sudo, su, and the Root User

The root user (UID 0) on Linux can do anything: delete the kernel, format any disk, read every file. This is dangerous. sudo exists so you almost never have to log in as root — instead, you do specific privileged things, with a password prompt and an audit log.

The three ways to be root

1. sudo (the right way)

Run a single command as root. Asks for YOUR password. Logged.

sudo apt update
sudo systemctl restart nginx
sudo nano /etc/hosts

2. sudo -i / sudo su (full root shell)

Open an interactive shell as root. Use sparingly. Type exit to leave.

sudo -i
# now you are root, prompt usually changes to #
whoami      # root
exit

3. su - root (the old way)

Switch user to root by entering ROOT’s password. On Ubuntu and many distros, root has no password set, so this is disabled by default.

su -        # become root (need root password)
su - alice  # become user alice (need alice's password)

Why sudo, not su

  • You don’t need to share or know the root password.
  • Every sudo invocation is logged to /var/log/auth.log (Debian) or /var/log/secure (RHEL).
  • You can grant specific commands to specific users without giving them full root.
  • Less time spent as root = fewer accidents.
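As an added example (not part of the original post), here is a small POSIX shell script that audits the sudo entries the bullet above says are written to /var/log/auth.log: it counts invocations per user, picks out refused attempts, and flags full root shells. The log lines are constructed to match Debian's sudo log format, and the function names are my own.

```shell
#!/bin/sh
# CONSTRUCTED sample of /var/log/auth.log lines (Debian format); not from a real host.
SAMPLE_LOG='Mar  5 10:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  5 10:12:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  5 10:13:00 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  5 10:13:40 web1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  5 10:14:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  5 10:15:00 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2'

# Source of log lines; on a real Debian box replace the body with: cat /var/log/auth.log
log_lines() { printf '%s\n' "$SAMPLE_LOG"; }

# Only the lines sudo itself wrote: "... sudo:    <user> : <details>" (drops sshd etc.).
sudo_events() { log_lines | grep -E ' sudo: +[^ ]+ : '; }

# Extract the invoking user from each sudo line (the field before the first " : ").
sudo_user() { sed -E 's/^.* sudo: +([^ ]+) : .*$/\1/'; }

# Lines where sudo refused: wrong password or the user is not in sudoers at all.
failed_sudo() { sudo_events | grep -E 'incorrect password attempts|NOT in sudoers'; }

# Successful invocations whose COMMAND is a shell, i.e. sudo -i / sudo -s / sudo su.
# The post says to use those sparingly, so they deserve a second look.
root_shells() {
  sudo_events | grep -v -E 'incorrect password attempts|NOT in sudoers' \
    | grep -E 'COMMAND=(/usr)?/bin/(ba|z|da)?sh( |$)'
}

# One "user count" line per invoking user, sorted by user name.
count_by_user() { sudo_events | sudo_user | sort | uniq -c | awk '{ print $2, $1 }'; }

# Human-readable summary of the three views above.
report() {
  echo "== sudo invocations per user =="; count_by_user
  echo "== refused attempts (user count) =="; failed_sudo | sudo_user | sort | uniq -c | awk '{ print $2, $1 }'
  echo "== full root shells =="; root_shells
}
```

Run `report` after sourcing the script; on the constructed sample it shows alice with 4 invocations and bob with 1, two refused attempts, and one root shell opened by alice.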

Useful sudo flags

sudo -i                  # full login shell as root (loads root's env)
sudo -s                  # shell as root, but keep YOUR env
sudo -u alice cmd        # run cmd as alice (not root)
sudo -E cmd              # preserve YOUR environment variables (only if sudoers permits it)
sudo !!                  # rerun the previous command with sudo
sudo -k                  # forget cached credentials immediately

The sudoers file

Who can sudo what is controlled by /etc/sudoers. Always edit it with visudo (which validates syntax — a broken sudoers file can lock you out):

sudo visudo

Common entries:

# Member of 'sudo' group can run anything
%sudo   ALL=(ALL:ALL) ALL

# Specific user, no password (DANGEROUS)
alice ALL=(ALL) NOPASSWD: ALL

# User can only restart nginx
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx

Add a user to sudoers

# Debian/Ubuntu — add to 'sudo' group
sudo usermod -aG sudo alice

# RHEL/Fedora — add to 'wheel' group
sudo usermod -aG wheel alice

# User must log out and back in for group change to take effect

Common mistakes

“command not found” with sudo but not without

sudo replaces PATH with the secure_path value from sudoers, which does not include per-user directories such as ~/.local/bin. Use the full path:

sudo /home/alice/.local/bin/myscript

Redirect doesn’t write to protected file

This fails: your unprivileged shell opens /etc/hosts for the redirect before sudo ever runs, so only echo gets root and the write is denied:

sudo echo "127.0.0.1 host" > /etc/hosts   # NO

Use tee, which runs as root and does the writing (-a appends; drop it to overwrite):

echo "127.0.0.1 host" | sudo tee -a /etc/hosts

Or open a sudo shell:

sudo -i
echo "127.0.0.1 host" >> /etc/hosts
exit

Editing config files

Use sudoedit instead of sudo nano file. sudoedit copies the file to a temp location, opens it as YOU, then writes the result back as root. Safer: your editor and its plugins never run as root.

sudoedit /etc/nginx/nginx.conf

Why “never log in as root”

  • One typo in rm can destroy the system.
  • Every program you run inherits root privileges — including any vulnerabilities.
  • No audit trail of who did what (if multiple admins).
  • If your shell history leaks, attackers learn root commands.

Use sudo. Always.

What to learn next

Permissions — the chmod / chown system that decides who can read, write, and execute every file — is the natural next topic.
