Sudo and Su

su is a program that you can run on the command line at a terminal to log in as a user other than the current user. You will need to know the password of the user that you are switching to. For example, if you want to log in as the root user and you know the root password:

[bradr@ssh8-2 ~]$ su root
Password: 

[root@ssh8-2:0 bradr]# 

As mentioned in the last section, you don't necessarily need to log in as the root user or even use the root password to access some root privileges. This is done with the command sudo. Sudo elevates your privileges to the root user for the running of one command. For instance, installing tmux does not work if I use my own user:

[bradr@localhost ~]$ apt install tmux
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?


However, if I use sudo I can do it, and I don't even need the root password; I can just use my own password.

[bradr@localhost ~]$ sudo apt install tmux
[sudo] password for bradr: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  tmux
0 upgraded, 1 newly installed, 0 to remove and 14 not upgraded.
Need to get 0 B/428 kB of archives.
After this operation, 1,051 kB of additional disk space will be used.
Selecting previously unselected package tmux.
(Reading database ... 279100 files and directories currently installed.)
Preparing to unpack .../tmux_3.2a-4ubuntu0.1_amd64.deb ...
Unpacking tmux (3.2a-4ubuntu0.1) ...
Setting up tmux (3.2a-4ubuntu0.1) ...
Processing triggers for man-db (2.10.2-1) ...


I can also start an interactive sudo session, similar to using su, but I use my user's password instead of the root password. This is done with the --login flag, or just sudo -i.


Now, importantly, not every user has sudo privileges. If you try to use sudo but are not authorized, you will get the error message:

[bradr@ssh8-2 ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bradr: 
bradr is not in the sudoers file.  This incident will be reported.


The sudoers file mentioned in that message is edited with the command visudo. Typically, this file will have a line that says which group or groups have sudo access. There are other configuration options, for instance whether or not to require a password. To grant a user sudo access, you would add them to the privileged group. The exact group differs slightly by Linux distribution. Red Hat and Arch distributions typically use the wheel group, whereas Debian derivatives, like Ubuntu, typically use the sudo group. You can use visudo to see what the sudo group is; a privileged user can then add a new user to that group with, for example, usermod -a -G wheel username on a system where wheel is the privileged group.
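To make the group lines described above concrete, here is an added example (not from the original page) that reads a sudoers-style file and reports which groups it grants sudo to and which of those skip the password prompt. The function names, the sample file contents and the %deploy rule are constructed for illustration; on a real system you would inspect /etc/sudoers through visudo instead.

```shell
#!/bin/sh
# Added example: audit which groups a sudoers-style file grants sudo to.

# Constructed sample modelled on common distribution defaults.
sample_sudoers() {
cat <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
%deploy ALL=(ALL) NOPASSWD: ALL
EOF
}

# Print each group (without the leading %) that has an active rule in file $1.
# Lines starting with '#' are comments, so a commented-out %wheel is skipped.
sudo_groups() {
    awk '/^[[:space:]]*%/ { sub(/^%/, "", $1); print $1 }' "$1" | sort -u
}

# Print groups whose rule carries NOPASSWD:, i.e. no password prompt at all.
nopasswd_groups() {
    awk '/^[[:space:]]*%/ && /NOPASSWD:/ { sub(/^%/, "", $1); print $1 }' "$1" | sort -u
}

# Succeed if any group in the space-separated list $2 has a rule in file $1.
grants_sudo() {
    for g in $2; do
        sudo_groups "$1" | grep -qxF -- "$g" && return 0
    done
    return 1
}

# Demo run against the constructed sample and the current user's groups.
demo_file=$(mktemp)
sample_sudoers > "$demo_file"
echo "groups with sudo:   $(sudo_groups "$demo_file" | xargs)"
echo "no password needed: $(nopasswd_groups "$demo_file" | xargs)"
if grants_sudo "$demo_file" "$(id -Gn)"; then
    echo "current user would get sudo through a group in the sample file"
else
    echo "current user is in none of the sample file's sudo groups"
fi
rm -f "$demo_file"
```

A NOPASSWD group is worth a second look during review, since membership in it gives root without re-entering any password.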


source: https://xkcd.com/149/