The difference between the Linux commands su and sudo

Introduction and main usage of su command

The general usage of su is:

su  <user_name>

or

su - <user_name>

The two forms differ by a single character, but the difference in behaviour is large:

  • With the - option, su starts a login shell: after switching to <user_name>, the shell loads that user's environment variables and other settings;
  • Without the - option, su starts a non-login shell: the effective user becomes <user_name>, but the shell keeps the environment variables and settings of the previous user.

For example:

First, we switch from the ubuntu user to the root user with a non-login shell and compare the PWD value in the environment of the two users (when su is given no <user_name>, it switches to root by default):

ubuntu@VM-0-14-ubuntu:~$ env | grep PWD
PWD=/home/ubuntu                                         # /home/ubuntu
# Omit
ubuntu@VM-0-14-ubuntu:~$ su root                         # Non login shell mode
Password:                                                # Enter the root login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep PWD
PWD=/home/ubuntu                                         # Still /home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu#

We did switch to the root user, but the shell environment did not change: we are still using the environment variables of the previous ubuntu user.

Then we switch from the ubuntu user to the root user with a login shell and again compare the PWD value in the environment of the two users:

ubuntu@VM-0-14-ubuntu:~$ env | grep PWD
PWD=/home/ubuntu                               # /home/ubuntu
# Omit
ubuntu@VM-0-14-ubuntu:~$ su - root             # Login shell mode
Password:
root@VM-0-14-ubuntu:~# env | grep PWD
PWD=/root                                      # Now /root
root@VM-0-14-ubuntu:~#

You can see that when you switch users with a login shell, the environment variables in the shell change as well.

Summary: which form to use depends on your needs:

  • If you do not want to lose the settings of the current user when you switch to another user, use the non-login shell form;
  • If you need the environment variables of the target user after switching (different users generally have different environment settings), use the login shell form.

-c parameter

With -c there is no need to switch user first: the command is executed as another user directly from the current user, and control returns to the current user when it finishes.

The method of use is:

su - -c "string of commands"                                  # Execute the command string as root

For example:

[root@master ~]# su - omm -c "pwd"
/home/omm
[root@master ~]# su  omm -c "pwd"
/root
[root@master ~]# su omm -c "echo \$PWD"
/root
[root@master ~]# su - omm -c "echo \$PWD"
/home/omm

This way of running commands is very similar to the sudo command introduced next: both temporarily obtain the permissions of the root user. But there are differences.

Introduction and main usage of sudo command

sudo stands for super user do, that is, execute a command as the super user (root). This is different from su, which switches users.

Main usage

We often encounter Permission denied in Linux, for example when viewing the contents of /etc/shadow as the ubuntu user, because that file can only be read by root.

What if we want to see it? In this case, sudo can be used:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied      # No permission
ubuntu@VM-0-14-ubuntu:~$ sudo !!                                    # sudo followed by two exclamation marks
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$

In the example we use sudo !!. This little trick repeats the previous command with sudo added at the beginning.

Because I have configured sudo not to require a password, sudo !! here prints the content directly. Without that setting you must enter the password of the current user; in this example I would enter the login password of the ubuntu user.

For two consecutive sudo operations within 5 min, the second sudo does not ask for the password again; after more than 5 min you must enter the password again. Therefore, an easy way is to configure sudo to work without a password.

In addition to executing commands with the permissions of the root user, sudo has several other uses, which are briefly introduced here.

Switch to root:

sudo su -

This also switches to the root user in login shell mode, but it differs from su -:

  • For the former, after entering sudo su - you provide the login password of the current user, that is, the password of the ubuntu user;
  • For the latter, after entering su - you provide the login password of the root user.

There is another command:

sudo -i

This command has the same effect as sudo su -: it also switches to the root user and asks for the login password of the current user (ubuntu).

Now let's switch to test_user and try to display the contents of /etc/shadow:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:                                       # test_user's password
$ sudo cat /etc/shadow
[sudo] password for test_user:                  # test_user's password
test_user is not in the sudoers file.  This incident will be reported.
$

The second-to-last line is an error message: we cannot view the content of /etc/shadow. Why can ubuntu use sudo but test_user cannot?

This involves how sudo works.

How sudo works

Whether a user can use the sudo command depends on the settings in the /etc/sudoers file.

As we saw in the earlier example, the ubuntu user can use sudo normally, but test_user cannot, because test_user is not configured in /etc/sudoers.

/etc/sudoers is also a text file, but because it has a specific syntax we do not edit it directly with vim or vi. Instead we use the visudo command, which opens /etc/sudoers for editing and checks the syntax before saving.

Note that only the root user has permission to run visudo.

Let's first look at the content displayed after entering the visudo command.

Enter (root user):

root@VM-0-14-ubuntu:~# visudo

Output:

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

The format of each rule line is:

  • The first field is the user name (or %group), such as root or ubuntu;
  • The ALL on the left of the equal sign is the host list: ALL means the rule applies when sudo is used from any host;
  • The (ALL:ALL) on the right of the equal sign lists the users (and, after the colon, groups) that the user at the start of the line may run commands as; ALL means any user in the system;
  • The ALL at the end of the line is the command list: ALL means the user at the start of the line may run any command.

We also notice that the ubuntu line contains the NOPASSWD keyword, which means the ubuntu user does not need to enter a password when using sudo. This explains the earlier observation.

We also see that there is no line for test_user in this file, which explains why test_user cannot use the sudo command.

Next we add test_user to /etc/sudoers so that test_user can use sudo too. We add the following as the last line:

test_user  ALL=(ALL:ALL)  ALL       # test_user must enter test_user's password when using sudo
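The rule format explained above can be checked mechanically. The following shell function is an added example (not part of the original post) that parses a sudoers-style rule set, reports each grant, and flags NOPASSWD entries so an administrator can see who gets password-less root; the embedded rule text is constructed to mirror the visudo output shown above, including the new test_user line.

```shell
#!/bin/sh
# Audit sudoers-style rules: one summary line per grant, NOPASSWD flagged.
# Added example; the sample below is constructed, not read from a live system.

SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
test_user  ALL=(ALL:ALL)  ALL'

# Print "<who> <hosts> <runas> <tag> <commands>" for every rule line.
# Blank lines and lines starting with # (including #includedir) are skipped.
parse_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            who = $1
            rest = $0; sub(/^[[:space:]]+/, "", rest)
            sub(/^[^[:space:]]+[[:space:]]+/, "", rest)      # drop the user field
            hosts = substr(rest, 1, index(rest, "=") - 1); gsub(/[[:space:]]/, "", hosts)
            spec = substr(rest, index(rest, "=") + 1)        # "(runas) [TAG:] commands"
            runas = "(root)"                                 # sudoers default when omitted
            if (match(spec, /^[[:space:]]*\([^)]*\)/)) {
                runas = substr(spec, RSTART, RLENGTH); gsub(/[[:space:]]/, "", runas)
                spec = substr(spec, RSTART + RLENGTH)
            }
            tag = "PASSWD"
            if (sub(/^[[:space:]]*NOPASSWD:/, "", spec)) tag = "NOPASSWD"
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", spec)
            print who, hosts, runas, tag, spec
        }'
}

# Only the principals that may run their commands without a password prompt.
nopasswd_principals() {
    parse_sudoers "$1" | awk '$4 == "NOPASSWD" { print $1 }'
}

# Exit 0 if the user or %group has at least one rule, 1 otherwise.
has_rule() {
    parse_sudoers "$1" | awk -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

parse_sudoers "$SAMPLE_SUDOERS"
nopasswd_principals "$SAMPLE_SUDOERS"
```

Run against the constructed rules, `has_rule` answers the question the post asks (test_user now has a rule) and `nopasswd_principals` lists only ubuntu.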

Then we run sudo under the test_user account again:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow                   # With sudo
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
$

As you can see, sudo is now available.

Tags: Linux Operation & Maintenance server

Posted on Wed, 01 Dec 2021 18:16:10 -0500 by beaux1