1. Overview
In Linux systems, two common commands enable us to perform tasks that require higher privileges than a regular user account provides:
However, these commands have differing purposes and mechanisms and may require different passwords for access.
In this tutorial, we’ll understand what the sudo and su commands are and why they might request distinct passphrases. We’ll also discuss some common misconceptions about these commands.
2. Privilege Escalation
Privileges are the rights and permissions that we have when performing actions on the system. Consequently, privilege escalation is the process of obtaining higher privileges than the ones assigned to a user by default. For instance, we may have the privilege to read a file, but not to modify or delete it.
In Unix systems, there’s a special user account called the superuser or root. The superuser has the highest level of privileges on the system and can perform any action without restriction:
- access any file
- change any setting
- install any software
- execute any command
The superuser account is necessary for system administration tasks that require full control over the system.
However, using the superuser account all the time isn’t a good practice. This is because it can be dangerous and risky. For instance, if we make a mistake or run a malicious program as the superuser, we can cause irreversible damage to the system or expose it to security threats. Therefore, it’s advisable to use the superuser account only when necessary and use a regular user account with lower privileges for normal tasks.
3. su Command
The su command is one of the ways to escalate privileges in Linux systems. su stands for substitute user or switch user and it enables a user to switch to another account on the system:
$ su [options] [username]
Notably, if no username is specified, su switches to the root account by default:
$ suAs a result, we’ll be prompted to input the root password. If we input that correctly, we switch to the root account.
By default, root doesn’t have a password in most Linux distributions to prevent it from being used directly. Still, we can set one using the passwd command:
$ sudo passwd rootTo use the sudo command, we’ll first input our password. Then, we’ll be prompted to enter the new root password. Finally, we’ll confirm the new root password by entering it again.
However, we should avoid creating a root password or trying to access the root user using the su command.
Moreover, the purpose of the su command is to enable users to temporarily switch to another user account for performing specific tasks that require higher privileges. For instance, a user may want to switch to another user account that has access to a certain file or directory that they don’t have.
However, the su command switches to another user account completely and may not preserve any information about the original user account. This means that once a user switches to another user account using su, they may lose their identity and environment settings. They may also lose track of their current working directory and processes.
4. sudo Command
The sudo command is another way to escalate privileges in Linux systems. sudo stands for superuser do and enables us to execute a single command as another user, usually the superuser:
$ sudo [options] [command]
If we specify no command and use the -i option, the sudo command runs an interactive shell as another user:
$ sudo -i
We’ll be prompted to input our own password (not the root password). If we enter it correctly and are part of the sudoers, we’ll run an interactive shell as the superuser.
The purpose of the sudo command is to enable users to execute specific commands that require higher privileges without switching to another user context completely.
The sudo command differs from the su command in several ways. Firstly, the sudo command doesn’t require the root password for access. Instead, it requires the user’s own password for authentication. This has some importance:
- only users who are authorized to use sudo can execute commands as another user
- the root password isn’t exposed or shared with anyone, which enhances security.
Secondly, the sudo command doesn’t switch to another user account completely. However, it grants temporary and limited superuser privileges to the user.
5. Password Management in sudo
Password management in sudo involves two major mechanisms:
- sudoers file
- password caching
So, let’s discuss each of these mechanism.
5.1. The sudoers File
The sudoers file is a configuration file that defines which users can use sudo and which commands they can execute as another user. It’s located at /etc/sudoers:
$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
...
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
The sudoers file can also define various options and restrictions for each user or command.
5.2. Password Caching
Password caching is another mechanism that affects password management in sudo. It’s a feature that enables a user to enter their own password only once within a certain time period when using sudo.
By default, if a user enters their own password when using sudo for the first time, they don’t need to enter it again for subsequent uses of sudo within 15 minutes. This can be useful for convenience and efficiency purposes.
We can enable or disable password caching by setting the timestamp_timeout option in the sudoers file:
$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
...
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty
...
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
timestamp_timeout=25
...The timestamp_timeout option specifies how long (in minutes) a user’s password is cached by sudo. In this case, the option is set to 25 which means all sudo user passwords are cached for 25 minutes.
Further, this option can be changed to any value according to the needs and preferences of the system administrator. Notably, if we set the timestamp_timeout to a value less than 0, the password doesn’t expire.
6. Common Misconceptions
There are some common misconceptions about the sudo and su commands that may cause confusion or misunderstanding among users and system administrators.
6.1. Different Password
One of these misconceptions is that the sudo password is the same as the root password. However, the sudo password is the same as the user’s own password, not the root password. In practice, sudo doesn’t use the root password for authentication, but the user’s own password.
We’ll only be required to enter the root password when we want to switch to the root user using the su command.
6.2. Unlimited Superuser Privileges
Some users may also think that the sudo command gives a user unlimited superuser privileges. However, sudo only grants temporary and potentially limited superuser privileges to a user depending on the configuration of the sudoers file.
Still, we’ve seen an example where all sudo users execute every command. Yet, we can also grant a specific user to run a specific command as root:
$ sudo cat /etc/sudoers
...
bael ALL = (root) NOPASSWD: /usr/bin/apt-get update
...This line means that the user bael can execute the command /usr/bin/apt-get update as root on any host without entering a password. Also, if we want to require bael to input their password, we can remove the NOPASSWD option.
6.3. su root Isn’t su – root
Also, users may think that the su root command is equivalent to the su – root command.
However, the su root command switches to the root account but preserves the environment variables and settings of the original user account:
$ su root
Password:
# env
SHELL=/bin/bash
...
LOGNAME=bael
...
USER=bael
...
_=/usr/bin/env
In this code snippet, we use the env command to print the list of environment variables. Evidently, when we switch to the root account using su root, we still have our original home directory (/home/bael) and our original environment variables (such as USER=bael).
In contrast, the su – root command switches to the root account but also resets the environment variables and settings to those of the root account:
$ su - root
Password:
# env
SHELL=/bin/bash
...
LOGNAME=root
...
USER=root
...
_=/usr/bin/env
In this case, the home directory is now /root and our environment variables and settings are those of the root account (such as USER=root).
7. Conclusion
In this article, we’ve learned the concept of privilege escalation using the su and sudo commands. We also understood some common misconceptions about these commands and their passwords.