Differences between the Linux su and sudo commands

Source: Internet
Author: User

I. Using su to switch user identity temporarily

1. When su applies, and the power it grants

su is the tool for switching users. How should we understand that? Suppose we are logged in as the ordinary user beinan but need to add a user, which means running useradd. beinan does not have that permission; it belongs to root. There are two solutions: log out of beinan and log in again as root, which is not the best approach; or, without leaving the beinan session, use su to switch to root, add the user, and exit root once the task is done. Clearly, switching with su is the better way;

su can switch between any users. When the superuser root switches to an ordinary or virtual user, no password is required: that is root's power. When an ordinary user switches to any other user, password authentication is required;

2. Usage of su:

su [option] [user]

-, -l, --login   log in and change to the environment of the target user;

-c, --command=command   execute a command, then leave the user environment that was switched to;

For more details, see man su;

3. Examples of su:

Without any parameters, su switches to the root user by default, but it does not enter root's home directory. In other words, it becomes root without adopting root's login environment. Each user's default login environment is defined in /etc/passwd, including the home directory and shell;

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

su with the parameter - switches to root by default and also changes to root's environment;

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -
Password:
[root@localhost ~]# pwd
/root

su - username

[beinan@localhost ~]$ su - root    Note: this does the same as su -;
Password:
[root@localhost ~]# pwd
/root

[beinan@localhost ~]$ su - linuxsir    Note: switch to the user linuxsir;
Password:    Note: enter the password here;
[linuxsir@localhost ~]$ pwd    Note: check where the current user is;
/home/linuxsir
[linuxsir@localhost ~]$ id    Note: check the user's UID and GID, mainly to confirm that the switch worked;
uid=505(linuxsir) gid=502(linuxsir) groups=0(root),(beinan),502(linuxsir)
[linuxsir@localhost ~]$

[beinan@localhost ~]$ su - -c ls    Note: a combination of su's parameters: switch to root and to root's environment, list the files in root's home directory, then leave root;
Password:    Note: enter the root password here;
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  testgroup  testgroupbeinan  testgrouproot
[beinan@localhost ~]$ pwd    Note: check where the current user is;
/home/beinan
[beinan@localhost ~]$ id    Note: view the current user's information;
uid=500(beinan) gid=500(beinan) groups=500(beinan)

4. Advantages and disadvantages of su;

su is certainly convenient for administration: switching to root gives access to every system management tool, and any ordinary user who knows the root password can switch to root and do all of the administrative work. But after switching to root with su there is also an unsafe factor. Suppose a system has ten users who all take part in administration. If all ten need superuser rights and, as the administrator, you want them to reach root through su, you must tell the root password to all ten. Once ten users hold root privileges they can do anything with them, which to some extent compromises the security of the system; think of Windows, where this is a nightmare. "There are no insecure systems, only insecure people": we cannot guarantee that these ten users will manage the system strictly according to the proper procedures, and a single serious mistake by any one of them can crash the system or lose data. So su is not the best choice where many people share the administration; it is only suitable when one or two people administer the system, because su gives an ordinary user no way to be granted limited rights. The root password should stay in the hands of a few users; that is absolutely right, and it is why centralized control and governance have some justification;

II. sudo: authorized use of su, or a restricted su

1. When sudo applies

Because su imposes no restriction once a user has switched to the superuser root, it is not suited to a system managed by several administrators. If everyone uses su to become the superuser and manage the system, it is impossible to tell which administrator did which work. In particular, for servers administered by many people, it is best to delegate authority according to each administrator's technical expertise and area of responsibility, and to agree on which tools they use to do their work. That is where sudo comes in.
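The accountability point above can be seen directly in the logs: sudo records the invoking user and the exact command, while su records only that someone became root. The following added example (not from the article) parses a constructed auth.log excerpt in POSIX sh; the host, users, times and commands in it are made up.

```shell
#!/bin/sh
# Constructed auth.log excerpt in the syslog formats sudo and su actually use;
# host, users, times and commands are made up for this example.
AUTH_LOG='Mar  3 10:12:01 localhost sudo:   beinan : TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/bin/more /etc/shadow
Mar  3 10:15:44 localhost sudo: linuxsir : TTY=pts/1 ; PWD=/home/linuxsir ; USER=root ; COMMAND=/usr/sbin/useradd tom
Mar  3 10:20:09 localhost sudo:   beinan : command not allowed ; TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/sbin/fdisk -l
Mar  3 10:31:30 localhost sudo:   backup : TTY=pts/2 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/su
Mar  3 10:40:12 localhost su: (to root) beinan on pts/0'

# who_did_what: read log lines on stdin, print one "user STATUS command" per
# privileged action. sudo names the invoking user and the exact command; su
# records only that an identity change happened.
who_did_what() {
    awk '
    /sudo: / {
        rec = $0; sub(/.*sudo: +/, "", rec)              # strip timestamp and host
        user = rec; sub(/ : .*/, "", user)
        status = (rec ~ /: command not allowed ;/) ? "DENIED" : "OK"
        cmd = rec; sub(/.*COMMAND=/, "", cmd)
        printf "%s %s %s\n", user, status, cmd
    }
    /su: \(to root\)/ {
        user = $0; sub(/.*\(to root\) /, "", user); sub(/ on .*/, "", user)
        printf "%s SU -\n", user                          # what root then did is not logged
    }'
}

# unaccountable: users whose privileged session can no longer be attributed
# command by command: any su, or a sudo grant whose command is su or a shell.
unaccountable() {
    who_did_what | awk '$2 == "SU" || ($2 == "OK" && $3 ~ /^\/bin\/(su|sh|bash)$/) { print $1 }'
}

printf '%s\n' "$AUTH_LOG" | who_did_what
echo '--- users reaching an unaccountable root session:'
printf '%s\n' "$AUTH_LOG" | unaccountable
```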

Through sudo we can delegate some superuser privileges in a targeted way, without ordinary users having to know the root password. Compared with the unrestricted power of su, sudo is therefore relatively safe, which is why it can be called a restricted su; and because sudo requires explicit authorization, it is also called an authorized su;

When sudo executes a command, the current user switches to root (or to another specified user), the command is executed as root (or as that user), and control returns directly to the current user when the command finishes. The precondition is that sudo's configuration file, /etc/sudoers, grants the authorization;

For example, if the ordinary user beinan wants to view the contents of /etc/shadow with more, this is what happens;

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Permission denied

At this point we can use sudo more /etc/shadow to read the file, but beinan must first be authorized in /etc/sudoers.

So we first su to root and edit /etc/sudoers with visudo (here we are logged in as the user beinan):

[beinan@localhost ~]$ su
Password:    Note: enter the root password here

Then run visudo;

[root@localhost beinan]# visudo    Note: run visudo to change /etc/sudoers

Add the following line, then save and exit. visudo uses the vi editor; the use of vi is not covered here.

beinan ALL=/bin/more

This line means that beinan may switch to root to run more and view files;

Return to the user beinan with the exit command;

[root@localhost beinan]# exit
exit
[beinan@localhost ~]$

Which commands may beinan execute with sudo?

[beinan@localhost ~]$ sudo -l
Password:    Note: enter the password of the user beinan here
User beinan may run the following commands on this host:
    (root) /bin/more

Note: this states clearly that on this host, beinan may run more with root privileges; with root privileges, the contents of any text file can be viewed;

Finally, let us see whether beinan can now view the contents of /etc/shadow;

[beinan@localhost ~]$ sudo more /etc/shadow

beinan can now see not only the contents of /etc/shadow but also other files that only root may read, for example;

[beinan@localhost ~]$ sudo more /etc/gshadow

If I do not want beinan to be able to view every system file, but only the contents of /etc/shadow, I can add the following line instead;

beinan ALL=/bin/more /etc/shadow

Digression: some readers will say: I can already see everything I want by switching to root with su. Yes, indeed. But are we not discussing sudo now? When there are several users on a host who do not know the root password but need to read files they otherwise cannot, the administrator must authorize them, and that is the advantage of sudo;

Example five: user groups in /etc/sudoers;

When a user group appears in /etc/sudoers, it is prefixed with a % sign, for example %beinan, with no space in between:

%beinan ALL=/usr/sbin/*,/sbin/*

Adding this line to /etc/sudoers means that every member of the group beinan may, on any host, switch to root and run all commands under /usr/sbin and /sbin;

Example six: excluding a class of programs:

To exclude a program, or a class of programs, prefix the command with a ! sign; wildcards can be used here as well;

beinan ALL=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk    Note: add this rule to /etc/sudoers; it assumes that a group named beinan exists and that the user beinan belongs to it;

This rule says that on any host the user beinan may run every program under /usr/sbin and /sbin except fdisk;

[beinan@localhost ~]$ sudo -l
Password:    Note: enter the password of the user beinan here;
User beinan may run the following commands on this host:
    (root) /usr/sbin/*
    (root) /sbin/*
    (root) !/sbin/fdisk
[beinan@localhost ~]$ sudo /sbin/fdisk -l
Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

Note: beinan cannot switch to root to run the fdisk program;

If a user has been granted su through sudo but does not know the root password needed for su itself, sudo su switches to root through sudo;
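To make the rule matching described above concrete, here is an added example in POSIX sh (not from the article and not sudo's own code) that evaluates a constructed sudoers fragment the way sudoers matches: a user or %group, wildcard command patterns, a spec without arguments matching any arguments, ! exclusions, and the last matching entry deciding. The group wheel, the user backup and the group membership are assumptions; the rule shapes are the article's, and the last rule shows why a sudo grant of su hands over an unrestricted root shell.

```shell
#!/bin/sh
# Constructed sudoers fragment (not the article's real host), one rule per line:
#   user_or_%group HOST=cmd1,cmd2,!cmd3   (Runas part omitted; last match wins)
SUDOERS_FRAGMENT='beinan ALL=/bin/more /etc/shadow
linuxsir ALL=/bin/more
%wheel ALL=/usr/sbin/*,/sbin/*,!/sbin/fdisk
backup ALL=/bin/su'
# Constructed group membership, user:group,group (stands in for /etc/group)
GROUPS_DB='beinan:beinan,wheel'

in_group() {   # in_group USER GROUP -> exit 0 if USER is a member of GROUP
    printf '%s\n' "$GROUPS_DB" | awk -F: -v u="$1" -v g="$2" '
        $1 == u { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == g) f = 1 }
        END { exit !f }'
}

# may_run USER "COMMAND [ARGS]" -> exit 0 (allowed) or 1 (denied).
# As in sudoers: the command path is matched with shell-style wildcards, a spec
# that lists no arguments matches any arguments, a leading "!" denies, and the
# last matching spec wins. Only the path string is compared, which is why
# sudoers(5) cautions against subtracting commands from wildcard grants.
may_run() {
    user=$1; path=${2%% *}; args=${2#"$path"}; args=${args# }; verdict=1
    while IFS= read -r rule; do
        who=${rule%% *}
        case $who in
            %*) in_group "$user" "${who#%}" || continue ;;
            *)  [ "$who" = "$user" ] || continue ;;
        esac
        oldIFS=$IFS; set -f; IFS=,; set -- ${rule#*=}; IFS=$oldIFS; set +f
        for spec in "$@"; do
            deny=0
            case $spec in '!'*) deny=1; spec=${spec#?} ;; esac
            spath=${spec%% *}; sargs=${spec#"$spath"}; sargs=${sargs# }
            case $path in
                $spath) [ -z "$sargs" ] || [ "$sargs" = "$args" ] || continue ;;
                *)      continue ;;
            esac
            verdict=$deny
        done
    done <<EOF
$SUDOERS_FRAGMENT
EOF
    return $verdict
}

for q in 'beinan /bin/more /etc/shadow' 'beinan /bin/more /etc/gshadow' \
         'linuxsir /bin/more /etc/gshadow' 'beinan /sbin/fdisk -l' 'backup /bin/su'; do
    if may_run "${q%% *}" "${q#* }"; then echo "ALLOW  $q"; else echo "DENY   $q"; fi
done
```

The narrow rule lets beinan read /etc/shadow but not /etc/gshadow, while the unrestricted more grant lets linuxsir read any root-only file, which is the difference the article draws between the two lines.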
