Difference Between su and sudo and How to Configure sudo in Linux


A Linux system is much more secure than any of its counterparts. One of the ways security is implemented in Linux is through the user management policy and user permissions. Normal users are not authorized to perform any system operations.

If a normal user needs to make any system-wide changes, he needs to use either the ‘su’ or the ‘sudo’ command.


NOTE – This article applies mainly to Ubuntu-based distributions, but also to most of the popular Linux distributions.

‘su’ Vs ‘sudo’

‘su’ forces you to share your root password with other users, whereas ‘sudo’ makes it possible to execute system commands without the root password. ‘sudo’ lets you use your own password to execute system commands, i.e., it delegates system responsibility without the root password.

What is ‘sudo’?

‘sudo’ is a setuid root binary, which executes root commands on behalf of authorized users. The users need to enter their own password to execute a system command prefixed with ‘sudo’.

Who can execute ‘sudo’?

We can run ‘/usr/sbin/visudo’ to add/remove the list of users who can execute ‘sudo’.

$ sudo /usr/sbin/visudo

A screenshot of the ‘/usr/sbin/visudo’ file looks something like this:

[Screenshot: su-vs-sudo]

By default, the sudo list looks like the string below:

root ALL=(ALL) ALL

Note: You must be root to edit the /usr/sbin/visudo file.

Granting sudo Access

In many situations, a System Administrator, especially one new to the field, takes the string “root ALL=(ALL) ALL” as a template and grants unrestricted access to others, which may be potentially very harmful.

Editing the ‘/usr/sbin/visudo’ file to something like the pattern below may be very dangerous, unless you trust all the listed users completely.

root ALL=(ALL) ALL
adam ALL=(ALL) ALL
tom ALL=(ALL) ALL
mark ALL=(ALL) ALL

Parameters of sudo

A properly configured ‘sudo’ is very flexible, and the commands that a user may run can be configured precisely.

The syntax of a configured ‘sudo’ line is:

User_name Machine_name=(Effective_user) command

The above syntax can be divided into four parts:

  1. User_name: This is the name of the ‘sudo’ user.
  2. Machine_name: This is the host name on which the ‘sudo’ command is valid. Useful when you have lots of host machines.
  3. (Effective_user): The ‘effective users’ that are allowed to execute the commands. This column lets you allow users to execute system commands.
  4. Command: The command or set of commands which the user may run.

Some situations and their corresponding ‘sudo’ lines:

Q1. You have a user mark who is a Database Administrator. You are supposed to give him full access on the Database Server (beta.database_server.com) only, and not on any other host.

For the above situation the ‘sudo’ line can be written as:

mark beta.database_server.com=(ALL) ALL

Q2. You have a user ‘tom’ who is supposed to execute system commands as a user other than root on the same Database Server explained above.

For the above situation the ‘sudo’ line can be written as:

mark beta.database_server.com=(tom) ALL

Q3. You have a sudo user ‘cat’ who is supposed to run the command ‘dog’ only.

To implement the above situation, we can write the ‘sudo’ line as:

mark beta.database_server.com=(cat) dog

Q4. What if the user needs to be granted several commands?

If the number of commands the user is supposed to run is under 10, we can place all the commands on one line, separated by commas, as shown below:

mark beta.database_server.com=(cat) /usr/bin/command1, /usr/sbin/command2, /usr/sbin/command3 ...

If the list of commands grows to the point where it is not practical to type each command manually, we need to use aliases. Aliases! Yes, the Linux facility where a long command or a list of commands can be referred to by a short and easy keyword.

A few alias examples, which can be used in place of entries in the ‘sudo’ configuration file:

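User_Alias ADMINS=tom,jerry,adam
User_Alias WEBMASTERS=henry,mark
# WEBSERVERS (a Host_Alias) and APACHE (a Cmnd_Alias) must be defined in the same way
WEBMASTERS WEBSERVERS=(www) APACHE
Cmnd_Alias PROCS=/bin/kill,/bin/killall, /usr/bin/top

It is possible to specify a system group in place of users, so that the entry applies to the users that belong to that group, just by prefixing the group name with ‘%’ as below: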

%apacheadmin WEBSERVERS=(www) APACHE

Q5. How about executing a ‘sudo’ command without entering a password?

We can execute a ‘sudo’ command without entering a password by using the ‘NOPASSWD’ flag.

adam ALL=(ALL) NOPASSWD: PROCS

Here the user ‘adam’ can execute all the commands aliased under “PROCS”, without entering a password.
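A small audit of the kinds of entries discussed above, as an added example that is not part of the original article: it parses a simplified subset of the syntax (one specification per line, no line continuations) and flags unrestricted grants, NOPASSWD tags, and commands that are neither absolute paths nor defined Cmnd_Alias names. The function name `audit` and the `SAMPLE` text are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the entries shown in this article.
SAMPLE = """\
root ALL=(ALL) ALL
adam ALL=(ALL) ALL
Cmnd_Alias PROCS=/bin/kill,/bin/killall, /usr/bin/top
adam ALL=(ALL) NOPASSWD: PROCS
mark beta.database_server.com=(cat) dog
%apacheadmin WEBSERVERS=(www) APACHE
"""

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=")
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG_RE = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV))\s*:\s*")


def audit(text):
    """Return (line_no, who, finding) tuples for risky entries, in file order."""
    cmnd_aliases, specs, findings = set(), [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            if alias.group(1) == "Cmnd":
                cmnd_aliases.add(alias.group(2))
            continue
        spec = SPEC_RE.match(line)
        if spec:
            specs.append((no, *spec.groups()))
    # Second pass, so an alias defined after its first use still resolves.
    for no, who, host, runas, cmds in specs:
        run_user = (runas or "root").split(":")[0].strip()  # no (..) means root
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            tag = TAG_RE.match(cmd)
            if tag:
                cmd = cmd[tag.end():]
                if tag.group(1) == "NOPASSWD":
                    findings.append((no, who, "NOPASSWD: no password prompt"))
            name = cmd.split()[0] if cmd else ""
            if name == "ALL":
                if who != "root" and host == "ALL" and run_user in ("ALL", "root"):
                    findings.append((no, who, "any command as root on any host"))
            elif not name.startswith("/") and name not in cmnd_aliases:
                findings.append((no, who, f"{name!r} is not an absolute path or a defined Cmnd_Alias"))
    return findings
```

Calling `audit(SAMPLE)` reports lines 2, 4, 5 and 6 of the sample; the root entry on line 1 is deliberately not flagged.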

“sudo” provides you with a robust and safe environment with loads of flexibility as compared to ‘su’. Moreover, “sudo” configuration is easy. Some Linux distributions have “sudo” enabled by default, while most of today's distros need you to enable it as a security measure.

To add a user (bob) to sudo, just run the command below as root.

adduser bob sudo

That’s all for now. I’ll be here again with another Interesting article. Till then stay tuned and connected to Tecmint. Don’t forget to provide us with your valuable feedback in our comment section.

I am a major in computer science, love to research nix. I love to write codes and scripts, review distros, experiment Foss Technologies, write technical articles, Hack, of course Ethically. I am working as System Administrator (nix) for a NGO.


14 Responses

  1. Manoj says:

    Hello Sir,

    Thanks for this article, because I thought that both are the same, but this article made the difference between both clear to me.

    Regards,

    Manoj

    • Avishek Kumar says:

      Dear Manoj,
      It was very pleasing to know our posts helped you.

      Keep connected to Tecmint for more such posts.
      Refer to your friends and colleagues.

  2. Quovadis says:

    If a newbie asks me what is different between su and sudo, I simply answer that su requires the root password whereas sudo requires your current password. :D

    • Avishek Kumar says:

      Dear Quovadis,
      We prepare our posts after several hours of study, research and testing before making them available to you. Our posts are for newbies as well as advanced users. Actually, we write our content from every possible user perspective.

      Keep connected to Tecmint for such detailed posts.

  3. Gurdip says:

    Plz provide video tutorial

  4. Manoj says:

    Dear Sir,

    I have a query. It’s not related to this post.

    How to assign hard quota to limited user in centos/Ubuntu ?

    Kindly let us know about this.

    Thanks,
    Manoj Gupta

  5. Rodrigo Gonzalez says:

    One comment about the article: you don't need the root password to use su

    su default is root but not only that

    if I want to change my user id to become user test I run

    su test

    and I need test user password not root password

    Best regards

    Rodrigo Gonzalez

  6. Tomas says:

    What a misleading article name that is.

    You use “sudo” when you need to execute a command as a superuser. You use “su” when you want to switch to another user’s account, or, execute a command AS another user, not necessarily a superuser.

    Saying that “su forces you to share your root password to other users whereas sudo makes it possible to execute system commands without root password” shows you having no idea what the real purpose (and the difference) is.

    • old486whizz says:

      1. I read as far as the second mention of “editing the /usr/sbin/visudo file” .. The file you are editing is in fact /etc/sudoers. /usr/sbin/visudo is the binary you are running.

      2. As has been pointed out, su is mainly used to switch to another user’s shell. sudo is mainly there for scripts, but it also allows you to centralize configuration and as you describe, no additional password requirements.
      You can do with sudo exactly the same as you would with su ([sudo -u $newuser -i] for example is the same as [su - $newuser] – although you have to be wary of some environment variables).

      3. sudo may or may not be SUID (as SELinux becomes more popular, the settings are actually going in there rather than SUID).

      4. “Parameters of sudo” looks like it should actually be “Syntax of sudoers file” or “Syntax of sudo config”… Parameters are what you pass on the command line.

      5. adduser instead of useradd? You must really only know specific linux’s as useradd is the traditional Unix command (and adduser is actually a symbolic link to the correct useradd command… no idea why)

      6. It doesn’t look like you’ve stated you always need to use the full path name to the binary in the config file (dog will not do – it has to be /path/to/dog).

      7. “Linux System is much secured than any of its counterpart.” – I’m pretty sure several BSD fanatics will disagree with you there. BSD (kernel) is built with security more in mind – Linux (kernel) is built with more compromises and different ideals.

    • n0neXn0ne says:

      @Tomas

      In his context, Technically he is correct.

      From su man page
      su(1)

      su – change user ID or become superuser

  7. Victor says:

    I agree with Tomas,

    su means Substitute User. So we can use su to switch user temporarily. In this way we can switch to root user. The sudo one gives temporarily root privileges, using the normal user password.

    I really do not understand this article :(.

  8. Albarki says:

    Can you clarify Q2 please, because it is not clear. Thanks.

This work is licensed under a (cc) BY-NC.
© 2012-2014 All Rights Reserved.