Understanding SU – Installing and Configuring SUDO

Who is the Superuser (SU)?

The SuperUser (SU) – usually known as root in my Unix-like systems is the first user created at the installation of the Linux system. Users in Linux systems usually have their User ID, known as UID in Linux – this is the ID of each user in the system. Linux recognize user by their ID, so root is the first user which makes it bear the ID 0.

The Superuser has all the privileges in the Linux systems – can create, modify, execute and delete ANY file in the system

How to Use Superuser

It is not safe to root your system, don’t always login as root. Seen couple of friends that rooted their system, making them login as root on system boot with their Desktop Environment. This is not safe, granting all applications root access is not advisable as applications can edit some files without permission and this may damage some system files making it unable to run Linux properly.

SU Command: This command is use to log into the Superuser account in the CommandLine Interface (CLI) and then perform any actions as a Superuser.

But being in the account for a long time, you might sometimes forget to log out leaving the Superuser account logged in and someone somehow seats on your system; he has all access he needs! This is why


command was introduced.


This is a Linux package that runs a command as another user per command and returns back to the currently logged in account. This package mainly is for running commands as root at a time but also supports running it as another user if any provided.

Installing SUDO

In most Linux Distributions, SUDO comes pre-installed, checking if SUDO is already installed:


$ dpkg -s sudo

Red Hat/CentOS:

$ rpm -qa | grep sudo

Returns the package file name or nothing as not installed

If SUDO is not installed in your system, you can install it using this:


# apt-get install sudo

Red Hat/CentOS

# yum install sudo

When installation is done, you have SUDO installed successfully!

Configuring SUDO

SUDO configuration files are located at




. Please do not edit this files with normal text editors like




; rather use


which is a package for editing


file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.

Before we continue, lets look at what the configuration syntax means.


The configuration is a rule set for the user


First ALL applies to all hosts
Second ALL – Can run command as all user
Third ALL – Can run command as all group
Fourth ALL – Can run all commands

This summarizes that the user


can run any command as root as long as he provides his password. Pasting this in the




the privilege.

Adding a Group

Similar to giving a user a permission, you can also give same permission to a group. The only thing you will do is adding


at the beginning of the rule.

%sshusers ALL=(ALL:ALL) ALL

Giving a User Privilege

I have a user who is


by username and want to give root privilege, it is easy! Just add the user


to the


group by typing:


# gpasswd -a ikenna sudo

Red Hat/CentOS

# gpasswd -a ikenna wheel

The user


will now be able to use full root permission with


because he has been added to the


group. In CentOS, the group name for sudo users is


Giving more Complex Privileges

SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.

You create an array of users, groups or commands into a variable and they are being reference with the variable, below I will show example of giving 2 users privilege of shutting down the system only.

  • User_Alias: Use to define variable to hold users
  • Cmnd_Alias: Use to define variables to hold commands
  • Runas_Alias: Use to define variable to hold list of alias users can run
  • Host_Alias: Use to define variable of hosts users can run sudo

Before that, SUDO has  a default place permission files can be kept, which is


. I will be creating a file


and the content is:

User_Alias  GROUPONE = ikenna, orji

GROUPONE    ALL = /sbin/shutdown

From the above configuration, save it and you find out




can not run any other command with





You can specify file system groups too:

User_Alias  GROUPONE = %ftpgroup, orji, %sshgroup

If I want to allow multiple command, I can create a command alias too:

Cmnd_Alias  GONECOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot

Limiting Run as users

Runas_Alias GONERUNAS = www-data, apache

Some Tricks with SUDO

  • Switching to Root: If you are given the whole permission in

    , you could switch to root itself or any user by typing:

    $ sudo su

    Switch to the user

    $ sudo su donjajo
  • Run command as a user or group:
    $ sudo -u donjajo ls /
    $ sudo -g root ls /


With this post, you can understand how Superuser works and its permissions. How to use and setup SUDO package. Good luck!