Introduction
In Linux systems, not all operations can be performed by regular users. Some critical operations (such as installing software, modifying system configurations, and managing services) require superuser (root) privileges.
However, operating directly as root is highly risky; a single mistake can lead to system failure.
Therefore, Linux provides a safer solutionβsudo. With the <span>sudo</span> command, regular users can perform privileged operations within a controlled scope, ensuring both safety and flexibility.
1. Obtaining Superuser Access
The highest privilege account in Linux is the root user, with a UID of 0. It has complete control over the system, including user management, file modification, and system settings.
If a regular user wants to obtain root privileges, there are mainly two methods:
β Method 1: Switch to the root user using su
su - # Switch to root user, requires root password
su - username # Switch to specified user (enter corresponding user password)
π Note:
- The su (switch user) command can switch to other users.
- Adding the – option loads the target user’s environment variables.
- When switching to root with su -, the prompt changes to #, indicating that you are in the highest privilege level.
β οΈ Caution:
- su requires the root user’s password.
- If the administrator has not provided the root password to regular users, this method will be unavailable.
β Method 2: Use sudo to execute privileged commands
sudo command # Execute specified command with root privileges
sudo -i # Open a shell environment with root privileges
sudo -u user cmd # Execute command as specified user
π Note:
- sudo is the recommended method for privilege escalation, being safer than su.
- It controls who can use sudo and which commands can be executed through the configuration file /etc/sudoers.
- Using sudo will prompt for the current user’s password (not the root password).
π§© Practical Example:
Assuming the regular user student needs to install a software package:
sudo dnf install vim # Execute installation with root privileges
During command execution, the system will prompt for the student user’s password, and it will check in <span>/etc/sudoers</span> whether the student has permission to execute that command.
π Security Tip: All operations using sudo are logged in <span>/var/log/secure</span>, facilitating auditing and tracking by administrators.
2. sudo Configuration File and Rules
The sudo configuration file is located at <span>/etc/sudoers</span>, which defines which users can execute which commands as what identities.
β οΈ Directly editing <span>/etc/sudoers</span> may cause the system to lock up; always use the safe command:
sudo visudo
This command automatically checks for syntax errors upon saving.
π Basic Syntax of the sudoers File
User Host = (Switch Identity) Command List
For example:
root ALL=(ALL) ALL
student ALL=(ALL) /usr/bin/dnf, /usr/bin/systemctl
π Explanation:
<span>root ALL=(ALL) ALL</span>: The root user can execute any command on any host.<span>student ALL=(ALL) /usr/bin/dnf</span>,<span>/usr/bin/systemctl</span>: Indicates that the user student can execute the<span>dnf</span>and<span>systemctl</span>commands.
π§ Granting a User Full sudo Privileges
If you want a user to have complete root privileges, you can add the following to the sudoers file:
student ALL=(ALL) ALL
At this point, the <span>student</span> user can execute any command simply by prefixing it with <span>sudo</span>.
π Restricting a User to Execute Specific Commands Only
For example, to restrict the user devops to only restart services:
devops ALL=(ALL) /usr/bin/systemctl restart nginx
At this point, the <span>devops</span> user cannot perform other root-level operations, thus enhancing security.
π§© Practical Example: Editing sudoers to Add Custom Rules
sudo visudo
# Add the following at the end of the opened file:
student ALL=(ALL) ALL
After saving, the regular user student can use sudo to execute system commands.
Verifying the Effect:
sudo whoami # Execute as root, output "root"
π Note: <span>sudo visudo</span> performs syntax checks upon saving, effectively preventing misconfigurations that could render sudo unusable.
3. wheel Group and sudo Group
The management of sudo privileges varies slightly across different Linux distributions.
Typically, joining specific system groups (such as wheel or sudo) automatically grants sudo privileges.
1οΈβ£ wheel Group (CentOS / RHEL Series)
In systems like Red Hat, CentOS, and Rocky, the following configuration exists in <span>/etc/sudoers</span>:
%wheel ALL=(ALL) ALL
π Explanation:
- The % sign indicates a group name.
- It means that all users belonging to the wheel group can use sudo to execute any command.
To grant a user sudo privileges, simply add them to the wheel group:
sudo usermod -aG wheel student # Add student to the wheel group
Verifying Permissions:
sudo whoami # Output root
2οΈβ£ sudo Group (Ubuntu / Debian Series)
In Ubuntu, the corresponding group name is sudo:
%sudo ALL=(ALL:ALL) ALL
π Note:
- This serves the same purpose as the wheel group in CentOS.
- When creating a new user, if you add the –groups sudo parameter, they will automatically receive sudo privileges.
Example:
sudo usermod -aG sudo student
After this, the student can execute commands via sudo without modifying the sudoers file.
π§© Practical Example: Granting a User sudo Privileges
sudo useradd testuser -m # Create user
sudo passwd testuser # Set password
sudo usermod -aG wheel testuser # Grant sudo privileges (CentOS)
# Or in Ubuntu use:
# sudo usermod -aG sudo testuser
su - testuser # Switch to new user
sudo whoami # Output root indicates privileges are effective
π Note: This method is safer and more maintainable than manually editing the sudoers file.
Conclusion
In this chapter, we learned three key aspects of obtaining superuser privileges in Linux:
- The differences and usage scenarios of su and sudo
- The sudoers configuration file and permission rules
- The mechanisms and management methods of the wheel group and sudo group
By mastering these concepts, you can safely use root privileges while efficiently completing system management tasks and protecting system security.