Running Commands as Superuser with sudo
- WHAT?
Learn about the basic concepts of
sudo
and how to use it as a regular user.- WHY?
Certain commands require administrator privileges. To run a command with administrator rights, the
sudo
command can be used.- EFFORT
It takes you up to 20 minutes to read through this article. If you have a specific question, you can jump directly to the respective chapter.
- GOAL
Understanding the basic concepts of
sudo
and running commands withsudo
for certain use cases.- REQUIREMENTS
root
orsudo
privileges. These are only available if you are the administrator of the system. For more information, refer to Section 1, “Basic concepts ofsudo
”.The sudo package needs to be installed. This package is available on SUSE Linux Enterprise Server by default.
1 Basic concepts of sudo
#
Learn about the basic concepts of sudo
and how it works on SUSE Linux Enterprise Server
systems.
sudo
is a Linux command that is used to temporarily execute programs as
another user.
It is the abbreviation for substitute user and do
and
borrows the privileges of another user, for example, the root
user.
This way, sudo
helps you accomplish system administration tasks without
logging in as root
.
1.1 sudo
on Linux systems in general #
As a regular user on Linux, you have reduced permissions that are sufficient
for most of the tasks. The root
user is the Linux superuser and the
equivalent to the administrator.
sudo
allows specified (non-root
) users or a group of users to run
privileged tasks, like calling system functions as root
or another
user. Through a configuration file, the system administrator can control
which users are allowed to run sudo
commands and for which tasks.
1.2 sudo
on SUSE Linux Enterprise Server systems #
For security reasons, all SUSE Linux Enterprise Server systems separate the regular user
from the root
user.
As a regular user, you cannot write to system directories or install
programs. Any user with access to the root
password can gain these
privileges and accidentally or maliciously break the system.
For example, you are logged in as a regular user and accidentally browse to a malicious website. An attacker cannot install malware on your system behind your back, as you are logged in as a regular user, means without any administrative permissions.
As explained above, it is not recommended to be logged in as root
user
permanently for security reasons. A safer approach is to stay logged with
your regular user and running a restricted command prefaced with sudo
.
sudo
requires administrator rights
On a single-user machine, where you have set your own root
password,
you have the required rights to administrate your system by using the
sudo
command and to configure sudo
settings yourself.
For more information about how to configure sudo
, refer to
https://documentation.suse.com/smart/systems-management/html/sudo-configure-superuser-privileges/index.html.
In a multi-user environment, such as in companies, the sudo
privileges
are managed by a system administrator and the permissions of the
root
user can be restricted. You may not be allowed to change
certain system directories or files, even when executing the command with
sudo
.
1.3 How sudo
works #
When running a command prefaced with sudo
, the system asks you for the
password of the root
account. After successful authentication, the
command is executed with superuser privileges.
Depending on the sudo
configuration, the elevated privileges persist for a
certain period of time and as long as you are working in the same terminal
session. So you do not need to provide a password again when running
another sudo
command.
To run a command with sudo
, this syntax is used:
>
sudo [command]
The following example explains how the sudo
command is used to open
the YaST Control Center in the terminal directly. To
open YaST, administrator rights are needed and therefore, it only works
with the sudo
command.
sudo
#>
yast
Absolute path to 'yast' is '/usr/sbin/yast', so running it may require superuser privileges (eg. root).1>
sudo
yast
[sudo] password for root:2
When only the | |
Starting the After successful authentication, the is opened. |
The elevated privileges persist for a certain period of time, so you
do not have to provide a password again for the next sudo
command.
2 Running a command prefaced with sudo
#
As a regular user, you can run any command as root
by adding
sudo
before it. This prompts you to provide the root
password.
If authenticated successfully, this runs the command as root
.
When running a command prefaced with sudo
, the system asks you for the
password of the root
account. After successful authentication, the
command is executed with superuser privileges.
Depending on the sudo
configuration, the elevated privileges persist for a
certain period of time and as long as you are working in the same terminal
session. So you do not need to provide a password again when running another
sudo
command.
sudo
#
The following procedure describes how to use the sudo
command to copy a
file into a directory where only the root
user has editing rights.
Open a terminal and create a test file with:
>
touch test.txt
Try to copy the file into the
/usr/local/bin/
directory with:>
cp test.txt /usr/local/bin
The terminal returns, for example:
cp: cannot create regular file '/usr/local/bin/test.txt': Permission denied
This message also appears if the required privileges were not granted to
sudo
.Now, enter the same command prefaced with
sudo
:>
sudo
cp test.txt /usr/local/bin
You are prompted to enter the
root
password. Note that the password is not shown during input, neither as clear text nor as masking characters.[sudo] password for root:
After successful authentication, the test file is copied to
/usr/local/bin
.
You have run your first sudo
command.
3 Common sudo
commands #
By adding sudo
before any command, you can run commands with elevated
permissions. You can also run commands as another user and use their
environment variables.
This section provides examples of common commands that often require administrative privileges.
- Repeat the last command with
sudo
To repeat the last command as an administrator, run
sudo !!
and enter the password. For example, a user without administrative privileges cannot create a directory under the/etc/
directory. To create it, runsudo !!
.>
mkdir /etc/test/
mkdir: cannot create directory ‘/etc/test/’: Permission denied>
sudo
!!
sudo mkdir /etc/test/ [sudo] password for root:>
ls -alrt /etc | grep test
drwxr-xr-x 1 root root 0 Apr 20 12:48 test- Manage packages using
sudo
andzypper
To run package management commands as an administrator, add
sudo
before the command:>
sudo
zypper [--GLOBAL-OPTIONS] <COMMAND> [--COMMAND-OPTIONS] [ARGUMENTS]
For example, to install the Docker CE containerization platform from its official package repository, run the following commands with
sudo
:>
sudo
zypper addrepo https://download.docker.com/linux/suse/docker-ce
>
sudo
zypper refresh
>
sudo
zypper search docker-ce
>
sudo
zypper install docker-ce
You do not need to add
sudo
beforezypper
commands that do not modify the system, or provide privileged access to information. For example, you can list the repositories for the installed software packages on your system without usingsudo
:>
zypper lr
- Manage system services using
sudo
andsystemctl
In systems that use
systemd
for managing services, you can use thesystemctl
command withsudo
. For example, to restart the Apache Web Server service, run:>
sudo
systemctl restart apache2
You do not need to add
sudo
beforesystemctl
commands that do not modify the system, or provide privileged access to information. For example, you can display the status of Network Manager without usingsudo
:>
systemctl status NetworkManager
● NetworkManager.service - Network Manager Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled) Drop-In: /usr/lib/systemd/system/NetworkManager.service.d └─NetworkManager-ovs.conf Active: active (running) since DAY YYYY-MM-DD HH:MM:SS TIMEZONE; 1h 21min ago Docs: man:NetworkManager(8) [...]- Modify a user account using
sudo
andusermod
To run the
usermod
command for modifying user accounts, use:>
sudo
usermod [OPTION] USERNAME
For example, to set the number of days to
30
for permanently disabling the user accounttux
after password expiry, run:>
sudo
usermod --inactive 30 tux
- Modify file and directory ownership using
sudo
andchown
To change file and directory ownerships from the current owner to a new owner, use:
>
sudo
chown [OPTION] [OWNER:[GROUP]] FILE
For example, to give
tux
the ownership of files and subdirectories in the/home/test/tux-files
directory, run:>
sudo
chown tux /home/test/tux-files/ --recursive
You can test the change in ownership by running the following command:
>
ls -alrt /home/test/tux-files/ --recursive
- Run a command as another user using
sudo -s
Instead of using the
su
command for switching to a different user and then running commands, you can use thesudo -s
command. A shell run by thesudo -s
command inherits the environment of the current user. Thesudo -s
command also offers a few privilege control measures.To run a command as a different user, use:
>
sudo
-s -u USERNAME COMMAND
By default, the command runs from the directory of the previous user, because the target user inherits the environment of the previous user.
For example, to recursively list the files and subdirectories of the
/home/test/tux-files/
directory as the target usertux
, run:>
sudo
-s -u tux ls -alrt /home/test/tux-files/ --recursive
When you use the
sudo -s
approach for running a command as a different user, the command is logged in your history.- Run a command as another user with a clean environment using
sudo -i
When using the
sudo -s
command, the target user inherits the environment of the previous user. You can prevent it by using thesudo -i
command, where the target user gets a clean environment and starts at their own$HOME
directory.To run a command as a different user with a clean environment, use:
>
sudo
-i -u USERNAME COMMAND
The
sudo -i
command runs the shell as an interactive login shell of the target user. As a result, there are shell startup scripts such as.profile
and.bash_profile
files.For example, to list the files and subdirectories of the
/home/test/tux-files/
directory astux
, run the following command:>
sudo
-i -u tux ls -alrt /home/test/tux-files/
When you use the
sudo -i
approach for running a command as a different user, the command is logged in your history.
4 Difference between sudo
and su
#
Learn the difference between sudo
and su
commands and when to use which.
On Linux systems, you can preface a command with either sudo
or
su
. Both let you execute commands as root
.
4.1 Characteristics of the sudo
command #
sudo
allows you to run a command asroot
. Depending on the configuration, it does not require you to enter theroot
password, but only the user's password. This way, no sensitive information needs to be shared with all the other (regular) users.With the
sudo
configuration file, the system administrator can control which users are allowed to usesudo
and restrict the usage to certain tasks.sudo
caches the password for a certain period of time. After this period, you are prompted for the password again, when running anothersudo
command.All commands executed with
sudo
are logged individually. The log file tracks date and time, the user that ran the command, and the command itself.
4.2 Characteristics of the su
command #
su
allows you to run a command asroot
but requires you to know theroot
password.It cannot be configured to restrict access to certain users and tasks and elevate the privileges for anyone who knows the
root
password.The privileges are elevated for the entire terminal session. As long as you stay in the session, you are not prompted for the password again.
Commands executed with
su
are not logged individually, as all actions can only be logged with the user account.
5 Legal Notice #
Copyright© 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.