hiltse.blogg.se

Sudo vs su vs sudo su

The main difference between these commands is in the way they restrict access to their functions.

su (which means "substitute user" or "switch user") does exactly that: it starts another shell instance with the privileges of the target user. To ensure you have the rights to do that, it asks you for the password of the target user. So, to become root, you need to know the root password. If there are several users on your machine who need to run commands as root, they all need to know the root password - note that it'll be the same password. If you need to revoke admin permissions from one of the users, you need to change the root password and tell it only to those people who need to keep access - messy.

sudo (what's the mnemonic? Super-User-DO?) is completely different. It uses a config file (/etc/sudoers) which lists which users have rights to specific actions (run commands as root, etc.). When invoked, it asks for the password of the user who started it - to ensure the person at the terminal is really the same "joe" who's listed in /etc/sudoers. To revoke admin privileges from a person, you just need to edit the config file (or remove the user from a group which is listed in that config). This results in much cleaner management of privileges.

As a result of this, in many Debian-based systems the root user has no password set - i.e. it's not possible to log in as root directly.

Also, /etc/sudoers allows you to specify some additional options - i.e. user X is only able to run program Y, etc.

The often-used sudo su combination works as follows: first sudo asks you for your password, and, if you're allowed to do so, invokes the next command (su) as a super-user.

There is no reason to ever type sudo su except for the situation where one is unfamiliar with the -i and -E options to sudo, or otherwise in the habit of doing things as root without understanding why they're done.

The su command passes through a few hard-coded environment variables (or, on recent Linux, can use -p to pass through the entire environment), while sudo can control exactly which variables pass through (try $DISPLAY for a useful example). The su command can only prompt for the target user's password (assuming a default PAM stack), while sudo can be configured to authenticate as the source or target user, or neither, or always root - and can do so per command. The su command resets $HOME, while sudo can decide based on the ruleset available. And that's one more forked process that doesn't need to exist.

Meanwhile, sudo logs the commands that it runs, so as long as you're not just doing sudo -i or otherwise launching a shell, you can get a way better audit trail with sudo. When you run a command using sudo, it removes both "." and empty elements in $PATH and then checks those last if they were present, preventing people from sticking a shell script named "ls" in /tmp and similar shenanigans.

Basically, sudo su is like nailing one hand behind sudo's back and gaining nothing. :)
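
The audit-trail point above (sudo logs each command it runs, but the trail stops once a shell is launched) can be checked against the logs themselves. The following is an added example, not part of the original post: it parses constructed sample lines in sudo's default syslog format and flags granted entries whose logged command is su or a shell. The host names, user names and the SHELL_LAUNCHERS list are assumptions.

```python
import os
import re

# Constructed sample lines in sudo's default syslog format (not real logs).
SAMPLE_LOG = """\
Mar  3 10:15:42 web01 sudo:      joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:17:05 web01 sudo:      joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/su
Mar  3 10:18:00 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su
Mar  3 10:20:11 web01 sudo:    alice : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Mar  3 10:21:30 web01 sudo:    alice : TTY=pts/1 ; PWD=/srv ; USER=postgres ; COMMAND=/usr/bin/psql -l
Mar  3 10:25:00 web01 sshd[811]: Accepted publickey for joe from 192.0.2.10 port 50222 ssh2
"""

# Granted sudo entries start "user : TTY=..."; denied ones carry a reason
# before TTY= and are deliberately not matched here.
SUDO_LINE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : TTY=.*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)
# Programs that hand over an interactive shell (assumed list, extend per site).
SHELL_LAUNCHERS = {"su", "sh", "bash", "dash", "zsh", "ksh", "fish"}


def parse_sudo_events(log_text):
    """Return one dict (user, target, command) per granted sudo entry."""
    events = []
    for line in log_text.splitlines():
        match = SUDO_LINE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def audit_gaps(events):
    """Return entries after which sudo logs nothing further for that session."""
    gaps = []
    for ev in events:
        parts = ev["command"].split()
        if parts and os.path.basename(parts[0]) in SHELL_LAUNCHERS:
            gaps.append((ev["user"], ev["target"], ev["command"]))
    return gaps


if __name__ == "__main__":
    for user, target, command in audit_gaps(parse_sudo_events(SAMPLE_LOG)):
        print(f"{user} -> {target}: audit trail ends at '{command}'")
```

Both sudo su and sudo -i show up this way: the log records only the su or shell binary, and nothing typed inside that shell reaches sudo's log.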





