In detail, it works the following way:
The /usr/bin/sudo executable file has the setuid bit set, so even when executed by another user, it runs with the file owner's user id (root in that case).
sudo checks in the /etc/sudoers file what privileges you have and whether you are permitted to run the command you are invoking. Simply put, /etc/sudoers is a file which defines which users can run which commands using the sudo mechanism.
That's how that file looks on my Ubuntu:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
The third line is what presumably interests you. It lets anybody in the "sudo" group execute any command as any user.
When Ubuntu sets up the first account during installation, it adds that account to the "sudo" group. You can check which groups which users belong to with the group command.
sudo asks you for a password. Regarding the fact that it needs the user's password, not root's, here is an excerpt from the sudoers manual:
Authentication and logging
The sudoers security policy requires that
most users authenticate themselves before they can use sudo. A
password is not required if the invoking user is root, if the target
user is the same as the invoking user, or if the policy has disabled
authentication for the user or command. Unlike su(1), when sudoers
requires authentication, it validates the invoking user's credentials,
not the target user's (or root's) credentials. This can be changed via
the rootpw, targetpw and runaspw flags, described later.
However, in fact, sudo does not need your user password for anything. It asks for it just to ensure that you are really you and to provide you some kind of warning (or chance to stop) before invoking some potentially dangerous command. If you want to turn off password asking, change the sudoers entry to:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
After authentication, sudo spawns a child process which runs the invoked command. The child inherits the root user id from its parent -- the sudo process.
So, answering your questions precisely:
I thought I was switching over to the root user for a command.
You were right. Each command preceded with sudo runs with the root user id.
Is there a root user?
Yes, there is a root user account, separate from your user account created during system installation. However, by default in Ubuntu you are not allowed to log in to an interactive terminal as the root user.
Am I root?
No, you are not root. You only have the privilege to run individual commands as root, using the sudo mechanism described above.
So why am I allowed to run root commands with my user's password?
You have to enter your user's password only due to sudo's internal security mechanism. It can be easily turned off. You gain your root powers because of the setuid bit of /usr/bin/sudo, not because of any passwords you enter.
The major difference between sudo and su is the mechanism used to authenticate. With su the user must know the root password (which should be a closely guarded secret), while with sudo the user uses his/her own password. In order to stop all users causing mayhem, the privileges discharged by the sudo command can, fortunately, be configured using the /etc/sudoers file.
Both commands run a command as another user, quite often root.
sudo su - works in the example you gave because the user (or a group where the user is a member) is configured in the /etc/sudoers file. That is, they are allowed to use sudo. Armed with this, they use sudo to temporarily gain root privileges (which is the default when no username is provided) and as root start another shell (su -). They now have root access without knowing root's password.
Conversely, if you don't allow the user to use sudo then they won't be able to sudo su -.
Distros generally have a group (often called wheel) whose members are allowed to use sudo to run all commands. Removing them from this group will mean that they cannot use sudo at all by default.
The line in /etc/sudoers that does this is:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
While removing users from this group would make your system more secure, it would also result in you (or other system administrators) being required to carry out more administrative tasks on the system on behalf of your users.
A more sensible compromise would configure sudo to give you more fine-grained control of who is allowed to use sudo and who isn't, along with which commands they are allowed to use (instead of the default of all commands). For example,
## Allows members of the users group to mount and unmount the
## cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
(only useful with the previous %wheel line commented out, or no users in the wheel group).
Presumably, distros don't come with this finer-grained configuration as standard as it's impossible to forecast what the admin's requirements are for his/her users and system.
Bottom line is - learn the details of sudo and you can stop sudo su - while allowing other commands that don't give the user root shell access or access to commands that can change other users' files. You should give serious consideration to who you allow to use sudo and to what level.
WARNING: Always use the visudo command to edit the sudoers file as it checks your edits for you and tries to save you from the embarrassing situation where a misconfigured file (due to a syntax error) stops you from using sudo to edit any errors. This is especially true on Debian/Ubuntu and variants where the root account is disabled by default.
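An added example, not part of either answer above: a small audit of the sudoers entries quoted on this page, reporting which ones grant every command (and therefore a root shell) and which skip the password prompt. The names parse_rule and audit are illustrative, and the parser is assumed to see only single-line user specifications with tags at the start of the command list; aliases, Defaults and include directives are skipped.

```python
import re

# Constructed sample: the sudoers entries quoted in the answers above.
SAMPLE = """\
# User privilege specification
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
"""

# who host = [(runas)] [TAG: ...] command[, command ...]
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_rule(line):
    """Parse one single-line user specification; return None for anything else."""
    line = line.strip()
    match = None if line.startswith(SKIP) else RULE.match(line)
    if not match:
        return None
    who, host, runas, rest = match.groups()
    tags, commands = TAGS.match(rest).groups()
    return {
        "who": who,
        "host": host,
        "runas": runas or "root",  # sudoers defaults to root when no (runas) is given
        "tags": [t.strip() for t in tags.split(":") if t.strip()],
        "commands": [c.strip() for c in commands.split(",") if c.strip()],
    }

def audit(text):
    """Return (who, findings) for every rule broader than a fixed command list."""
    report = []
    for rule in filter(None, map(parse_rule, text.splitlines())):
        findings = []
        if "ALL" in rule["commands"]:
            findings.append("any command, so a root shell (e.g. sudo su -) is allowed")
        if "NOPASSWD" in rule["tags"]:
            findings.append("no password prompt")
        if findings:
            report.append((rule["who"], findings))
    return report

if __name__ == "__main__":
    for who, findings in audit(SAMPLE):
        print(f"{who}: {'; '.join(findings)}")
```

The %users entry is not reported because it names two fixed commands; whether those commands are themselves safe to delegate is a separate review.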
Best Answer
You can use the -c option of su to pass a single command.