Who is the Superuser (SU)?
The SuperUser (SU) – usually known as root in my Unix-like systems is the first user created at the installation of the Linux system. Users in Linux systems usually have their User ID, known as UID in Linux – this is the ID of each user in the system. Linux recognize user by their ID, so root is the first user which makes it bear the ID 0.
The Superuser has all the privileges in the Linux systems – can create, modify, execute and delete ANY file in the system
How to Use Superuser
It is not safe to root your system, don’t always login as root. Seen couple of friends that rooted their system, making them login as root on system boot with their Desktop Environment. This is not safe, granting all applications root access is not advisable as applications can edit some files without permission and this may damage some system files making it unable to run Linux properly.
SU Command: This command is use to log into the Superuser account in the CommandLine Interface (CLI) and then perform any actions as a Superuser.
But being in the account for a long time, you might sometimes forget to log out leaving the Superuser account logged in and someone somehow seats on your system; he has all access he needs! This is why
sudo command was introduced.
This is a Linux package that runs a command as another user per command and returns back to the currently logged in account. This package mainly is for running commands as root at a time but also supports running it as another user if any provided.
In most Linux Distributions, SUDO comes pre-installed, checking if SUDO is already installed:
$ dpkg -s sudo
$ rpm -qa | grep sudo
Returns the package file name or nothing as not installed
If SUDO is not installed in your system, you can install it using this:
# apt-get install sudo
# yum install sudo
When installation is done, you have SUDO installed successfully!
SUDO configuration files are located at
/etc/sudoers.d. Please do not edit this files with normal text editors like
vim; rather use
visudo which is a package for editing
sudoers file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.
Before we continue, lets look at what the configuration syntax means.
orji ALL=(ALL:ALL) ALL
The configuration is a rule set for the user
First ALL applies to all hosts
Second ALL – Can run command as all user
Third ALL – Can run command as all group
Fourth ALL – Can run all commands
This summarizes that the user
orji can run any command as root as long as he provides his password. Pasting this in the
orji the privilege.
Adding a Group
Similar to giving a user a permission, you can also give same permission to a group. The only thing you will do is adding
% at the beginning of the rule.
%sshusers ALL=(ALL:ALL) ALL
Giving a User Privilege
I have a user who is
ikenna by username and want to give root privilege, it is easy! Just add the user
ikenna to the
sudo group by typing:
# gpasswd -a ikenna sudo
# gpasswd -a ikenna wheel
ikenna will now be able to use full root permission with
sudo because he has been added to the
sudo group. In CentOS, the group name for sudo users is
Giving more Complex Privileges
SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.
You create an array of users, groups or commands into a variable and they are being reference with the variable, below I will show example of giving 2 users privilege of shutting down the system only.
- User_Alias: Use to define variable to hold users
- Cmnd_Alias: Use to define variables to hold commands
- Runas_Alias: Use to define variable to hold list of alias users can run
- Host_Alias: Use to define variable of hosts users can run sudo
Before that, SUDO has a default place permission files can be kept, which is
/etc/sudoers.d. I will be creating a file
group1 and the content is:
User_Alias GROUPONE = ikenna, orji GROUPONE ALL = /sbin/shutdown
From the above configuration, save it and you find out
orji can not run any other command with
You can specify file system groups too:
User_Alias GROUPONE = %ftpgroup, orji, %sshgroup
If I want to allow multiple command, I can create a command alias too:
Cmnd_Alias GONECOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot GROUPONE ALL = GONECOMMAND
Limiting Run as users
Runas_Alias GONERUNAS = www-data, apache GROUPONE ALL = (GONERUNAS) GONECOMMAND
Some Tricks with SUDO
- Switching to Root: If you are given the whole permission in
sudo, you could switch to root itself or any user by typing:
$ sudo su
Switch to the user
$ sudo su donjajo
- Run command as a user or group:
$ sudo -u donjajo ls / $ sudo -g root ls /
With this post, you can understand how Superuser works and its permissions. How to use and setup SUDO package. Good luck!