How does Sudo work on Linux/Unix for Privilege management?

There are two ways to elevate your privileges on Linux/Unix. You can either log in as the root or superuser, or you can use sudo. The former is not recommended, as it violates the principle of least privilege. The latter is a more secure approach, as it allows for granular access control – and individual accountability.

Sudo is short for superuser do. It’s a tool that elevates a user’s privileges to execute sensitive commands, e.g. installing or updating a package, disabling a network interface, performing a restart, stopping the firewall daemon or modifying the crontab. The sudo utility is available across all Linux distributions, including Ubuntu, Debian, RedHat Enterprise and Fedora.

Sudo management is a technique to restrict and manage privileged access, using sudo configuration files. Administrators can either use a single configuration file (/etc/sudoers), or create multiple per-user configuration files inside the /etc/sudoers.d directory.

These configuration files contain rules that govern which users can execute which commands with root privileges. They also contain other configurable parameters, like whether to require a password for authentication, a list of applicable hostnames and networks, and where to report incorrect password attempts

Adding the sudo keyword before a command instructs the operating system to execute it as the root user. Here’s how a typical sudo command is run:

• Read the /etc/sudoers file, and any files in the /etc/sudoers.d directory to retrieve the permissions of the user executing the command
• If the permissions allow the user to run the entered command, continue. Otherwise, abort
• If configured, ask the user for a password
• Create a new child process
• Inside the child process, invoke the given command as the root user

1. Create a new account using the following command:
  sudo adduser alex


Follow on-screen prompts to set the password and other information for the user.

2. Run this command to add the user to the list of sudoers.
  usermod -aG sudo alex

That’s it. The user has been granted sudo privileges. In the next section, we will talk about assigning the relevant permissions to the user.

Linux privilege management is a means to protect security-critical assets and operations from unauthorized access. It ensures that only the required people can interact with the root file system, kernel and core services.

Sudo configuration files are a good way to implement privilege access management (PAM) in Linux. Through rules defined within these files, administrators can assign granular privileges to users and user groups. For example, they can grant a production engineer the rights to restart a core service using sudo. Or they can create a user group for network engineers, and allow them to execute networking related commands as the super-user.

1. To let a user named “alex” restart the postgres service as the root user, add the following entry to the sudo configuration file:
  alex ALL=(ALL) /bin/systemctl restart postgresd


2. To allow Alex to execute a list of commands, use this syntax:
  alex ALL=(ALL) command1, command2, command3


3. To allow a group named sysadmins to assume root privileges:
  %sysadmins ALL=(ALL) ALL

Assigning user-level privileges using sudo ensures that nobody has more permissions than they need.

The su command in Linux is used to switch to a different user account. For example, if you enter the command su bob, you will be prompted for Bob’s password. If you enter the correct password, you will switch over to Bob’s account.

If you don’t specify a username after the keyword su, it is assumed to be root, and you are prompted for the root user password. Since the commands sudo and su have overlapping functionalities and similar syntax, Linux users are often confused about their usage.

Both allow regular users to assume root privileges. Sudo does it by temporarily granting those privileges on a per-command or per-user basis, whereas su does it by letting a regular user be the root user, whenever needed.

It’s considered a best practice to never use su to grant root privileges, as sharing root credentials is not a good idea. Instead, use sudo to assign bare-minimum permissions to only the required users, as and when necessary.