We can switch between users through the su and sudo commands. Also, we can use these two commands to perform certain command operations with the privileges of other users.

su

Here are two arguments for mesg command:

Option Meaning
- or -l or ‑‑login Start a shell as a login shell and switch to the specified user’s home directory.

Stay on the Current Working Directory After Switching User

By default, the su command replaces the current user with the root user.

1
2
3
4
5
whoami
pwd
su    # This is equivalent to su root
pwd
whoami
img

Stay on current working directory after replacing the user

When we replace root with user, we don’t need to enter a password.

Change Current Working Directory to the Switched User Home Directory

With the - or -l or -login option, we can use the new current user’s home directory as the working directory after replacing the user:

1
2
3
4
5
whoami
pwd
su -    # This is equivalent to su -l or su --login
pwd
whoami
img

Change to root's current working directory after replacing the user

sudo

Edit Sudoers File

Locked Before Editing

A more rigorous approach, which locks the /etc/sudoers file and then opens it:

1
visudo    # After marking as occupied, open the /etc/sudoers file through the vi editor

At this point, if a user logged in via another terminal also wants to edit the / etc/sudoers file via visudo, the following alert will appear:

img

When a user is editing the / etc/sudoers file through the visudo command, there is no way for other users to use the visudo command at this point.

Naked Editing

One less rigorous approach is to open the /etc/sudoers file directly and others can edit it at the same time:

1
vi /etc/sudoers

Editing the Content

1
2
# 1. Safely open the /etc/sudoers file through visudo command
visudo
1
2
# 2. Paste this line of setting in that file
usropt ALL=(root) PASSWD:/usr/sbin/userdel,/usr/sbin/usermod, NOPASSWD:/usr/sbin/useradd
img

The line that starts with usropt is our newly added configuration to the sudoers file

1
2
3
# 3. Let's create a user with the same name as the configuration
useradd usropt
echo "opt123" | passwd --stdin usropt    # Set password to opt123

Run the Command as Another User

Let’s replace the current user with the newly created user:

1
2
su - usropt
useradd
img

We can't run the administrator's command directly

We need to use the sudo command to run the administrator’s command:

1
sudo useradd
img

With the sudo command, we ran the administrator's command

When configured, if the command is assigned under passwd, you need to enter the user’s password when using the command to prevent malicious abuse of account permissions by others:

1
sudo userdel    # Needs to provide the current user's password
img

After entering the password of the usropt user, the command can be executed

Alias

We can subdivide each as a part through alias:

1
2
su -    # Replace the current user with root
visudo    # Open the /etc/sudoers file again
1
2
3
4
5
6
7
# Replace the previous setting with below settings
User_Alias USROPT = usropt
Host_Alias USROPTHOST = ALL
Runas_Alias USROPTRUNAS = root
Cmd_Alias USROPTCMDNOPIN = /usr/sbin/useradd
Cmd_Alias USROPTCMDPIN = /usr/sbin/usermod,/usr/sbin/userdel,!/usr/bin/passwd root,/usr/bin/passwd [A-Za-z]*
USROPT USROPTHOST=(USRRUNAS) PASSWD:USROPTCMDPIN,NOPASSWD:USROPTCMDNOPIN
img

Replace the newer settings with the older one

wheel group

We can configure a user’s privileges the same as root through the wheel group:

1
2
su -    # Replace the current user with root
visudo    # Open the /etc/sudoers file again
1
%wheel ALL=(ALL) ALL
img

The default setting that comes with the sudoers file

Create a new user to append a wheel supplementary group to that user:

1
2
3
4
5
6
useradd wheelopt
echo "opt123" | passwd --stdin wheelopt    # Set password to opt123
usermod -a -G wheel wheelopt    # Append wheel to user's supplementary group
su - wheelopt
id
sudo useradd    # Needs to provide the current user's password
img

Enables users to have root permissions by appending the wheel group to the user's supplementary group

References 22.5 su: Run a command with substitute user and group id, SU(1), Sudoers Manual, Visudo 1.8.23 Manual

Buy me a coffeeBuy me a coffee