| certifications | open source - Jon Welling
How to Escalate Permissions on Linux with Sudo and Su
There comes a time in every administrator's life when you need to escalate privileges in Linux. Windows can be a lot more forgiving when you need to perform an administrative task. The Windows UAC prompt makes escalating privileges easy.
So much so that a lot of entry-level IT professionals don't even realize that having an admin account doesn't remove the need to escalate user permissions to perform administrative tasks in Windows.
Linux isn't that nice, though. In Linux, escalating privileges is a very deliberate act. Let's discuss how you escalate privileges in Linux and why you would want to.
Why Escalate Privileges in Linux?
There are a lot of parts to a computer system that can be dangerous to work with. Editing those components can cause issues like preventing a computer from starting properly, disabling services, damaging hardware, or causing security issues. So, OSes like Linux and Windows require escalated privileges before those components can be changed.
Modern operating systems give systems administrators a way to secure the OS by means of user accounts and privilege levels. This lets normal users access and use a computer to get a job done without being able to break that computer. Meanwhile, system administrators are still capable of performing the complex system administration tasks required to keep computer systems up and running.
It is assumed by these OSes that if a person can escalate privileges in an OS then they must be an administrator and they know what they are doing. The responsibility of security and maintenance is then passed from the OS itself to the system administrator.
Locking certain tasks behind user privileges is also a security measure. By requiring input from a user to escalate privileges, the OS can prevent malware from making changes on that system. This can prevent malware from doing things like automatically installing software on a computer.
How to Escalate Privileges in Linux
Standard user accounts in Linux cannot perform administrative tasks, at least not by default. Linux doesn't have the concept of an administrative account like Windows. Let's rewind there for a moment. All operating systems have admin profiles. Sort of.
Operating systems have user profile permissions or capabilities. These profiles and permissions designate what kinds of tasks can be performed in an operating system. Windows, by default, has three user account profile types:
Those three types of account profiles are nothing more than profiles with common permissions pre-configured for them. Those permission levels can be changed per profile or account.
This concept confuses a lot of newer IT administrators and help desk techs. It's common for someone to think that having admin access in Windows means they can do everything on a computer. This couldn't be further from the truth, though.
In an enterprise environment, it's common for there to be admin profiles and super-admin profiles. Very few administrators in an organization will have super-admin privileges with permissions to adjust everything on a computer while techs will have a normal admin profile.
Linux does have a concept of user groups, but these perform slightly different functions in Linux. A default Linux install will have standard user profiles, a root profile (the system administrator), and various system users and groups depending on what applications are installed.
Though a standard user profile in Linux can be adjusted to have various permission levels, it's common practice to escalate privileges into the root profile to perform administrative tasks. Users would either use the SU command, the SUDO command or log into the Linux OS with the root account itself depending on which version of Linux is being used.
For example, Red Hat Linux will use the SU command. Debian or Ubuntu OSes will use the SUDO command.
Pro Tip: Though Ubuntu and Debian don't use the SU command because the root password is hidden for security reasons, you can change and set a password for the root profile to use the SU command in these versions of Linux. Simply use the 'sudo passwd root' command in the Linux terminal to set a new password for the root profile. This will also enable the ability to log in with the root profile directly. Proceed with caution, though. This can be a security risk.
An Overview of How to Escalate Permissions on Linux with Sudo, Su [VIDEO]
In this video, Shawn Powers covers how to effectively manage privileges. Specifically, you'll learn about three different Linux commands that allow you to escalate your privileges from a lower-level account to one with more permissions, up to (and including) super user rights. He'll show you which to use, how, and when to do so.
What is the SU Command in Linux?
SU stands for 'substitute user'. It's a way of escalating privileges in Linux. The SU command changes the input from your Linux profile to the root profile within the Linux terminal. This allows you to perform tasks in Linux typically limited to the root account.
Escalating privileges to the root account is easy. In the Terminal, enter the command 'su'. You will be prompted for the Root account's password. Keep in mind the password you need to enter is for the root account and not your account.
After escalating to the Root account, notice that the terminal prompt changed from your username to the Root account's name. If you are using this Linux computer locally (as opposed to connecting to it remotely), you should see something like 'root@localhost' instead of 'yourName@localhost'.
Once you use the SU command and switch to the Root account, you do not need to keep using the SU command. Every command you enter in the terminal at this point will be entered as the Root profile. Be wary of this. For example, if you enter the command to store Git credentials globally while impersonating the Root profile, those Git credentials will only work while using that Root account. Those credentials will not be accessible while using your normal Linux profile.
To stop using the Root profile, type 'exit' in the terminal.
What is the SUDO Command in Linux?
The SUDO command stands for 'substitute user do' as in 'do something as another user'. The SUDO command works similarly to the SU command in Linux but with a couple of exceptions. For instance, when you use the SUDO command, you will use the password for your Linux profile instead of the password for the Root account.
Likewise, you must use the SUDO command to escalate privileges for each command individually. Using the SUDO command does not cause you to impersonate the Root account in Linux permanently as the SU command does.
Pro Tip: You can use the SUDO command to fully impersonate the Root account by using 'sudo su' in the terminal. This would be like using the SU command by itself.
Only certain accounts in Linux can use the SUDO command. By default, the account created when Linux is installed is always configured to use the SUDO command. That is because user accounts are typically part of the Wheel user group in Linux, and the Wheel user group has permission to use the SUDO command.
The configuration file controlling the SUDO command is typically stored in /etc/sudoers. This could change depending on the version of Linux you are using, so if you cannot find the 'sudoers' file, consult the documentation for the distribution of Linux you are using for that file's location.
To edit the 'sudoers' file, you wouldn't make any changes to it directly, though. You should use an application called VISUDO for that.
What is the VISUDO Command in Linux?
VISUDO is a command to edit the configuration file for the SUDO command. Using this command will edit the 'sudoers' configuration file in the '/etc' folder in Linux. Using the VISUDO command will also open the 'sudoers' file within a wrapper. This will help prevent any mistakes from being saved to that file by accident.
The 'sudoers' file has a lot of great examples inside of it for each configuration option.
Typically, when you change who can use the SUDO command, you would update the user group that can use that command and not individual users themselves. In the configuration file, there is an option that starts with '%wheel'. This is the 'wheel' group. User accounts are part of this group by default.
The percentage sign tells the configuration file that 'wheel' is a user group. You can add, modify, or change user groups by replicating the configuration option below replacing 'wheel' with the name of the user group you would prefer to use:
%wheel ALL=(ALL) ALL
Below that option is an option to allow user groups to use the SUDO command without entering a password. That entry looks like this:
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD:ALL
To enable the ability to use the SUDO command without a password, uncomment that line above (remove the # from the beginning of it) and save the 'sudoers' file. Enabling that configuration will let you run scripts without being required to enter a password. That means scripts can run unattended.
Pro Tip: Instead of making all commands accessible with the SUDO command without a password by uncommenting the line above, you can allow only specific commands by replacing 'NOPASSWD: ALL' with 'NOPASSWD:' followed by the command you want to allow. The 'sudoers' file expects the full path to the command (e.g. 'NOPASSWD: /usr/bin/ls').
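The difference between the blanket NOPASSWD rule and a command-scoped one is worth checking for on any system you administer. The script below is an added example, not part of the original article: it reads sudoers-format text and reports every active rule that skips the password prompt, marking it BROAD (all commands) or SCOPED (listed commands only). The sample rules and the 'deploy' and 'backup' group names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): list sudoers rules that skip the
# password prompt. All rules below are constructed sample data.

# Constructed sudoers content: the stock %wheel lines plus two hypothetical
# groups, "deploy" and "backup", invented for this example.
sample_sudoers() {
    cat <<'EOF'
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%deploy ALL=(ALL) NOPASSWD: ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
EOF
}

# Reads sudoers text on stdin and prints one line per active NOPASSWD rule:
#   BROAD  <who>   passwordless sudo for ALL commands
#   SCOPED <who>   passwordless sudo only for the listed commands
# Simplification: every line starting with "#" is treated as a comment, so
# include directives are not followed and aliases are not expanded.
audit_nopasswd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        /NOPASSWD:/ {
            who = $1
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)   # keep only the command list
            n = split(cmds, item, ",")
            kind = "SCOPED"
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", item[i])   # trim each command
                if (item[i] == "ALL") kind = "BROAD"
            }
            print kind, who
        }
    '
}

sample_sudoers | audit_nopasswd
```

To check a real system, run 'audit_nopasswd < /etc/sudoers' as root; any BROAD line means every member of that user or group can run anything as root without being asked for a password.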
We covered a lot of information in this article for something as simple as escalating user privileges in Linux. Just in case you need a recap, here you go.
You need to escalate privileges in Linux before executing any restricted commands. Depending on the version of Linux you are using, you will either use the SU or SUDO commands. Red Hat and Fedora use SU while Debian-based versions of Linux use SUDO.
The SU command lets you impersonate the Root profile in the Linux terminal until you exit out of that profile. The SUDO command lets you impersonate the Root profile but only for a single command. You need to keep using SUDO for each subsequent command. Use the VISUDO tool to edit the 'sudoers' configuration file for the SUDO command.