Difference between the su and sudo commands

Source: Internet
Author: User
I. Using su to temporarily switch user identity

1. What su does and who may use it

The su command switches the current session to another user. Consider the problem it solves. We are logged in as the ordinary user beinan and want to add a user with useradd, but beinan does not have that permission; root does. There are two ways out. One is to log out as beinan and log back in as root, which is clumsy. The other is to stay logged in as beinan, use su to become root, add the user, and then exit back to beinan. The second is clearly the better way.

su lets any user become any other user. When root switches to an ordinary or system user, no password is asked for at all: that is the power of the superuser. When an ordinary user switches to another user, the target user's password must be entered.

2. Usage of su

su [options] [user]

-, -l, --login: start a login shell, i.e. also switch to the target user's environment (home directory, shell, PATH);

-c, --command=command: run the given command as the target user and then return to the calling user;

For more details, see man su.

3. Examples of su

Called without any arguments, su switches to root by default, but it does not change to root's home directory: the user ID changes, but root's login environment is not loaded. The default login environment of every user, including the home directory and the shell, is defined in /etc/passwd.

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

With the - argument, su switches to root and also loads root's login environment:

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -
Password:
[root@localhost ~]# pwd
/root

su - username

[beinan@localhost ~]$ su - root      Note: this is the same as su -
Password:
[root@localhost ~]# pwd
/root

[beinan@localhost ~]$ su - linuxsir      Note: switch to the user linuxsir
Password:                                Note: enter linuxsir's password here
[linuxsir@localhost ~]$ pwd              Note: show the current directory
/home/linuxsir
[linuxsir@localhost ~]$ id               Note: show the UID and GID of the current user, mainly to confirm that the switch worked
uid=505(linuxsir) gid=502(linuxsir) groups=0(root),500(beinan),502(linuxsir)
[linuxsir@localhost ~]$

[beinan@localhost ~]$ su - -c ls      Note: the two options combined: switch to root with root's login environment, run ls there (which lists root's home directory), then return to beinan
Password:                             Note: enter the root password here
anaconda-ks.cfg Desktop install.log install.log.syslog testgroup testgroupbeinan testgrouproot
[beinan@localhost ~]$ pwd             Note: we are back as beinan, in beinan's home directory
/home/beinan
[beinan@localhost ~]$ id              Note: show the current user's identity
uid=500(beinan) gid=500(beinan) groups=500(beinan)

4. Advantages and disadvantages of su

su is certainly convenient for administration: once you have switched to root, every administrative tool is available, and any ordinary user who is given the root password can switch to root and do all of the administrative work. That convenience is also the problem. Suppose ten users share the administration of a system. For them to use su to become root, the administrator must tell all ten the root password. Each of them then has unrestricted root and can do anything, so the security of the whole system rests on all ten of them. "There is no insecure system, only insecure people": we cannot guarantee that all ten follow the proper procedures, and a single mistake made as root can crash the system or lose data. Nor is there any record of which of the ten did what; every action simply appears to have been done by root.

su is therefore not the best choice when many people are involved in administration; it suits systems managed by one or two people. The root password should be in the hands of as few people as possible, so keeping administration centralised still makes sense.

II. sudo: an authorised and restricted su

1. When sudo applies

Because su gives unrestricted permissions once the switch to root has been made, it cannot serve a system that is administered by several people. If everyone uses su to become root, there is no way to tell which administrator performed which operation. Especially when many people manage a server, it is best to give each administrator only the permissions that fit their technical specialty and area of responsibility, and to specify the tools they may use for that work. That is what sudo is for.

Through sudo we can delegate particular superuser privileges to particular users without telling ordinary users the root password. sudo is therefore safer than su with its unrestricted permissions, which is why it is sometimes described as a restricted su; and because every use of it must be authorised beforehand, it is also called an authorised su.

When sudo runs a command, the current user is switched to root (or to another specified user), the command is executed as that user, and control returns directly to the current user when the command finishes. The precondition is that the user has been granted that command in sudo's configuration file, /etc/sudoers.

For example, if the ordinary user beinan tries to page through /etc/shadow with more, this is what happens:

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Permission denied

In this case beinan can read the file with sudo more /etc/shadow, but first beinan must be authorised in /etc/sudoers.

So we first su to root and change /etc/sudoers with visudo (assume we are logged in as beinan):

[beinan@localhost ~]$ su
Password:      Note: enter the root password here

Now run visudo:

[root@localhost beinan]# visudo      Note: visudo edits /etc/sudoers, locks it against concurrent edits, and checks the syntax before saving, which is why it is used instead of editing the file directly

Add the following line, then save and exit. visudo opens the file in vi by default; vi usage is not covered here.

beinan ALL=/bin/more

This line means: on any host (ALL), beinan may run /bin/more as root.

Return to the beinan user with the exit command:

[root@localhost beinan]# exit
exit
[beinan@localhost ~]$

Which commands may beinan run through sudo? sudo -l lists them:

[beinan@localhost ~]$ sudo -l
Password:      Note: enter beinan's own password here, not root's
User beinan may run the following commands on this host:
    (root) /bin/more

Note: on this host, beinan may run more as root, and more run as root can display the content of any text file on the system.

Finally, let us check whether beinan can now see the content of /etc/shadow:

[beinan@localhost ~]$ sudo more /etc/shadow

beinan can now read not only /etc/shadow but any other file that only root may read, for example:

[beinan@localhost ~]$ sudo more /etc/gshadow

If we only want beinan to read /etc/shadow, and not every file on the system, restrict the arguments in the rule instead. A rule that names arguments only matches a command invoked with exactly those arguments:

beinan ALL=/bin/more /etc/shadow

Note, though, that more is an interactive pager whose man page documents an ! command that runs a command in a subshell and a v command that starts an editor; under sudo both run as root, so even this narrowed rule still amounts to a root shell unless sudo's NOEXEC tag is applied to it. Any delegation of a pager or an editor through sudo should be read with that in mind.

Digression: some readers will say that they can see everything they want simply by using su to become root. True. But the subject here is sudo. If there are several users on the host who do not know the root password but need to view certain files they cannot otherwise read, the administrator can authorise exactly that. This is the benefit of sudo.

Example 5: user groups in /etc/sudoers

A user group is written in /etc/sudoers with a % sign in front of its name, with no space between the % and the name:

%beinan ALL=/usr/sbin/*, /sbin/*

This line means: all members of the beinan group, on any host, may run any command under /usr/sbin and /sbin as root.

Example 6: excluding a program

To exclude a program, put ! in front of it in the command list. This example also shows the use of the * wildcard.

beinan ALL=/usr/sbin/*, /sbin/*, !/sbin/fdisk      Note: add this line to /etc/sudoers with visudo; it names the user beinan, unlike the %beinan group rule above

This rule means: on any host, beinan may run every program under /usr/sbin and /sbin as root, except /sbin/fdisk. sudo applies matching entries in order and the last match wins, so the exclusion must come after the wildcard entries that it narrows. Two cautions from the sudoers manual apply: exclusions with ! are only as strong as the directories they cover, since a user who could copy fdisk under another name into a directory matched by the wildcard would not be caught by the ! entry; and a rule this broad grants many programs that can themselves start a shell or overwrite arbitrary files as root.

[beinan@localhost ~]$ sudo -l
Password:      Note: enter beinan's own password
User beinan may run the following commands on this host:
    (root) /usr/sbin/*, /sbin/*, !/sbin/fdisk
[beinan@localhost ~]$ sudo /sbin/fdisk -l
Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

Note: beinan cannot run fdisk as root.
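The examples above (the unrestricted more rule, the argument-restricted more rule, the %beinan group rule and the ! exclusion) all depend on how sudo matches a command against /etc/sudoers. The following Python script is an added example, not sudo's own code: it is a toy model of that matching, covering only the subset of the sudoers syntax used on this page (user and %group specifications, ALL, the default runas user root, * wildcards in paths and arguments, ! exclusions, and the last-match-wins rule). The sudoers fragments, user names, group memberships and host name in it are constructed from the page's examples; it also goes beyond them by showing what happens when the group entry and the exclusion entry are swapped.

```python
"""Toy model of sudoers command matching, added as an example for this page.

This is not sudo's own code. It models only the subset of sudoers used in
the examples above: user and %group specifications, the ALL keyword, the
default root runas user, '*' wildcards in command paths and arguments,
'!' exclusions, and sudo's rule that when several entries match a command
the last one wins. The sudoers texts, user names and host name below are
constructed from the page's examples.
"""
import fnmatch
import re
from collections import namedtuple

Rule = namedtuple("Rule", "who host runas command negated")


def path_match(pattern, path):
    """Match a command path. As in sudo, '*' in a path never matches '/'."""
    pat_parts, parts = pattern.split("/"), path.split("/")
    return len(pat_parts) == len(parts) and all(
        fnmatch.fnmatchcase(p, pat) for pat, p in zip(pat_parts, parts))


def parse_sudoers(text):
    """Parse lines of the form 'who host=(runas) cmd, cmd, !cmd'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        who, rest = line.split(None, 1)
        host, cmds = (s.strip() for s in rest.split("=", 1))
        runas = "root"  # sudoers default when no (user) is given
        m = re.match(r"\(([^)]*)\)\s*(.*)", cmds)
        if m:
            runas, cmds = m.group(1).split(":")[0].strip() or "root", m.group(2)
        for item in cmds.split(","):
            item = item.strip()
            negated = item.startswith("!")
            rules.append(Rule(who, host, runas, item.lstrip("!").strip(), negated))
    return rules


def command_match(spec, argv):
    """A bare path allows any arguments; a path with arguments requires the
    arguments to match too (in arguments, unlike paths, '*' may match '/')."""
    if spec == "ALL":
        return True
    spec_parts = spec.split()
    if not path_match(spec_parts[0], argv[0]):
        return False
    if len(spec_parts) == 1:
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(spec_parts[1:]))


def may_run(rules, user, groups, host, argv, runas="root"):
    """Decide whether user (a member of groups) may run argv as runas on host.
    Entries are applied in order and a later match overrides an earlier one."""
    allowed = False
    for r in rules:
        who_ok = r.who == user or r.who == "ALL" or (
            r.who.startswith("%") and r.who[1:] in groups)
        host_ok = r.host == "ALL" or fnmatch.fnmatchcase(host, r.host)
        runas_ok = r.runas == "ALL" or r.runas == runas
        if who_ok and host_ok and runas_ok and command_match(r.command, argv):
            allowed = not r.negated
    return allowed


# Constructed sudoers fragments: the page's unrestricted 'more' rule beside
# the argument-restricted one, then the group / wildcard / exclusion rules.
WEAK = "beinan ALL=/bin/more\n"
RESTRICTED = "beinan ALL=/bin/more /etc/shadow\n"
WILDCARDS = """
%beinan ALL=/usr/sbin/*, /sbin/*
beinan  ALL=/usr/sbin/*, /sbin/*, !/sbin/fdisk
"""
# The same two entries in the opposite order: the group entry now matches last.
WILDCARDS_REORDERED = """
beinan  ALL=/usr/sbin/*, /sbin/*, !/sbin/fdisk
%beinan ALL=/usr/sbin/*, /sbin/*
"""


def check(sudoers, argv, user="beinan", groups=("beinan",), host="localhost"):
    """Parse a sudoers fragment and answer 'may user run argv as root on host?'"""
    return may_run(parse_sudoers(sudoers), user, groups, host, argv)


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("restricted", RESTRICTED)):
        for f in ("/etc/shadow", "/etc/gshadow"):
            print(label, f, check(text, ["/bin/more", f]))
    print("fdisk, group entry then user entry:", check(WILDCARDS, ["/sbin/fdisk", "-l"]))
    print("fdisk, user entry then group entry:", check(WILDCARDS_REORDERED, ["/sbin/fdisk", "-l"]))
    print("wildcard does not cross '/':", check(WILDCARDS, ["/sbin/../bin/sh"]))
```

Running the script shows the unrestricted rule letting /etc/gshadow through while the argument-restricted one does not, the ! entry denying fdisk only while it is the last matching entry, and the group entry silently re-granting fdisk when it comes after the user entry. Real sudo also resolves the command path, honours Defaults and tags such as NOEXEC, and matches host names and netgroups, none of which this model attempts.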

Finally, a user who has sudo rights but does not know the root password can still obtain a root shell with sudo su (or sudo -i), provided the sudoers rule permits it; a rule that grants ALL does.
