Running Commands as Superuser with `sudo`

Publication Date: 27 Sep 2024

WHAT?

Learn about the basic concepts of sudo and how to use it as a regular user.

WHY?

Certain commands require administrator privileges. To run a command with administrator rights, the sudo command can be used.

EFFORT

It takes you up to 20 minutes to read through this article. If you have a specific question, you can jump directly to the respective chapter.

GOAL

Understanding the basic concepts of sudo and running commands with sudo for certain use cases.

REQUIREMENTS

root or sudo privileges. These are only available if you are the administrator of the system. For more information, refer to Section 1, “Basic concepts of sudo”.
The sudo package needs to be installed. This package is available on SUSE Linux Enterprise Server by default.

Revision History: Running Commands as Superuser with sudo

1 Basic concepts of `sudo` #

Learn about the basic concepts of sudo and how it works on SUSE Linux Enterprise Server systems.

sudo is a Linux command that is used to temporarily execute programs as another user. It is the abbreviation for substitute user and do and borrows the privileges of another user, for example, the root user. This way, sudo helps you accomplish system administration tasks without logging in as root.

1.1 `sudo` on Linux systems in general #

As a regular user on Linux, you have reduced permissions that are sufficient for most of the tasks. The root user is the Linux superuser and the equivalent to the administrator.

sudo allows specified (non-root) users or a group of users to run privileged tasks, like calling system functions as root or another user. Through a configuration file, the system administrator can control which users are allowed to run sudo commands and for which tasks.

1.2 `sudo` on SUSE Linux Enterprise Server systems #

For security reasons, all SUSE Linux Enterprise Server systems separate the regular user from the root user. As a regular user, you cannot write to system directories or install programs. Any user with access to the root password can gain these privileges and accidentally or maliciously break the system.

For example, you are logged in as a regular user and accidentally browse to a malicious website. An attacker cannot install malware on your system behind your back, as you are logged in as a regular user, means without any administrative permissions.

As explained above, it is not recommended to be logged in as root user permanently for security reasons. A safer approach is to stay logged with your regular user and running a restricted command prefaced with sudo.

Note: sudo requires administrator rights

On a single-user machine, where you have set your own root password, you have the required rights to administrate your system by using the sudo command and to configure sudo settings yourself.

For more information about how to configure sudo, refer to https://documentation.suse.com/smart/systems-management/html/sudo-configure-superuser-privileges/index.html.

In a multi-user environment, such as in companies, the sudo privileges are managed by a system administrator and the permissions of the root user can be restricted. You may not be allowed to change certain system directories or files, even when executing the command with sudo.

1.3 How `sudo` works #

When running a command prefaced with sudo, the system asks you for the password of the root account. After successful authentication, the command is executed with superuser privileges.

Depending on the sudo configuration, the elevated privileges persist for a certain period of time and as long as you are working in the same terminal session. So you do not need to provide a password again when running another sudo command.

To run a command with sudo, this syntax is used:

    > sudo [command]

The following example explains how the sudo command is used to open the YaST Control Center in the terminal directly. To open YaST, administrator rights are needed and therefore, it only works with the sudo command.

Example 1: Opening the YaST control center with sudo #

> yast
Absolute path to 'yast' is '/usr/sbin/yast', so running it may require superuser privileges (eg. root).1
> sudo yast
[sudo] password for root:2

When only the yast command is entered, the system returns that root privileges are required.

Starting the yast command with sudo prompts you for the root password. The password is not shown during input, neither as clear text nor as masking characters.

After successful authentication, the YaST Control Center is opened.

The elevated privileges persist for a certain period of time, so you do not have to provide a password again for the next sudo command.

2 Running a command prefaced with `sudo` #

As a regular user, you can run any command as root by adding sudo before it. This prompts you to provide the root password. If authenticated successfully, this runs the command as root.

When running a command prefaced with sudo, the system asks you for the password of the root account. After successful authentication, the command is executed with superuser privileges.

Procedure 1: Running a command prefaced with sudo #

The following procedure describes how to use the sudo command to copy a file into a directory where only the root user has editing rights.

Open a terminal and create a test file with:
```
> touch test.txt
```
Try to copy the file into the /usr/local/bin/ directory with:
```
> cp test.txt /usr/local/bin
```
The terminal returns, for example:
```
cp: cannot create regular file '/usr/local/bin/test.txt': Permission denied
```
This message also appears if the required privileges were not granted to sudo.
Now, enter the same command prefaced with sudo:
```
> sudo cp test.txt /usr/local/bin
```
You are prompted to enter the root password. Note that the password is not shown during input, neither as clear text nor as masking characters.
```
[sudo] password for root:
```
After successful authentication, the test file is copied to /usr/local/bin.

You have run your first sudo command.

3 Common `sudo` commands #

By adding sudo before any command, you can run commands with elevated permissions. You can also run commands as another user and use their environment variables.

This section provides examples of common commands that often require administrative privileges.

Repeat the last command with sudo

To repeat the last command as an administrator, run sudo !! and enter the password. For example, a user without administrative privileges cannot create a directory under the /etc/ directory. To create it, run sudo !!.

> mkdir /etc/test/
mkdir: cannot create directory ‘/etc/test/’: Permission denied

> sudo !!
sudo mkdir /etc/test/
[sudo] password for root:

> ls -alrt /etc  | grep test
drwxr-xr-x 1 root root        0 Apr 20 12:48 test

Manage packages using sudo and zypper

To run package management commands as an administrator, add sudo before the command:

> sudo zypper [--GLOBAL-OPTIONS] <COMMAND> [--COMMAND-OPTIONS] [ARGUMENTS]

For example, to install the Docker CE containerization platform from its official package repository, run the following commands with sudo:

> sudo zypper addrepo https://download.docker.com/linux/suse/docker-ce

> sudo zypper refresh

> sudo zypper search docker-ce

> sudo zypper install docker-ce

You do not need to add sudo before zypper commands that do not modify the system, or provide privileged access to information. For example, you can list the repositories for the installed software packages on your system without using sudo:

> zypper lr

Manage system services using sudo and systemctl

In systems that use systemd for managing services, you can use the systemctl command with sudo. For example, to restart the Apache Web Server service, run:

> sudo systemctl restart apache2

You do not need to add sudo before systemctl commands that do not modify the system, or provide privileged access to information. For example, you can display the status of Network Manager without using sudo:

> systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
             └─NetworkManager-ovs.conf
     Active: active (running) since DAY YYYY-MM-DD HH:MM:SS TIMEZONE; 1h 21min ago
       Docs: man:NetworkManager(8)
   [...]

Modify a user account using sudo and usermod

To run the usermod command for modifying user accounts, use:

> sudo usermod [OPTION] USERNAME

For example, to set the number of days to 30 for permanently disabling the user account tux after password expiry, run:

> sudo usermod --inactive 30 tux

Modify file and directory ownership using sudo and chown

To change file and directory ownerships from the current owner to a new owner, use:

> sudo chown [OPTION] [OWNER:[GROUP]] FILE

For example, to give tux the ownership of files and subdirectories in the /home/test/tux-files directory, run:

> sudo chown tux /home/test/tux-files/ --recursive

You can test the change in ownership by running the following command:

> ls -alrt /home/test/tux-files/ --recursive

Run a command as another user using sudo -s

Instead of using the su command for switching to a different user and then running commands, you can use the sudo -s command. A shell run by the sudo -s command inherits the environment of the current user. The sudo -s command also offers a few privilege control measures.

To run a command as a different user, use:

> sudo -s -u USERNAME COMMAND

By default, the command runs from the directory of the previous user, because the target user inherits the environment of the previous user.

For example, to recursively list the files and subdirectories of the /home/test/tux-files/ directory as the target user tux, run:

> sudo -s -u tux ls -alrt /home/test/tux-files/ --recursive

When you use the sudo -s approach for running a command as a different user, the command is logged in your history.

Run a command as another user with a clean environment using sudo -i

When using the sudo -s command, the target user inherits the environment of the previous user. You can prevent it by using the sudo -i command, where the target user gets a clean environment and starts at their own $HOME directory.

To run a command as a different user with a clean environment, use:

> sudo -i -u USERNAME COMMAND

The sudo -i command runs the shell as an interactive login shell of the target user. As a result, there are shell startup scripts such as .profile and .bash_profile files.

For example, to list the files and subdirectories of the /home/test/tux-files/ directory as tux, run the following command:

> sudo -i -u tux ls -alrt /home/test/tux-files/

When you use the sudo -i approach for running a command as a different user, the command is logged in your history.

4 Difference between `sudo` and `su` #

Learn the difference between sudo and su commands and when to use which.

On Linux systems, you can preface a command with either sudo or su. Both let you execute commands as root.

4.1 Characteristics of the `sudo` command #

sudo allows you to run a command as root. Depending on the configuration, it does not require you to enter the root password, but only the user's password. This way, no sensitive information needs to be shared with all the other (regular) users.
With the sudo configuration file, the system administrator can control which users are allowed to use sudo and restrict the usage to certain tasks.
sudo caches the password for a certain period of time. After this period, you are prompted for the password again, when running another sudo command.
All commands executed with sudo are logged individually. The log file tracks date and time, the user that ran the command, and the command itself.

4.2 Characteristics of the `su` command #

su allows you to run a command as root but requires you to know the root password.
It cannot be configured to restrict access to certain users and tasks and elevate the privileges for anyone who knows the root password.
The privileges are elevated for the entire terminal session. As long as you stay in the session, you are not prompted for the password again.
Commands executed with su are not logged individually, as all actions can only be logged with the user account.

5 Legal Notice #

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.

Running Commands as Superuser with sudo

1 Basic concepts of sudo #

1.1 sudo on Linux systems in general #

1.2 sudo on SUSE Linux Enterprise Server systems #

1.3 How sudo works #

2 Running a command prefaced with sudo #

3 Common sudo commands #

4 Difference between sudo and su #

4.1 Characteristics of the sudo command #

4.2 Characteristics of the su command #