I used to be confused by the two commands su and sudo. Recently I looked into the topic specifically and finally worked out the relationship between the two and how each is used. This article summarizes that systematically.
1. Preparatory work
Because this post involves switching users, I need to prepare a few test users in advance to make the later switching easier.
The command to create a new user in Linux is useradd. The directory containing this command is normally on the PATH environment variable; if typing useradd directly does not work, use the absolute path /usr/sbin/useradd.
The useradd command can only be run by the root user, so we first switch from the ordinary user ubuntu to root (how to switch is explained later):
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # enter the root user's login password
root@VM-0-14-ubuntu:~# useradd -m test_user # note the -m parameter, which creates the home directory
root@VM-0-14-ubuntu:~# ls /home
test_user ubuntu # you can see two users' directories under /home
Because the new user test_user has not been given a login password yet, we cannot switch from the ordinary user ubuntu to test_user. So next we set test_user's login password as root, which requires the passwd command:
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: # enter test_user's new password
Retype new UNIX password:
passwd: password updated successfully
root@VM-0-14-ubuntu:~#
Then enter exit to leave the root user and return to the ordinary user ubuntu:
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
You can see that the prefix of the command prompt has changed from root back to ubuntu, indicating that our current identity is the ubuntu user.
2. Introduction and main usage of the su command
First, we need to explain what su means.
I always thought su stood for "super user". After looking it up, I learned that it actually means "switch user".
Once you know what su abbreviates, the function it provides is obvious: switching users.
2.1 The - parameter
The general usage of su is:
su <user_name>
or
su - <user_name>
The two forms differ by only one character, but the difference in behaviour is large:
- With the - parameter, su starts a login shell: after switching to <user_name>, the shell loads <user_name>'s own environment variables and settings;
- Without the - parameter, su starts a non-login shell: the identity becomes <user_name>, but the shell keeps the environment variables and settings of the user you switched from.
An explanation alone is abstract; an example makes it easier to understand.
First we switch from the ubuntu user to the root user in non-login-shell mode and compare the value of PWD in the environment in the two user states (when su is not followed by any <user_name>, it switches to the root user by default):
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu # is /home/ubuntu
HOME=/home/ubuntu
# ... other variables omitted
ubuntu@VM-0-14-ubuntu:~$ su # non-login-shell mode
Password: # enter the root user's login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu # note: still /home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu#
We did switch to the root user, but the shell environment has not changed: we are still using the environment variables of the previous ubuntu user.
Next, we switch from the ubuntu user to the root user in login-shell mode and again compare the value of PWD in the environment in the two user states:
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu # is /home/ubuntu
HOME=/home/ubuntu
# ... other variables omitted
ubuntu@VM-0-14-ubuntu:~$ su - # login-shell mode
Password:
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root # has changed to /root
HOME=/root
MAIL=/var/mail/root
LOGNAME=root
root@VM-0-14-ubuntu:~#
You can see that when switching users in login-shell mode, the environment variables in the shell change as well.
Summary: which method to use depends on your needs:
- If you do not want the settings of your current user to become unavailable because you switched to another user, use the non-login-shell form;
- If you need the environment variables of the user you are switching to (different users' environment settings are generally different), use the login-shell form.
2.2 Switch to a specified user
As mentioned earlier, if su is not followed by any <user_name>, it switches to the root user by default:
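Added example (not from the original article): a short POSIX shell script that shows the login-shell versus non-login-shell difference from this section without needing root or a second account. A login shell, which is what su - starts, reads the target user's ~/.profile; a non-login shell, which is what plain su starts, does not. The script creates a throwaway HOME whose .profile (constructed here) writes a marker file, starts a shell in each mode, and reports whether the profile ran. The profile_loaded function name and the marker file are this example's own.

```shell
#!/bin/sh
# profile_loaded MODE -> "yes" if ~/.profile ran for a shell started in MODE
# ("login" or "nonlogin"), "no" otherwise. Uses a temporary HOME whose
# .profile (constructed for this example) drops a marker file when executed.
profile_loaded() {
    mode=$1
    tmp_home=$(mktemp -d) || return 1
    printf '%s\n' 'echo profile-ran > "$HOME/marker"' > "$tmp_home/.profile"
    # Prefer bash when present (it is what the article's prompts run), else sh.
    shell=$(command -v bash || echo sh)
    case "$mode" in
        login)    HOME=$tmp_home "$shell" -l -c true ;;  # -l: behave as a login shell, like su -
        nonlogin) HOME=$tmp_home "$shell" -c true ;;     # no -l: like plain su, profile is skipped
        *)        rm -rf "$tmp_home"; return 1 ;;
    esac
    if [ -f "$tmp_home/marker" ]; then result=yes; else result=no; fi
    rm -rf "$tmp_home"
    echo "$result"
}

echo "login shell (su -) loaded ~/.profile:   $(profile_loaded login)"
echo "non-login shell (su) loaded ~/.profile: $(profile_loaded nonlogin)"
```

This is exactly why PWD, HOME and the rest change only with su -: the target user's profile and the login-shell setup run in the login case and are skipped in the non-login case.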
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # root user's password
root@VM-0-14-ubuntu:/home/ubuntu#
Because we created a new user test_user in section 1 (Preparatory work), and we know test_user's login password (set by root), we can switch from the ubuntu user to test_user:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user's password
$
2.3 The -c parameter
In the previous methods we first switch to another user (root or test_user), execute commands as that user, and finally enter exit to return to the current ubuntu user.
There is another way that does not require switching users before executing commands: you can run a command as another user directly from the current user, and return to the current user as soon as it finishes. This needs the -c parameter.
The usage is:
su - -c "string of commands" # execute the command string as root
Let's take an example:
ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied # the ubuntu user cannot read /etc/shadow directly
ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password: # enter the root user's password
ubuntu:$1$fZKcWEDI$uwZ64uFvVbwpHTbCSgim0/:18352:0:99999:7:::
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$ # right after execution we are back to the ubuntu user, not the root user
This way of executing is very similar to the sudo command introduced later: it temporarily borrows the root user's permission. But there are still differences, which we come back to later.
3. Introduction and main usage of the sudo command
First, let's explain what the sudo command means.
The full name of sudo is "super user do", that is, execute a command as the super user (root). Note that the "super user" in sudo is not the "switch user" that su stands for; the two are easy to confuse.
Let's first introduce what the sudo command can do, then explain why it can do that and how it works.
Let's start.
3.1 Main usage
We often run into "Permission denied" in Linux, for example when viewing the contents of /etc/shadow as the ubuntu user, because that file can only be read by root.
What if we want to see it anyway? In this case we can use sudo:
ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied # no permission
ubuntu@VM-0-14-ubuntu:~$ sudo !! # sudo followed by two exclamation marks
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$
In the example we use the trick sudo !!, which repeats the previously entered command with sudo prepended.
Because I have configured sudo not to require a password, sudo !! here prints the content directly. Without that setting you must enter the current user's password; in this example I would enter the ubuntu user's login password.
For two consecutive sudo operations, if the interval between them is within 5min, the second sudo does not ask for the password again; if it exceeds 5min, you must enter the password again when you run sudo. A convenient option is therefore to configure sudo to work without a password; how to do that is described later.
Besides executing commands with the root user's authority, sudo has several other uses, briefly introduced here.
Switch to root:
sudo su -
This command also switches to the root user in login-shell mode, but it differs from su -:
- With sudo su -, the password you provide is the current user's password;
- With su -, you must provide the root user's login password.
There is another command:
sudo -i
This command has the same effect as sudo su -: it switches to the root user and needs the login password of the current user (ubuntu).
Now let's switch to test_user and try to display the contents of /etc/shadow:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user's password
$ sudo cat /etc/shadow
[sudo] password for test_user: # test_user's password
test_user is not in the sudoers file. This incident will be reported.
$
We get the error message on the second-to-last line and cannot view the content of /etc/shadow. Why can ubuntu use sudo but test_user cannot?
This involves how sudo works.
3.2 Working principle
Whether a user can use the sudo command depends on the settings in the /etc/sudoers file.
As we saw in Section 3.1, the ubuntu user can use sudo normally, but test_user cannot, because test_user is not configured in /etc/sudoers.
/etc/sudoers is also a text file, but because it has a specific syntax we do not edit it directly with vim or vi; we use the visudo command instead (visudo locks the file and checks the syntax before saving, so a typo cannot break sudo for everyone). After entering this command you can edit the /etc/sudoers file directly.
Note that only the root user has permission to use the visudo command.
Let's first look at what is displayed after entering the visudo command.
Enter (root user):
root@VM-0-14-ubuntu:~# visudo
Output:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
Explanation of the format of each line:
- The first field is the user name, such as root, ubuntu, etc. (a name starting with % is a group, as the comments in the file show);
- The ALL on the left of the equals sign means the rule applies when logging in from any host;
- The ALL on the right of the equals sign means the user at the start of the line can run commands as any other user in the system;
- The ALL at the end of the line means the user at the start of the line can run any command.
We also notice that the line for ubuntu has the NOPASSWD keyword, which means the ubuntu user does not need to enter a password when using sudo. This explains the earlier behaviour.
At the same time, there is no line for test_user in this file, which explains why test_user cannot use the sudo command.
Next, we add test_user to /etc/sudoers so that test_user can also use sudo. We add this as the last line:
test_user ALL=(ALL:ALL) ALL # test_user must provide test_user's own password when using sudo
Then we run sudo under the test_user account again:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow # with sudo
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
$
As you can see, sudo is now available.
3.3 Thinking
We have seen that if a user is in /etc/sudoers, it has sudo permission and can switch to the root user through sudo su - or sudo -i. The user then effectively becomes root. Doesn't this pose a great threat to the system?
It does. Therefore, when editing /etc/sudoers to give a user sudo permission, you must be sure the user is trusted and will not damage the system maliciously; otherwise giving that user full root permissions is very dangerous.
Of course, root can also edit /etc/sudoers so that the user has only partial permissions, that is, can run only a small number of commands. Interested readers can refer to Article 2 of the Reference section; this is not repeated here.
4. Comparison of the two
We have seen:
- Using su - and providing the root account's password switches to the root user;
- Using sudo su - and providing the current user's password also switches to the root user.
The difference between the two is obvious: if many users need to use our Linux system, the former requires every user to know the root password, which is clearly dangerous; the latter does not expose the root password. Users only enter their own password, and which users may switch to root is entirely controlled by root (via /etc/sudoers), so the system is much safer.
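Added example (not from the original article): a small POSIX shell script that reads a constructed sudoers excerpt in the format explained in section 3.2 and reports, for a given user, which rules apply, whether sudo is allowed at all (the check behind the "is not in the sudoers file" message), and whether a password is required. The sample also contains a restricted rule for test_user that allows only two commands instead of ALL, the kind of partial permission section 3.3 refers to. The sudoers excerpt, the group membership list, the restricted rule and the function names are all constructed for this example; the script parses text only and never touches the real /etc/sudoers.

```shell
#!/bin/sh
# Constructed sudoers excerpt for this example (not the real /etc/sudoers):
# the rules shown in the article, plus a restricted rule for test_user that
# allows only two read-only commands instead of ALL.
SUDOERS_SAMPLE='# User privilege specification
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
ubuntu    ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(root) /usr/bin/tail -n 3 /etc/shadow, /usr/bin/journalctl
#includedir /etc/sudoers.d'

# Constructed group membership in /etc/group format, used to resolve %group rules.
GROUP_SAMPLE='sudo:x:27:ubuntu
test_user:x:1001:'

# groups_of USER -> space-separated list of groups USER is a member of (from GROUP_SAMPLE)
groups_of() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1 }'
}

# sudo_rules USER -> one line per rule that applies to USER, in the form
#   "<host> <runas> <passwd|nopasswd> <commands>"
# (#includedir lines are skipped here; real sudo follows them.)
sudo_rules() {
    printf '%s\n' "$SUDOERS_SAMPLE" | awk -v u="$1" -v g="$(groups_of "$1")" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, #include, blank lines
        {
            who = $1
            applies = (who == u)
            if (substr(who, 1, 1) == "%") {             # %name means a group
                n = split(g, gl, " ")
                for (i = 1; i <= n; i++) if ("%" gl[i] == who) applies = 1
            }
            if (!applies) next
            rest = $0; sub(/^[^ \t]+[ \t]+/, "", rest)  # strip the user/group field
            host = rest; sub(/=.*/, "", host)           # text before "=": host list
            sub(/^[^=]*=[ \t]*/, "", rest)              # keep text after "="
            runas = "root"                              # sudoers default when no (...) is given
            if (rest ~ /^\(/) {
                runas = rest; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
                sub(/^\([^)]*\)[ \t]*/, "", rest)
            }
            tag = "passwd"
            if (rest ~ /^NOPASSWD:/) { tag = "nopasswd"; sub(/^NOPASSWD:[ \t]*/, "", rest) }
            print host, runas, tag, rest
        }'
}

# can_sudo USER -> "yes" if at least one rule applies, "no" otherwise
can_sudo() {
    if [ -n "$(sudo_rules "$1")" ]; then echo yes; else echo no; fi
}

# needs_password USER -> "no" / "yes" according to the LAST applicable rule
# (sudoers applies matching rules in order and the last match wins), or
# "n/a" when the user is not in the file at all
needs_password() {
    last=$(sudo_rules "$1" | tail -n 1)
    if [ -z "$last" ]; then
        echo n/a
    elif [ "$(printf '%s\n' "$last" | awk '{ print $3 }')" = nopasswd ]; then
        echo no
    else
        echo yes
    fi
}

for u in root ubuntu test_user nobody; do
    printf '%-10s can_sudo=%-3s needs_password=%s\n' "$u" "$(can_sudo "$u")" "$(needs_password "$u")"
    sudo_rules "$u" | sed 's/^/           rule: /'
done
```

With the constructed file, ubuntu matches both the %sudo rule and its own NOPASSWD line, and because the NOPASSWD line comes last it wins; test_user matches only the restricted rule and must type a password; a user with no line at all gets nothing, which is the situation behind the error in section 3.1.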
Source: Jun Tao https://tanjuntao.github.io