I have always confused the two commands su and sudo. Recently I looked into this specifically, and finally figured out the relationship between the two and how each is used. This article summarizes them systematically.
1. Preparation
Because this post involves switching users, I need to prepare a few test users in advance so that the later switching is easy to follow.
The command to create a new user in Linux is useradd. Usually the directory containing this command is in the PATH environment variable; if typing useradd directly does not work, use the absolute path: /usr/sbin/useradd.
The useradd command can only be executed by the root user, so we first switch from the ordinary user ubuntu to root (how to switch is described later):
ubuntu@VM-0-14-ubuntu:~$ su -
Password:                                   # Enter the root login password
root@VM-0-14-ubuntu:~# useradd -m test_user  # With the -m parameter (creates the home directory)
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu                            # Two users now exist under /home
Because the new user test_user has not yet been given a login password, we cannot switch from the ordinary user ubuntu to test_user. So next, as root, we set test_user's login password with the passwd command:
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password:          # Type test_user's password
Retype new UNIX password:
passwd: password updated successfully
root@VM-0-14-ubuntu:~#
Then we type exit to leave the root user and return to the normal user ubuntu:
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
As you can see, the prompt changes from root back to ubuntu, which means our current identity is the ubuntu user.
2. su command introduction and main usage
First, I need to explain what su means.
I always thought su stood for super user; only after consulting the documentation did I learn that it actually stands for switch user.
Once you know what su is short for, the function it provides is obvious: switching users.
2.1 The - parameter
The general usage of su is:
su <user_name>
or
su - <user_name>
The two forms differ by only one character, -, but the difference in behavior is large:
- With the - parameter, it is a login shell: after switching to <user_name>, the current shell loads <user_name>'s environment variables and other settings;
- Without the - parameter, it is a non-login shell: we switch to <user_name>, but the current shell still carries the environment variables and settings of the user we switched from.
Explanation alone is abstract; an example makes it easier to understand.
First, switch from the ubuntu user to root with a non-login shell, and compare the value of the PWD environment variable in the two user states (when su is not followed by any <user_name>, it switches to root by default):
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu                # Is /home/ubuntu
HOME=/home/ubuntu
# (remaining lines omitted)
ubuntu@VM-0-14-ubuntu:~$ su     # Non-login-shell mode
Password:                       # Enter the root login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu                # Still /home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu#
We did switch to the root user, but the variables in the shell environment have not changed; we are still using the previous ubuntu user's environment variables.
Next, switch from the ubuntu user to root with a login shell, and again compare the value of PWD for the two users:
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu                # Is /home/ubuntu
HOME=/home/ubuntu
# (remaining lines omitted)
ubuntu@VM-0-14-ubuntu:~$ su -   # Login-shell mode
Password:
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root                       # Has become /root
HOME=/root
MAIL=/var/mail/root
LOGNAME=root
root@VM-0-14-ubuntu:~#
We can see that when switching users with a login shell, the environment variables in the shell change as well.
Summary: which method to use depends on your needs:
- If you do not want the settings of the current user to become unavailable because you switched to another user, use the non-login-shell form;
- If you need the environment variables of the user you switched to (different users generally have different environment settings), use the login-shell form.
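A practical consequence of the non-login-shell form is that a root shell started with a plain su keeps the previous user's environment, including PATH, so root ends up searching whatever directories that user had configured. The following is an added example, not from the original post: a POSIX sh function that audits a PATH string the way a root shell would inherit it and flags entries that are empty, relative, or writable by other users. The function name audit_path, the helper make_sample_dirs and the sample directories it creates are my own constructions, not anything on a real system.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit_path PATHSTRING
#   Walk a PATH value as a root shell would inherit it after a plain "su" and
#   report entries a root user should not search: empty entries (which mean the
#   current directory), relative entries, and existing directories that other
#   users can write to. Returns 0 when the PATH is clean, 1 otherwise.
#   (POSIX sh has no "local", so the variables below are global.)
audit_path() {
    rest="$1:"           # trailing ':' so the last entry is also consumed
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}  # entry before the first ':'
        rest=${rest#*:}  # drop it together with the ':'
        case "$dir" in
            "")
                echo "empty entry (searches the current directory)"; bad=1; continue ;;
            /*) ;;       # absolute entry: keep checking below
            *)
                echo "relative entry: $dir"; bad=1; continue ;;
        esac
        [ -d "$dir" ] || continue        # a missing directory is harmless to search
        # Portable other-write check: the 9th character of the mode string from ls -ld
        mode=$(ls -ld "$dir" | cut -c1-10)
        case "$mode" in
            ????????w?)
                echo "world-writable entry: $dir"; bad=1 ;;
        esac
    done
    return $bad
}

# make_sample_dirs: constructed directories used only for the demonstration
# (an assumption, not a real system layout). Prints a clean PATH on the first
# line and a risky PATH on the second.
make_sample_dirs() {
    base=$(mktemp -d)
    mkdir "$base/safe" "$base/shared"
    chmod 755 "$base/safe"
    chmod 1777 "$base/shared"        # sticky and world-writable, like /tmp
    echo "/usr/local/bin:/usr/bin:/bin:$base/safe"
    echo "/usr/bin:$base/shared::$base/safe:scripts"
}

# Demonstration when run directly
make_sample_dirs | while read -r p; do
    echo "checking PATH=$p"
    if audit_path "$p"; then echo "  clean"; else echo "  NOT clean"; fi
done
```

Run the script as is to see one clean and one flagged PATH; to check the environment of a shell you are actually in, call audit_path "$PATH" right after switching with su and compare it with the result after su -.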
2.2 switch to the specified user
As described earlier, if su is not followed by any <user_name>, it switches to the root user by default:
ubuntu@VM-0-14-ubuntu:~$ su -
Password:                         # Password of the root user
root@VM-0-14-ubuntu:/home/ubuntu#
Because we created a new user test_user in Section 1 (Preparation), and we also know test_user's login password (set by root), we can switch from the ubuntu user to test_user:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:                         # test_user's password
$
2.3 The -c parameter
In the methods above, we first switch to another user (root or test_user), execute commands as that user, and finally type exit to return to the ubuntu user.
There is another way: you do not need to switch users before executing a command. You can run the command as another user directly from the current user, and you are back in the current user when it finishes. This requires the -c parameter.
The usage is:
su - -c "string of commands"      # Execute the command string as root
Let's take an example:
ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied       # The ubuntu user cannot read /etc/shadow directly
ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password:                                 # Enter the root user's password
ubuntu:$1$fZKcWEDI$uwZ64uFvVbwpHTbCSgim0/:18352:0:99999:7:::
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$                  # After execution we are back in the ubuntu user, not root
This is very similar to sudo, described later: both temporarily obtain the permission of the root user. But there are still differences; we will come back to them.
3. sudo command introduction and main usage
First, explain what the sudo command means.
The full name of sudo is super user do, that is, execute the command as the super user (root). Note that this differs from the su seen earlier, which means switch user; the two are easy to confuse.
Let's first introduce what the sudo command can do, then explain why and how.
Let's start.
3.1 main usage
In Linux we often run into Permission denied, for example when viewing the contents of /etc/shadow as the ubuntu user, because that file can only be read by root.
What if we still want to see it? This is where sudo comes in:
ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied   # No permission
ubuntu@VM-0-14-ubuntu:~$ sudo !!                # sudo followed by two exclamation marks
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
ubuntu@VM-0-14-ubuntu:~$
In the example we use the little trick sudo !!, which means: repeat the previous command, but with sudo in front.
Because I have configured sudo not to require a password, sudo !! here prints the content directly. If it is not configured that way, you need to enter the current user's password; in this example I would enter the ubuntu user's login password.
For two consecutive sudo operations, if the interval between them is within 5 min, the second sudo does not ask for the password again; if it is more than 5 min, the next sudo asks for the password again. So a relatively convenient approach is to configure sudo not to require a password; how to set this is described later.
Besides executing commands with root's authority, sudo has several other uses, briefly introduced here.
Switch to root:
sudo su -
This also switches to root with a login shell, but it differs from su - in:
- The former, sudo su -, requires the login password of the current user, that is, the ubuntu user's password;
- The latter, su -, requires the root user's login password.
There is another command:
sudo -i
This command has the same effect as sudo su -: it switches to the root user and requires the current user's (ubuntu's) login password.
Now let's switch to test_user and try to display the contents of /etc/shadow:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:                                 # test_user's password
$ sudo cat /etc/shadow
[sudo] password for test_user:            # test_user's password
test_user is not in the sudoers file.  This incident will be reported.
$
In the penultimate line we see the error message: we cannot view the contents of /etc/shadow. Why can ubuntu use sudo but test_user cannot?
This involves how sudo works.
3.2 How sudo works
Whether a user can use the sudo command depends on the settings in the /etc/sudoers file.
As we saw in Section 3.1, the ubuntu user can use sudo normally, but test_user cannot, because test_user is not configured in /etc/sudoers.
/etc/sudoers is also a text file, but because it has a specific syntax, we do not edit it directly with vim or vi; instead we use the visudo command. After entering this command, you can edit /etc/sudoers directly.
Note that only the root user has permission to use the visudo command.
Let's first look at what is displayed after entering the visudo command.
Enter (root user):
root@VM-0-14-ubuntu:~# visudo
Output:
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
The format of each line:
- The first field is the user name, such as root or ubuntu;
- Next, the ALL to the left of the equals sign means the user is allowed to log in from any host;
- The ALL to the right of the equals sign (in parentheses) means the user at the start of the line can switch to any other user in the system;
- The ALL at the end of the line means the user at the start of the line can issue any command as the root user; ALL means any command may be issued.
We also note the NOPASSWD keyword in ubuntu's line, which means the ubuntu user does not need to enter a password when requesting sudo. This explains the earlier question.
At the same time, there is no line for test_user in this file, which explains why test_user cannot use the sudo command.
Next, we add test_user to /etc/sudoers so that test_user can also use sudo. We add on the last line:
test_user ALL=(ALL:ALL) ALL       # test_user must provide test_user's password when using sudo
Then we execute sudo under the test_user account again:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow              # With sudo
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$.ZY1lj4m$ii0x9CG8h.JHlh6zKbfBXRuolJmIDBHAd5eqhvW7lbUQXTRS//89jcuTzRilKqRkP8YbYW4VPxmTVHWRLYNGS/:18406:0:99999:7:::
$
As you can see, sudo can now be used.
3.3 thinking
We have seen that if a user is in /etc/sudoers, it has sudo permission, and by running sudo su - or sudo -i it can switch to the root user and become root. Doesn't this pose a great threat to the system?
Actually, it does. So when editing /etc/sudoers to grant a user sudo permission, you must make sure the user is trusted and will not cause malicious damage to the system; otherwise, giving the user full root permissions is very dangerous.
Of course, root can also edit /etc/sudoers so that the user only has partial permissions, that is, can only execute a small number of commands. Interested readers can refer to Article 2 in the Reference section; this article will not repeat it.
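To make the line format from Section 3.2 and the restricted-rule idea from Section 3.3 concrete, here is an added example that is not part of the original post: a small sudoers(5) lookup written in POSIX sh and awk. Given a sudoers-style file, a user name and the groups that user belongs to, it prints every rule that applies to the user, whether a password is required, and whether the command list is ALL or a restricted list. The function names sudoers_check and make_sample_sudoers are my own; the sample file is constructed from the rules shown in the post plus one hypothetical least-privilege rule for a user "deploy", and the groups are passed in explicitly instead of calling id -Gn so the example runs without real accounts. It only parses user and %group privilege lines; Defaults lines and #includedir directives are skipped and aliases are not expanded.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal sudoers(5) lookup.
# sudoers_check FILE USER GROUPS
#   FILE   - a sudoers-style file (the constructed sample below; /etc/sudoers is never read)
#   USER   - the user name to look up
#   GROUPS - colon-separated groups the user belongs to (an assumption passed in
#            by the caller, instead of calling id -Gn on a real account)
# Prints the matching lines, whether a password is required and whether the
# command list is ALL; returns 1 when no line applies ("not in the sudoers file").
sudoers_check() {
    awk -v user="$2" -v groups="$3" '
        BEGIN { n = split(groups, g, ":"); for (i = 1; i <= n; i++) ingroup["%" g[i]] = 1 }
        /^[ \t]*(#|$)/   { next }             # comment, #includedir directive, or blank line
        $1 == "Defaults" { next }             # option lines, not privilege lines
        $1 == user || ($1 in ingroup) {
            found = 1
            spec = $0; sub(/^[^=]*=/, "", spec)   # keep "(runas) [tags] commands"
            if (spec ~ /NOPASSWD:/) nopass = 1
            if (spec ~ /(^|[ \t:])ALL[ \t]*$/) anycmd = 1   # command list ends in ALL
            print "match: " $0
        }
        END {
            if (!found) { print user " is not in the sudoers file"; exit 1 }
            print "password: " (nopass ? "not required" : "required")
            print "commands: " (anycmd ? "any command" : "restricted list only")
        }' "$1"
}

# make_sample_sudoers: writes a constructed sudoers-style file (the rules shown
# in the post plus one restricted rule for a hypothetical user "deploy") and
# prints its path. The caller removes it.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL

# Hypothetical least-privilege rule: only two commands, as root, password required
deploy ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
EOF
    echo "$f"
}

# Demonstration when run directly
f=$(make_sample_sudoers)
for u in ubuntu test_user deploy alice; do
    echo "== $u (no groups)"
    sudoers_check "$f" "$u" "" || true
done
echo "== alice (member of group sudo)"
sudoers_check "$f" alice "sudo"
rm -f "$f"
```

The output for ubuntu shows the NOPASSWD line and "password: not required", test_user shows "password: required", deploy shows "commands: restricted list only", and alice with no groups reproduces the "not in the sudoers file" case from Section 3.1 until she is placed in the sudo group. The same lookup can be pointed at a copy of a real sudoers file to review who holds unrestricted root before granting more access.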
4. Comparison of differences between the two
We have seen:
- Using su - and providing the root account's password switches to the root user;
- Using sudo su - and providing the current user's password also switches to the root user.
The difference between the two is obvious: if many users need to use our Linux system, the former requires every user to know the root password, which is obviously very dangerous; the latter does not expose the root password. Users only enter their own account password, and which users can switch to root is entirely controlled by root (through /etc/sudoers), which makes the system much safer.