switch to any other user on the system;
- The ALL at the end of the line indicates which commands the user at the start of the line may issue as the root user; ALL means any command may be issued.
We also notice that there is a NOPASSWD keyword in the line for ubuntu, which means that the user ubuntu does not need to enter a password when using sudo. This explains the earlier question.
At the same time, we noticed that there is no line corresponding to test_user in this file, which explains why test_user cannot use the sudo command.
Next, we try to add test_user to the /etc/sudoers file so that test_user can also use the sudo command. We add in the last line:
test_user ALL=(ALL:ALL) ALL
# test_user must provide test_user's password to use sudo
Next, we will execute sudo under the test_user account:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow # with sudo
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
$
As you can see, sudo can now be used.
Thoughts
We have already seen that if a user is in the /etc/sudoers file, it has sudo privileges and can switch to the root user through commands such as sudo su - or sudo -i. This user then effectively becomes the root user. Doesn't that pose a big threat to the system?
In fact, it does. So if you edit the /etc/sudoers file to grant a certain user sudo permissions, you must make sure that the user is trustworthy and will not cause malicious damage to the system; otherwise, granting all root permissions to that user is very dangerous.
Of course, the root user can also edit /etc/sudoers so that the user has only some permissions, that is, only a small number of commands can be executed.
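To make the line format explained above concrete, here is an added example (not code from the original post, and not sudo's own implementation): a small Python evaluator for sudoers-style rules. Given a sudoers text and group membership, it answers whether a user may run a given command as root and whether a password is required, following sudo's rule that the last matching entry wins, and it lists every principal that has been granted ALL commands so that passwordless full-root grants stand out. The sample sudoers is the visudo output from the post plus two constructed lines: a Defaults timestamp_timeout setting (the real sudoers option that controls the password cache interval discussed earlier) and an auditor user restricted to two commands, which illustrates the "only a small number of commands" case. The auditor user, the group membership table and the function names are assumptions; only the line shape explained in the post is parsed, not the full sudoers(5) grammar.

```python
"""Evaluate sudoers-style rules: who may run what as root, and whether a
password is required.  Added example, not code from the original post or
from the sudo project; it understands only the line shape explained in the
post (user or %group, host=(runas[:group]), optional NOPASSWD:, command
list) plus 'Defaults timestamp_timeout', not the full sudoers(5) grammar."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the visudo output shown in the post, plus a Defaults line
# and an 'auditor' user limited to two commands (both lines are assumptions).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults    timestamp_timeout=5
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
auditor ALL=(root) /usr/bin/tail /etc/shadow, /usr/bin/last
"""
# The line the post appends so that test_user can use sudo.
SAMPLE_SUDOERS_WITH_TEST_USER = SAMPLE_SUDOERS + "test_user ALL=(ALL:ALL) ALL\n"

# Constructed group membership (what /etc/group would supply for %group rules).
SAMPLE_GROUPS = {"sudo": {"ubuntu"}, "admin": set()}

RULE_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Rule:
    who: str          # user name, or %group
    host: str         # ALL or a host name
    runas: str        # user part of (runas:group)
    nopasswd: bool    # NOPASSWD: tag present
    commands: list    # ["ALL"] or command entries, arguments optional


@dataclass
class Decision:
    allowed: bool
    password_required: bool
    rule: Optional[Rule]   # the rule that decided, None when nothing matched


def parse_sudoers(text):
    """Return (rules, defaults). Comment and #include lines are skipped."""
    rules, defaults = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            for item in line.split()[1:]:
                key, _, value = item.partition("=")
                defaults[key] = value
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        rules.append(Rule(
            who=m["who"], host=m["host"],
            runas=m["runas"].split(":")[0].strip() or "root",
            nopasswd="NOPASSWD:" in m["tags"],
            commands=[c.strip() for c in m["cmds"].split(",")]))
    return rules, defaults


def _command_matches(entry, command):
    if entry == "ALL":
        return True
    # An entry without arguments matches the command with any arguments;
    # an entry that lists arguments must match the whole command line exactly.
    return entry.split(None, 1)[0] == command.split(None, 1)[0] and (
        " " not in entry or entry == command)


def check(rules, user, groups, command, hostname="localhost"):
    """Decide whether `user` may run `command` as root.
    As in sudo, when several rules match, the last one wins."""
    decision = Decision(False, True, None)
    for rule in rules:
        who_ok = rule.who == user or (
            rule.who.startswith("%") and user in groups.get(rule.who[1:], ()))
        host_ok = rule.host in ("ALL", hostname)
        runas_ok = rule.runas in ("ALL", "root")
        if who_ok and host_ok and runas_ok and any(
                _command_matches(e, command) for e in rule.commands):
            decision = Decision(True, not rule.nopasswd, rule)
    return decision


def audit_full_root(rules):
    """List principals that may run ALL commands as root, flagging NOPASSWD."""
    return [(r.who, r.nopasswd) for r in rules
            if "ALL" in r.commands and r.runas in ("ALL", "root")]


if __name__ == "__main__":
    rules, defaults = parse_sudoers(SAMPLE_SUDOERS_WITH_TEST_USER)
    print("password cache (minutes):", defaults.get("timestamp_timeout"))
    for user in ("ubuntu", "test_user", "auditor", "nobody"):
        d = check(rules, user, SAMPLE_GROUPS, "/usr/bin/tail -n 3 /etc/shadow")
        print(f"{user:10} allowed={d.allowed} password={d.password_required}")
    print("full root grants:", audit_full_root(rules))
```

Running the block reproduces the post's observations: ubuntu gets through without a password because its own NOPASSWD line is the last match, test_user is refused until its line is present and then still has to type a password, and auditor may run exactly the listed commands and nothing else. The audit_full_root list is the part a defender cares about when reviewing a sudoers file: every entry there is equivalent to handing out root.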
The difference between the two
We have already seen:
- Using su - and providing the password of the root account, you can switch to the root user;
- Using sudo su - and providing the password of the current user, you can also switch to the root user.
- The difference between the two methods is obvious: if our Linux system has many users who need this, the former requires all of them to know the root user's password, which is clearly very dangerous; the latter does not expose the root account password at all. Each user only enters their own account password, and which users may switch to root is completely controlled by root (through the settings in /etc/sudoers), so the system is much safer.
It is generally recommended to use sudo.
Have you learned it? If it helped you, you can forward it to your circle of friends to support it.
Source: https://tanjuntao.github.io/