Use and enable the root account with Ubuntu sudo and su commands

Source: Internet
Author: User
Tags root access
Today, we will introduce two Ubuntu commands: sudo and susudo, which are called super-userdo, so that the current user can temporarily run this command as the root administrator. Su is used to change the current user. suroot is used to switch the current user to the root user. After suroot is used, all the following commands can be skipped, because the current user is already the administrator root. Ubuntu has a distinctive feature, that is, when you use it for the first time, you cannot act as a roo.

Today we will introduce two Ubuntu commands: sudo and su.

Sudo refers to super-user do, which allows the current user to temporarily run this command as the administrator.

Su is used to change the current user. su root is used to switch the current user to the root user. After su root is used, all the following commands can be skipped, because the current user is already the administrator root.

Ubuntu has a distinctive feature, that is, when you use it for the first time, you cannot log on to the system as the root user. Why? This should begin with the installation of the system. For other Linux systems, the root password is usually set during the installation process, so that the user can use it to log on to the root account or use the su command to convert to the Super User identity. By default, Ubuntu does not set a password for the root user or enable the root account. The problem is, what should I do if I want to run the command as a root user? It doesn't matter. We can use the sudo command for this purpose.

Sudo is a common tool in linux that allows general users to use superuser permissions. This command provides the Administrator with a fine-grained access control method, through it, people can access the system both as Super Users and as other types of users. The advantage of this is that administrators can grant some specific types of Super User Permissions without telling the user the root password, which is what many system administrators dream.

1. Default sudo Configuration

During the authentication, Ubuntu provides a basic configuration for sudo, Which is saved in the sudoers file under the/etc directory. When modifying the configuration file, you must use the mongodo tool to edit the file, because the tool automatically performs a strict check on the configuration syntax. If an error is found, a warning is given when saving and exiting the file, the system prompts you which configurations are incorrect to ensure the correctness of the configuration file. On the contrary, if other text editing programs are used, once an error occurs, it will cause serious consequences to the system. The following shows the Ubuntu default/etc/sudoers file content: # User privilege specificationroot ALL = (ALL) ALL # Members of the admin group may gain root privileges % admin ALL = (ALL) ALL

The following is a brief description of the above Configuration:

The role of the first configuration is to allow the root user to use The sudo command to become any other type of user in the system. The second configuration requires that all Members in the Management Group can execute all command orders as root. Therefore, in the default Ubuntu system, to execute commands as root, you only need to keep up with the commands to be executed after sudo. The following is an example. If you want to execute apt-get update, type the following content in the command line: $ sudo apt-get update

2. Configuration File Syntax explanation

Next, we will use an instance to explain in detail the configuration syntax of the/etc/sudoers file. See the following example: jorge ALL = (root)/usr/bin/find, /bin/rm

The first column above specifies that it applies to users or groups. In this example, It is user jorge. In addition, because the group and user in the system can be renamed, to specify that the rule applies to a group rather than a user, the Group Object Name must start with a percent sign (%.

The second column specifies the applicable host of the rule. This column is particularly useful when we deploy the sudo environment among multiple systems. Here ALL represents ALL hosts. However, if you do not want to deploy sudo on a desktop or multiple systems, replace this column with the corresponding host name.

The value in the third column is enclosed in brackets, indicating the identity of the user specified in the first column to execute the command. In this example, the value is set to root, which means that the user jorge can run the commands listed below as the root user. This value can also be set to the wildcard "ALL". jorge can be used as any user in the system to execute the listed command.

The last column (/usr/bin/find,/bin/rm) is a command table separated by commas, these commands can be run by users specified in the first column as indicated in the third column. In this example, the configuration allows jorge to run the/usr/bin/find and/bin/rm commands as Super Users. It must be noted that the commands listed here must use absolute paths.

3. How to Use the sudo command

Now the question is, how can a user jorge use the permissions assigned to him? In fact, it is very simple. You only need to use the sudo command in command line mode.

Add the program he wants to run, for example, jorge @ ubuntu :~ $ Sudo find .! -Name '*. avi'-exec rm-f \\{\\}\\;

If jorge tries to execute a program (such as find or rm) outside of the/etc/sudoers file, The sudo command will end with a failure and give a warning, it indicates that he is not authorized to run these commands as a Super User.

To run commands as a non-root user, you must use the-u option to specify the user to be used. Otherwise, sudo will be the root user by default, for example, to run the ls command as fred, you should: $ sudo-u fred ls/home/fred

As you can see, we can use these rules to create specific roles for the system. For example, if you want a group to be responsible for account management, on the one hand, you do not want these users to have full root access permissions, on the other hand, you must grant them the right to add and delete users, then we can create a group named accounts on the system and add those users to the group. Then, add the following content using mongodo for/etc/sudoers: % accounts ALL = (root)/usr/sbin/useradd,/usr/sbin/userdel, /usr/sbin/usermod

Now, all the Members in the accounts Group can run the useradd, userdel, and usermod commands. If you find that the role requires other tools after a while, you just need to add them at the end of the table. This is really convenient!

Note that the complete command path must be used when you define commands that can be run for users. This is completely out of security considerations. If the command we give is just a simple userad, rather than/usr/sbin/useradd, the user may create his own script, it is also called userad and placed in its local path, so that he can execute any command he wants through the local script named useradd as root. This is quite dangerous!

Another convenient feature of the sudo command is that it can indicate which commands do not require a password for execution. This is useful, especially when running some commands as a Super User in non-interactive scripts. For example, you want to run the kill command without entering a password as a Super User so that the user can immediately kill a process out of control. Therefore, add the NOPASSWD: attribute to the front of the command line. For example, you can add a line up and down in the/etc/sudoers file so that jorge can obtain this power: jorge ALL = (root) NOPASSWD:/bin/kill,/usr/bin/killall

In this way, jorge can run the following command to kill the out-of-control rm process as the root user. Jorge @ ubuntu :~ $ Sudo killall rm

6. How to enable the root account

Through the above introduction, we found that sudo is indeed very useful, but if you have been used to working in root for a long time, what should you do to review the past? Simply set a root password for the root user: $ sudo passwd root

Now you can log on directly as the root user.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.