If you are using a system configured to use individual user accounts for each user then you may find yourself needing more access than your account provides.
If you aren’t, and you and other users are logging in as root to administer your server, then we’d strongly recommend that you rethink that policy.
If you are, then there are two useful options that will enable you to administer the server without needing to log in as root. Firstly the switch user (su) command which enables you to change your session from your user account to an alternate user, and secondly switch user do (sudo) which enables you to perform a specific command as another user. Both options work slightly differently, so we’ll explain them both in a little more detail.
Su will change your login session to the specified user, or if no user is specified, it will change your session to the root user. To use this you need to know the password of the user whose account you intend to use. There are a few helpful to know options for su that can make life easier.
The -l flag will set the environment variables for the session to match those of the user you are logging in as. This is helpful if you are changing to a user account of a specific daemon to see why it may have some issues.
The -c flag will run a single command and drop you back to your existing shell session. The downside to this is that it can only run programs that don’t require any interaction from the user as you will not receive an interactive shell. So, if the program pauses for input then it will not complete.
So some examples, first to restart the apache web server in CentOS:
su -c ‘/etc/init.d/httpd restart’
Secondly, to get a terminal session as the user Alice with their environment variables…
su -l alice
Unlike su, while sudo will perform the provided command with the rights of the provided user, it asks for your user password rather than the target user’s password. So rather than using the password of the requested user to prevent unauthorised access sudo uses a configuration file /etc/sudoers to specify which commands a user can run and whether they need to enter their password or not.
There are a couple of handy flags to know:
The -i flag creates an interactive shell, essentially mirroring the use of su -l.
sudo -u <username>
In order to sudo as another user you need to use the -u flag and replace <username> with the username of the target user.
So to our examples, we’ll repeat the same examples used for su. Firstly to restart the apache web server in CentOS…
sudo /etc/init.d/httpd restart
Secondly, to get a terminal session as the user Alice with their environment variables:
sudo -i -u alice
While both commands have more options and abilities, what is shown here should cover a large quantity of use cases that you should come across. But by no means have I listed all the options available.
Lastly, we come to the /etc/sudoers file, which you will need to edit to enable users to get some access to use the sudo command. In this file ALL is a special term that means pretty much exactly what it says. By default you will see in the file a line such as…
root ALL=(ALL:ALL) ALL
This means that the root user has access on all servers in this group to sudo as all users and can run all commands, the format of the lines is:
user/group server=(usernames to run as) options command
The options are ironically optional and written in allcaps followed by a colon, for example NOPASSWD: means that the user won’t need to enter a password. Here’s another default line:
%admin ALL=(ALL) ALL
This line means that any users that are in the admin group have access to sudo as all users and run all commands. Note the % at the start of the line denotes that the following name is a group name for the purposes of permissions rather than a username.
Now to show a few examples of the sorts of thing you can do:
alice ALL= NOPASSWD: /sbin/shutdown
This allows Alice to use the shutdown command without being prompted for a password.
bob ALL= NOEXEC: /root/scriptthatneedsroot
This allows Bob to run a script in his root’s home directory that may need root privileges, but the NOEXEC flag prevents Bob from obtaining a root shell from it.
%sysad ALL=(bob) NOPASSWD: /bin/kill,/bin/cat
This command allows members of the sysad group to kill programs started by Bob and cat files owned by Bob. In order to use it, relevant users would need to use “sudo -u bob” as by default with no arguments, it would attempt to run the command as root and deny access.
As can be seen, with sudoers it’s possible to allow users pretty fine-grained access to other areas of the system without needing to grant full root user privileges. Again this is by no means an exhaustive list or explanation, and a look at the /etc/sudoers man page or sudo.ws will help you gain further insight into the possibilities. Again I shall reiterate the security recommendation that users should only be given the minimum required permissions to perform their tasks, but with care and planning, this can be easily achieved on a Linux system.Save this article