To su or to sudo...that is the question(s)! ;)

This isn’t a question but I did notice (in the archives) someone was trying to use sudo instead of su to run a command and they kept getting a ‘command not found’. I figured that this is a common new Linux user question.

The sudo can be used as a ‘temporary root’, “sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The ‘sudo’ requires that users authenticate themselves with a password by default, after issuing the command (if it requires a root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers)”.

(yes, I ‘borrowed’ the definition from man but I shortened it a bit) :shame:

Su, on the other hand, is called as in ‘su [ENTER]’ and requires the user to know and type the root password before allowing the user to do anything. It will allow the user an indefinite period of time to do whatever they want or need to do. To exit the ‘su’ command, after the user is done, they simply need to type at the prompt, ‘exit’ (without the '). (‘man’ definition: Change the effective user id and group id to that of USER. So you see, it’s not used just to get root privileges.) Then, to close the terminal, type ‘exit’ again (or just simply right-click the [X] at the upper right-hand corner (or left-hand corner, as the case may be) and close the terminal without having to type ‘exit’ at all).

Example:
user_name@linux:~> su
Password: _

At the ‘Password: _’ prompt, the user enters the root password to gain access to root permissions. One could also type: ‘su root’ or ‘su username’ to get that user’s privilege or access.

Sudo will not allow a normal user (non-root or system administrator [also known as ‘default user’, the first user when the system was installed]) to run any command that would change (or alter) the system without root access.

If this is confusing to some people, try (in a terminal) ‘man su’ and/or ‘man sudo’ (without the ') for a more complete description of each call.

If I am wrong anywhere or left something out, I will graciously accept being corrected. :open_mouth: :wink:

QBall

> Sudo will not allow a normal user (non-root or system administrator [also known as ‘default user’, the first user when the system was installed]) to run any command that would change (or alter) the system without root access.

I’m not quite sure that is correct; sudo can be configured to allow any command to be run by any user, and iirc as any user. Also iirc on a default install sudo is allowed, I think, for all commands. I also think it will prompt for the root pw, though this can be changed.

If I was to try to be succinct I would say su -c “command to run” equates to sudo command_to_run. Now on a default install this will prompt for root pw (iirc), but this can be changed to prompt for the user’s pw.

To me the real difference is probably granularity of control: sudo can be more finely controlled, whereas su root or su - has no granularity. (I’d also be interested in the path env for sudo and su - respectively, but suspect sudo has the granularity to change this.)

On a default install iirc there is little difference between sudo zypper in package and su -c “zypper in package”.

jqball2u wrote:
> If I am wrong anywhere or left something out, I will graciously accept
> being corrected.

welcome, i see you have been here a little less than a month…

i like seeing new folks with the spunk to speak up…but, it seems
the purpose of your post was to inform newly arriving folks about the
ins and outs of accessing superuser/root powers in openSUSE…

a noble endeavor, but one that has already been covered…so, let me
suggest that before you start developing other knowledge packed posts
you first direct your energy to learning the lay of the land here and
become more familiar with what is already available in the forum and
the wiki…

for example, you posted a potential how-to into a help forum…a forum
which is supposed to be where folks needing help ask questions and get
answers…not search for how-tos on various topics…

but, since there is a valid need for the kind of post you made, there
is a good place for it to be posted, in
http://forums.opensuse.org/information-new-users/unreviewed-how-faq/

where you will find your subject is already covered pretty well in
http://forums.opensuse.org/information-new-users/unreviewed-how-faq/424498-become-su-terminal-howto.html

additionally, there is info on how to take on the powers of root via
su, su-, sudo, kdesu, and gnomesu in the wiki’s Support Data Base
(SDB), a place where lots of how-to, knowledge packed pages live:
http://en.opensuse.org/SDB:Login_as_root

please don’t take what i type as admonishment, but rather as a
friendly attempt to redirect energy and enthusiasm into what might be
a more productive, and less redundant path…


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

OOPS! Sorry, originally I hadn’t intended it to be a tutorial but just a comment and, I guess I got kind of carried away! :shame: I was commenting on something I saw (in the archives, while searching for help on locked desktop icons) that I came across on my own computer about sudo [command] and got a ‘command not found’ until I had su-ed to root, then I was allowed to carry out the command.

I won’t go ‘off topic’ again (not on purpose, anyway)! :X

Thanks for the comments on my post though … I learned more about Linux than I knew before! :stuck_out_tongue:

QBall

jqball2u wrote:
> I won’t go ‘off topic’ again (not on purpose, anyway)! :X

well, imo anytime you are trying to help folks in a help forum you are
pretty much close to topic, if not exactly on topic…

you are a pretty good writer and it was not my intention to shut you
down, rather to just (maybe) point toward another, more beneficial path…



@jqball2u the command not found is more likely to do with the path env; sometimes you find the command is not in the default path, but though it is not in the path you may find sudo /path/to/command works where sudo command didn’t.

This is really related to the path env. Also, sometimes sudo solutions are generally a little newer or generic, whereas Suse has really started to use sudo more recently (certainly as default; it is why you will generally find the old timers using su - or su -c “…”).

If you look at the man sudo

snip…minimal environment containing TERM, PATH, HOME,
SHELL, LOGNAME, USER and USERNAME in addition to variables from the
invoking process …snip

the other one to read is man sudoers.

I have to admit for the env reasons alone and not coming from an Ubuntu background I’ll tend to recommend su - or su -c
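
The ‘command not found’ case discussed in the post above, as an added example that is not part of the thread: it assumes sudo keeps the invoking user's PATH (no secure_path set in sudoers), while `su -` gives root's login PATH that includes the sbin directories. The sandbox directories, the PATH values and the function names `lookup_cmd` and `diagnose` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sandbox standing in for /usr/bin and /usr/sbin (not the real dirs).
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/bin" "$SANDBOX/usr/sbin"
printf '#!/bin/sh\n' > "$SANDBOX/usr/bin/ls"
printf '#!/bin/sh\n' > "$SANDBOX/usr/sbin/ifconfig"
chmod +x "$SANDBOX/usr/bin/ls" "$SANDBOX/usr/sbin/ifconfig"

# Constructed PATH values (assumptions): an ordinary user's PATH without
# sbin, and the PATH of a root login shell as obtained with "su -".
USER_PATH="$SANDBOX/usr/bin"
ROOT_PATH="$SANDBOX/usr/sbin:$SANDBOX/usr/bin"

# lookup_cmd NAME PATHLIST: print the first executable NAME found in the
# colon-separated PATHLIST; return 1 if none ("command not found").
lookup_cmd() {
    name=$1
    case $name in
        */*)  # a name containing a slash is used as given, no PATH search
            [ -x "$name" ] && { printf '%s\n' "$name"; return 0; }
            return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# diagnose NAME: classify why "sudo NAME" can fail where "su -" then NAME works.
diagnose() {
    if lookup_cmd "$1" "$USER_PATH" >/dev/null; then
        echo "found-in-user-path"
    elif full=$(lookup_cmd "$1" "$ROOT_PATH"); then
        echo "only-in-root-path:$full"   # "sudo /full/path" would work
    else
        echo "not-installed"
    fi
}

for c in ls ifconfig nosuchcmd; do
    printf '%-10s %s\n' "$c" "$(diagnose "$c")"
done
```
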

This leads me to a question that has bugged me for a while (so perhaps this can lead to a support situation?). I’m weak on security in Linux, mainly because I have not needed any security in Linux other than standard.

With sudo or openSUSE’s default of using the user’s password for su, to me it appears that if someone was to break into a system with that user’s details they could easily get complete control. I posed this question when using another distro but was simply told they know what they are doing; that did not answer the question.

I can’t offer any empirical advice mainly as I do know I tweaked mine from default in helping someone.

But IMO yes I would consider sudo has the potential to punch holes in a security model but this is covered slightly in man sudoers. Really if the password is strong then there is nothing to fear. Personally I like the abstraction of root/admin over a user and will only use sudo for commands I want the user to run(Generally passwordless i.e pm-suspend for cli)

But really there is little difference. OK, so they manage to get the system as user, now they need to escalate privs. To do this they still would need to know the user’s password (I thought Suse defaulted to root), in comparison to knowing that su then root’s password. So the weakness is the password; if the user password is weak then yes I guess it is poor, but the same is applicable for root and su.

I’m one of the old fashioned ones, that unchecks the option during install for using the user’s password as the root password. I have had a not so nice experience when being root after su, these days I use


su -c '*command*'

Sudo does the same.

My question there is, we are running these processes as a user; if there is a problem that allows someone to take control of that process, should they also be able to get root privileges on it (and can they)?

That seems a bit difficult to answer more so as this thread is really about 2 things and more…

su and sudoers and escalation of privs.

It is highly unlikely that if you keep up with updates that a priv escalation would happen from a user run app. My understanding is suid (or is it sticky bits) protects this to some extent and unless I’m mistaken escalation would have happened to start it, then it will drop to user process (**** am I vague on that little lot).

Then from man sudoers

or use a shell escape from an editor or other program
but this is way beyond my scope I’m afraid. Beyond what I’ve read in man sudoers and SECURITY NOTES section.

The only real way to check for attacks on certain apps is to look at exploit sites and security advisories, not to mention they’ll need a way in first, like an insecure ssh attack vector.

Edit really by the time you’re talking priv escalation the horse has bolted.

dvhenry wrote:
> With sudo or openSUSE’s default of using the user’s password for su

if they had let me be king on that decision the install process would
demand the user and root passwords:

-be different
-be at least ten characters long
-include not less than one number (and they be nonsequential)
-include not less than one punctuation
-include not less than one special character
-include not less than one upper and one lower case alpha characters
-not include dictionary words
-etc

and written on a sticky attached to the bottom of the keyboard :wink:



One of my concerns has to do with the fact that this is a home network, as such getting the wife and kids to use a “secure” password is not easy.

It still looks to me as though using “su -” with its own password, and not sudo, or su having a normal user’s password, appears more secure, well at least it won’t hurt, so I think I will continue doing so.

Thanks for your replies, they are appreciated.

For wife and kids: the trick is to find a password they will remember. My 7 year old daughter uses the first chars of a line of a song, where “is” is written “=”. She loves it, just has to think of the song. Its length is 14 chars.

Disadvantage of ‘su’ and ‘su -’ is, that you are still root after running a command.
You can also force sudo to have a different password for root:


sudo passwd root

after changing the password for root, sudo will need the new password as well.

So, for safety, only be root for the one command you need it for.

dvhenry wrote:
> getting the wife and kids to use a “secure” password is not easy

why should the wife and kids need the root pass?



> why should the wife and kids need the root pass?

Why should sudo allow it? That is one of the points.

AFAIK sudo is only for the first created user, the rest does not belong to the sudoers. This makes it easy to only let the kids have root access.

dvhenry wrote:
>> why should the wife and kids need the root pass?
> Why should sudo allow it? That is one of the points.

i guess we are not communicating…or more likely either i’m not
understanding or not expressing myself clearly enough, so let me try
again:

in my opinion the wife and kids are users and should never have access
to administrator privileges (aka: root)…

to make sure that happens you set your system to have a different
password for each user (including yourself) and a different, strong
password for root which only you know…then only you have access to
root powers through any of su, su -, sudo, kdesu or gnomesu…which
is, as it should be (imo)…



+1

and this is not about being an oppressive tyrant or anything; chances are,
by your being in this forum, that you understand (or are willing to learn)
the risks around privileged access to a system where your kids perhaps
cannot yet and your wife may not want to (situations vary). 99.99% of
things done on the machine do not require ‘root’ and for those things that
do delaying a few minutes is often okay (applying patches, installing new
software that requires system access for some reason, changing hardware or
hardware drivers, etc.).

Good luck.

On 06/08/2010 07:59 AM, DenverD wrote:
> dvhenry wrote:
>>> why should the wife and kids need the root pass?
>> Why should sudo allow it? That is one of the points.
>
> i guess we are not communicating…or more likely either i’m not
> understanding or not expressing myself clearly enough, so let me try
> again:
>
> in my opinion the wife and kids are users and should never have access
> to administrator privileges (aka: root)…
>
> to make sure that happens you set your system to have a different
> password for each user (including yourself) and a different, strong
> password for root which only you know…then only you have access to
> root powers through any of su, su -, sudo, kdesu or gnomesu…which
> is, as it should be (imo)…
>

> AFAIK sudo is only for the first created user

Now, there I had not checked and just made an (incorrect) assumption.

Thanks to all for your replies, you have cleared up some misconceptions I had on this subject.