Usually known as root in my Unix-like systems is the first user created at the installation of the Linux system.

Users in Linux systems usually have their User ID, known as UID in Linux – this is the ID of each user in the system. Linux recognize user by their ID, so root is the first user which makes it bear the ID 0.

The Superuser has all the privileges in the Linux systems – can create, modify, execute and delete ANY file in the system.

How to Use Superuser

It is not safe to root your system, don’t always login as root. Seen couple of friends that rooted their system, making them login as root on system boot with their Desktop Environment. This is not safe, granting all applications root access is not advisable as applications can edit some files without permission and this may damage some system files making it unable to run Linux properly.

SU Command: This command is use to log into the Superuser account in the CommandLine Interface (CLI) and then perform any actions as a Superuser.

But being in the account for a long time, you might sometimes forget to log out leaving the Superuser account logged in and someone somehow seats on your system; he has all access he needs! This is why sudo command was introduced.

SUDO

This is a Linux package that runs a command as another user per command and returns back to the currently logged in account. This package mainly is for running commands as root at a time but also supports running it as another user if any provided.

Installing SUDO

In most Linux Distributions, SUDO comes pre-installed, checking if SUDO is already installed:

Debian/Ubuntu:

$ dpkg -s sudo

Red Hat/CentOS:

$ rpm -qa | grep sudo

Returns the package file name or nothing as not installed

If SUDO is not installed in your system, you can install it using this:

Debian/Ubuntu

# apt-get install sudo

Red Hat/CentOS

# yum install sudo

When installation is done, you have SUDO installed successfully!

Configuring SUDO

SUDO configuration files are located at /etc/sudoers and /etc/sudoers.d. Please do not edit this files with normal text editors like nano or vim; rather use visudo which is a package for editing sudoers file so when you have a syntax error, it will tell you other than just ignoring the configuration and you face a permission problem in your system.

Before we continue, lets look at what the configuration syntax means.

orji ALL=(ALL:ALL) ALL

The configuration is a rule set for the user orji.
First ALL applies to all hosts
Second ALL – Can run command as all user
Third ALL – Can run command as all group
Fourth ALL – Can run all commands

This summarizes that the user orji can run any command as root as long as he provides his password. Pasting this in the /etc/sudoers gives orji the privilege.

Adding a Group

Similar to giving a user a permission, you can also give same permission to a group. The only thing you will do is adding % at the beginning of the rule.

%sshusers ALL=(ALL:ALL) ALL

Giving a User Privilege

I have a user who is ikenna by username and want to give root privilege, it is easy! Just add the user ikenna to the sudo group by typing:

Debian/Ubuntu:

# gpasswd -a ikenna sudo

Red Hat/CentOS

# gpasswd -a ikenna wheel

The user ikenna will now be able to use full root permission with sudo because he has been added to the sudo group. In CentOS, the group name for sudo users is wheel

Giving more Complex Privileges

SUDO package comes with more advance way of privileging users, a complex way of restricting to commands, users and groups.

You create an array of users, groups or commands into a variable and they are being reference with the variable, below I will show example of giving 2 users privilege of shutting down the system only.

  • User_Alias: Use to define variable to hold users
  • Cmnd_Alias: Use to define variables to hold commands
  • Runas_Alias: Use to define variable to hold list of alias users can run
  • Host_Alias: Use to define variable of hosts users can run sudo

Before that, SUDO has  a default place permission files can be kept, which is /etc/sudoers.d. I will be creating a file group1 and the content is:

User_Alias  GROUPONE = ikenna, orji

GROUPONE    ALL = /sbin/shutdown

From the above configuration, save it and you find out ikenna and orji can not run any other command with sudo except shutdown only.

You can specify file system groups too:

User_Alias  GROUPONE = %ftpgroup, orji, %sshgroup

If I want to allow multiple command, I can create a command alias too:

Cmnd_Alias  GONECOMMAND = /sbin/shutdown, /bin/ls, /sbin/reboot
GROUPONE    ALL = GONECOMMAND

Limiting Run as users

Runas_Alias GONERUNAS = www-data, apache
GROUPONE    ALL = (GONERUNAS) GONECOMMAND

Some Tricks with SUDO

Switching to Root: If you are given the whole permission in sudo, you could switch to root itself or any user by typing:

$ sudo su

Switch to the user donjajo

$ sudo su donjajo

Run command as a user or group:

$ sudo -u donjajo ls /

$ sudo -g root ls /