On most Linux systems, there are two basic types of user accounts: The root user (which also is called the “super user”) and the normal user.
The root user account is a special account that has full access to any program and all files on the system. A normal user account only has access to his/her own home directory, any commonly accessible programs and files and potentially any programs and files the user has been granted access to (by the root user).
This implies that there are programs and files to which a normal user does not have access by default. For example, a normal user can’t use the apt-get and dpkg package manager tools for installing or updating packages on a Debian/Ubuntu system. This type of user also can’t edit any global configuration files located in the “/etc” directory. There are many other situations just like these examples.
To allow normal users to do certain tasks with root user privileges, without giving them the root password, we can use the sudo tool.
With sudo, it is possible to grant users access to certain commands on certain hosts or simply grant them access to all that the root user can do. Sudo also logs every executed command to a log file (/var/log/auth.log), so the system administrator can keep an eye on what is done with sudo.
To learn how to configure sudo for certain users and with certain restrictions, see these tutorials:
- How to Edit the Sudoers File on Ubuntu and CentOS
- How to Add, Delete, and Grant Sudo Privileges to Users on a Debian VPS
To find out exactly what sudo permissions you have on your system, run the following command:
This could result in the following output for the example user “john” on the “server1” host:
Matching Defaults entries for john on server1: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin User john may run the following commands on server1: (ALL : ALL) ALL
The last line means this user can execute sudo on all hosts as any target user for any command.
Sudo Command Options
This is a summary of the sudo command options we will use in this tutorial:
- -l: list the permissions of the sudo invoking user
- -u: run command as another user
- -e: edit one or more files instead of executing a command
- sudoedit is an alias for “sudo -e”
Sudo Command Examples
To run commands as the root user, you would use the following syntax:
Lets install the “git” version control software using apt-get package manager. If we were to try this without using sudo:
apt-get install git
We would get this error message:
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied) E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
However, if we now add the sudo command before our previous command, we will get asked to fill in our own password first, after which the system will execute our command with the root user privileges:
sudo apt-get install git
With sudo, we also can run commands as a user other than root by using the -u option. This can be useful in cases when certain programs expect a certain user environment (i.e. for the mysql or postgres database users). The syntax for doing that is:
sudo -u username command
To run desktop (graphical windowing) applications as another user, we need to use the gksu command.
For example, we would open synaptic (the Debian/Ubuntu package manager frontend) like this from the command line (instead of going through the desktop menu system):
You would be prompted to enter your password in a graphical window, after which the command begin execution.
To edit a file as the root user instead of executing a command:
sudo -e /etc/hostname
You could have used the sudoedit command, which is simply a shortcut for sudo -e.
Note that you can change the editor used as described here.
Alternatively you also could simply have executed your favorite editor:
sudo vim /etc/hostname
If you need to have root privileges for many different commands, sometimes it can be useful to become the root user. This command will only work if the invoking user has the rights for executing the su command (also referred to as substitute user, super user, or switch user). By default, without any other command line argument, this will elevate the current user to the root user of the local system.
Now you can do a series of tasks that require root user privileges. Be careful, however, not to wreak havoc with these persistent superpowers.