There are two ways to elevate your privileges on Linux/Unix. You can either log in as the root or superuser, or you can use sudo. The former is not recommended, as it violates the principle of least privilege. The latter is a more secure approach, as it allows for granular access control – and individual accountability.
Sudo is short for superuser do. It’s a tool that elevates a user’s privileges to execute sensitive commands, e.g. installing or updating a package, disabling a network interface, performing a restart, stopping the firewall daemon or modifying the crontab. The sudo utility is available across all Linux distributions, including Ubuntu, Debian, RedHat Enterprise and Fedora.
Sudo management is a technique to restrict and manage privileged access, using sudo configuration files. Administrators can either use a single configuration file (/etc/sudoers), or create multiple per-user configuration files inside the /etc/sudoers.d directory.
These configuration files contain rules that govern which users can execute which commands with root privileges. They also contain other configurable parameters, like whether to require a password for authentication, a list of applicable hostnames and networks, and where to report incorrect password attempts
Adding the sudo keyword before a command instructs the operating system to execute it as the root user. Here’s how a typical sudo command is run:
Follow on-screen prompts to set the password and other information for the user.
That’s it. The user has been granted sudo privileges. In the next section, we will talk about assigning the relevant permissions to the user.
Linux privilege management is a means to protect security-critical assets and operations from unauthorized access. It ensures that only the required people can interact with the root file system, kernel and core services.
Sudo configuration files are a good way to implement privilege access management (PAM) in Linux. Through rules defined within these files, administrators can assign granular privileges to users and user groups. For example, they can grant a production engineer the rights to restart a core service using sudo. Or they can create a user group for network engineers, and allow them to execute networking related commands as the super-user.Let’s look at a few sample rules:
Assigning user-level privileges using sudo ensures that nobody has more permissions than they need.
The su command in Linux is used to switch to a different user account. For example, if you enter the command su bob, you will be prompted for Bob’s password. If you enter the correct password, you will switch over to Bob’s account.
If you don’t specify a username after the keyword su, it is assumed to be root, and you are prompted for the root user password. Since the commands sudo and su have overlapping functionalities and similar syntax, Linux users are often confused about their usage.
Both allow regular users to assume root privileges. Sudo does it by temporarily granting those privileges on a per-command or per-user basis, whereas su does it by letting a regular user be the root user, whenever needed.
It’s considered a best practice to never use su to grant root privileges, as sharing root credentials is not a good idea. Instead, use sudo to assign bare-minimum permissions to only the required users, as and when necessary.