To perform administrative tasks or test user accounts, we may need to assume the identity of another user. There are three primary methods for doing this:
Logging out and logging back in: This completely switches user sessions.
Using the su command: Provides temporary access to another user's account, including superuser privileges.
Using the sudo command: Executes specific commands with elevated privileges without fully switching users.
We'll focus on the su and sudo commands, as they offer more flexibility than logging out and logging back in. The su command allows you to temporarily become another user, either starting a new shell or running a single command. In contrast, sudo permits specific users to execute commands with elevated privileges without fully switching users. The preferred method often depends on your Linux distribution: distributions typically support both but may favor one over the other. We'll begin by exploring the su command.
su: Run a Shell with Substitute User and Group IDs
The su command lets you start a shell session as another user. Its basic syntax is:
$ su [-[l]] [user]
Adding the -l option (or simply -) creates a login shell for the specified user, setting up their environment and changing to their home directory. This is typically preferred. If no user is specified, it defaults to the superuser. For example, to become the superuser with a login shell, use:
[hamed@server1 ~]$ su -
Password:
[root@server1 ~]#
After entering the command, you'll be prompted for the superuser's password. If it is correct, a new shell opens with a # prompt, indicating superuser privileges. Your working directory will be the superuser's home directory (usually /root). You can now execute commands with superuser permissions. To return to your original shell, type exit.
[root@server1 ~]# exit
[hamed@server1 ~]$
Instead of starting a new interactive shell, you can execute a single command as another user using this syntax:
$ su -c 'command'
The command you want to execute should be enclosed in single quotes to prevent shell expansion before it's passed to the new shell.
sudo: Execute a Command As Another User
The sudo command offers similar functionality to su but with enhanced control. Administrators can configure sudo to allow regular users to execute specific commands with elevated privileges, typically those of the superuser. Unlike su, sudo doesn't require the superuser's password; instead, it uses the user's own password. For instance, if you're permitted to run a backup script requiring root privileges, you might use sudo to execute it without needing the root password. To do this:
[hamed@server1 ~]$ sudo backup_script
Password:
System Backup Starting…
When you run sudo, you're prompted for your own password, not the superuser's. Once you have authenticated, the specified command runs. Unlike su, sudo doesn't create a new shell or load another user's environment. This means you don't need to quote commands differently. While sudo is primarily for executing single commands, it can also start an interactive superuser session using the -i option. Refer to the sudo man page for more details.
To see what privileges are granted to your user by sudo, you can use the -l option to list them.
[hamed@server1 ~]$ sudo -l
User me may run the following commands on this host:
(ALL) ALL
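The (ALL) ALL entry above means the account may run any command as any user, which is the broadest grant sudo can give. As an added example (not part of the original page), the shell function below reads sudo -l output and labels each rule line so that unrestricted or password-less grants stand out during an account review. The function name audit_sudo_l and the path /usr/local/bin/backup_script are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: label each rule line printed by `sudo -l`.
# Usage on a live system:  sudo -l | audit_sudo_l
# Output is tab-separated: verdict, run-as spec, command list.
#   UNRESTRICTED  the command list contains ALL (any command allowed)
#   SCOPED        only the listed commands are allowed
#   +NOPASSWD     the rule runs without a password prompt
# Only tags at the start of the command list are inspected.
audit_sudo_l() {
    awk '
        # Rule lines are indented and begin with the "(run-as)" spec;
        # header and "Matching Defaults" lines are skipped.
        /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            runas = line; sub(/\).*/, ")", runas)
            cmds = line;  sub(/^\([^)]*\)[ \t]*/, "", cmds)
            nopass = 0
            # Strip leading tags such as NOPASSWD: or SETENV:
            while (match(cmds, /^[A-Z_]+:[ \t]*/)) {
                if (substr(cmds, 1, 9) == "NOPASSWD:") nopass = 1
                cmds = substr(cmds, RLENGTH + 1)
            }
            verdict = "SCOPED"
            n = split(cmds, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (parts[i] == "ALL") verdict = "UNRESTRICTED"
            if (nopass) verdict = verdict "+NOPASSWD"
            print verdict "\t" runas "\t" cmds
        }
    '
}

# Constructed sample: the listing shown above plus a hypothetical
# rule that limits the user to a single backup script.
printf '%s\n' \
    'User me may run the following commands on this host:' \
    '    (ALL) ALL' \
    '    (root) NOPASSWD: /usr/local/bin/backup_script' | audit_sudo_l
```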