sudo and su
Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi user environment with a mix of server and workstations. Simply call the command with sudo:
sudo /etc/init.d/dhcpd restart # Run the rc script as root sudo -u sysadmin whoami # Run cmd as an other user
Configuration
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands # In /etc/sudoers
users
one or more users or %group (like %wheel) to gain the rightshosts
list of hosts (or ALL)runas
list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!commands
list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as alias, they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups. Here a sudoers example:
cat /etc/sudoers
# Host aliases are subnets or hostnames.Host_Alias DMZ = 212.118.81.40/28 Host_Alias DESKTOP = work1, work2 # User aliases are a list of users which can have the same rights User_Alias ADMINS = colin, luca, admin User_Alias DEVEL = joe, jack, julia Runas_Alias DBA = oracle,pgsql # Command aliases define the full path of a list of commands Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/ Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd! Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap # The actual rules root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password. DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full right on desktops DEVEL DMZ = (ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers. # User sysadmin can mess around in the DMZ servers with some commands. sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ. %dba ALL = (DBA) ALL # Group dba can run as database user. # anyone can mount/unmount a cd-rom on the desktop machines ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.
PAM is used to set the policy su(1) will use. In particular, by default only users in the wheel group can switch to UID 0 (root). This group requirement may be changed by modifying the pam_group
section of /etc/pam.d/su. See pam_group for details on how to modify this setting.
By default, the environment is unmodified with the exception of USER, HOME, and SHELL. HOME and SHELL are set to the target login’s default values. USER is set to the target login, unless the target login has a
user ID of 0, in which case it is unmodified. The invoked shell is the one belonging to the target login. This is the traditional behavior of su. Resource limits and session priority applicable to the original user’s login class (see login.conf(5)) are also normally retained unless the target login has a user ID of 0.
The options are as follows:
-
-f
If the invoked shell is csh(1), this option prevents it from reading the “.cshrc” file. -
-l
Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as above. USER is set to the target login. PATH is set to/bin:/usr/bin. TERM is imported from your current environ- ment. Environment variables may be set or overridden from the
login class capabilities database according to the class of the target login. The invoked shell is the target login’s, and su will change directory to the target login’s home directory. Resource limits and session priority are modified to that for the target account’s login class. -
-
(no letter) The same as -l. -
-m
Leave the environment unmodified. The invoked shell is your login shell, and no directory changes are made. As a security precaution, if the target user’s shell is a non-standard shell (as defined bygetusershell(3)) and the caller’s real uid is non- zero, su will fail. -
-s
Set the MAC label to the user’s default label as part of the user credential setup. Setting the MAC label may fail if the MAC label of the invoking process is not sufficient to transition to the user’s default MAC label. If the label cannot be set, su will fail. -
-c
class Use the settings of the specified login class. Only allowed for the superuser.
The -l (or -) and -m options are mutually exclusive; the last one specified overrides any previous ones.
If the optional args are provided on the command line, they are passed to the login shell of the target login. Note that all command line arguments before the target login name are processed by su itself, everything
after the target login name gets passed to the login shell.
By default (unless the prompt is reset by a startup file) the superuser prompt is set to # to remind one of its awesome power.
ENVIRONMENT
Environment variables used by su:
-
HOME
Default home directory of real user ID unless modified as specified above -
PATH
Default search path of real user ID unless modified as specified above. -
TERM
Provides terminal type which may be retained for the substituted user ID. -
USER
The user ID is always the effective ID (the target user ID) after an su unless the user ID is 0 (root). -
FILES
/etc/pam.d/su PAM configuration for su.
EXAMPLES
su man -c catman
Runs the command catman as user man. You will be asked for man’s password unless your real UID is 0.
su man -c ‘catman /usr/share/man /usr/local/man /usr/X11R6/man’ Same as above, but the target command consists of more than a single word and hence is quoted for use with the -c option being
passed to the shell. (Most shells expect the argument to -c to be a single word). su -c staff man -c, catman /usr/share/man /usr/local/man /usr/X11R6/man Same as above, but the target command is run with the resource limits of the login class staff. Note: in this example, the first -c option applies to su while the second is an argument to the shell being invoked.
su -l foo #Simulate a login for user foo. su - foo #Same as above. su - #Simulate a login for root.Also tagged su