Subtitles of the Movie

Two very important Linux/UNIX utilities that you need to be aware of are su and sudu. Now, su and sudu basically are utilities that will allow you to become root or become another user if you like, usually though privileged users is what you will use these for and you can become those users or become root so that you can have limited, temporary use of those higher-level privileges and you might want to do system maintenance, system tasks and so forth with those privileges. The reason you want to use these is that you do not want to login as root and use the root account for things other than system maintenance or system administration, such as checking your e-mail or surfing the net. The reason this is is that while you're logged in as root, any process that is running on the system is running in the context of the root account so it has root-level privileges and so forth so a malicious script or something could conceivably run on the system without you knowing it and could do some damage to the system so you don't want to be logged in as the root account on a normal basis. You want to have a lower-level privilege account that you do typical day to day things with; check e-mail, surf the net and so forth. But there are going to be occasions where you're using your normal user account and you need to temporarily get root privileges and that's what su and sudu are used for. Now, su is a little bit different in that if you use su, you assume root and you stay that way for a while. Any command you run after you've used the su command is as root and has root-level privileges. So you know, you could su to root and then get and stay that way and then a malicious piece of software or script would have root-level privileges on a continuing basis. What's better to use is sudu and sudu basically allows you to run only specific, certain commands as root and those have to be laid out in what's called the suduer's file. So sudu uses the suduer's file as a configuration file and it basically specifies which users are allowed to sudu and to which accounts. Maybe it's a root account, maybe it's to a different account and what specific commands they can do while using sudu. Also, the use of sudu is audited so you can actually track user's actions back to them. So if someone used their sudu privileges to obtain root privileges and performed a certain action, then you would be able to look at the audit logs and see who did that. So su and sudu are very commands to use. I would recommend sudu over su. We're going to go ahead and look at the a quick demo of these commands. Now, the first thing we want to look at is how to configure sudu rules. Now, we're in the GUI of openSUSE 11 here right now and basically it allows you to add users and rules for use for sudu and I've already added my Bobby account here and basically what it's going to allow me to do is run any command that I want as root. We can specify a certain command, we can specify certain accounts that I can run as. So we're going to go ahead and leave that as it is but we could also add users if we wanted to and so forth. So we're finished with this. The other way to edit the suduer's file is actually through the file itself. We could actually go in and edit the suduer's file. It's in etc. suduers and we can do this either this way or the graphical way. It depends upon whether you like to do things at the Command Line or with the GUI and depending upon your Linux distribution, you may have other utilities you can use to edit the suduer's file. Now, it specifies in the file that you actually edit it with the visudu command as root in order to make these changes and while there's a lot more options that you can manipulate in this file than you normally can with the GUI, essentially it does the same thing; it allows you to specify which users can assume which account-level privileges, for example the root account and what commands they can actually do in while using sudu and here is the same information we saw in the GUI just a second ago. So you have those two configuration options that you can use to modify the suduer's file. Now, let's go ahead and take a look at su and sudu. OK, we're logged in as Bobby and what I want to do is go ahead and open a terminal window up and from the prompt you can see, you can get the idea that I'm logged in as an unprivileged user. So let's say I want to use a privileged command. In that I'm going to use just a normal ifconfig command but to demonstrate how to use su, basically it's just su and then if you want to, if you type in su by itself, it assumes the root command and that will put you to root. If you use that dash, that also adopts root's profile and that can be very useful in that you may not have the same profile path for example that root does so you may want to be able to use the same profile that root uses when you su just for convenience sake. So we're suing. It's going to prompt us for the root password and now as you can see from the prompt hash marks, we are root now. We can run an ifconfig, whatever we want to do. Let's go ahead and exit out of su and that puts us back out of the context of root. We're back in our normal user account. Now, let's look at sudu which I think is a much more useful command to use and something that you'd probably want to do a lot more than using su. Now, you could, for example, let's say in this openSUSE11 box, let's say we wanted to run YaST and YaST is basically the program that manages hardware and so forth in openSUSE. Your Linux distribution may have other types of programs that may do this so this is an SBin. We're going to go ahead and run it. Now, as you can see, this is a program that normally requires root privileges to run the YaST control center so we get a little pop-up message; YaST control center is not running as root. You can only see modules that do not require root privileges. And the modules that we can see don't really do a lot for us; software and network services, the browser and release notes. That doesn't do much for us so what we can do is go back and run sudu as YaST and telling it to do a sudu will allow us to run that command as root and no other command. Now, we're going to get root's password prompted for us and then it's going to open YaST up as the root user in the context of root and as you can see, our options have changed. We didn't get that little nag message about being root and now we can do basically any kind of hardware or software configuration we want to do. We can configure network devices, network security and so forth. Something that we cannot do as a normal user and we can quit out of here if we want and it will take us back to our normal user account. We won't be just still using root's privileges for other commands. So that's a security feature built in that allows you to limit what people can do as root so I highly recommend that you use sudu versus su if you're going to do this but even if you have to use su sometimes for an extended amount of time, that's still at least better than logging in directly as root and staying at root on a continuing basis. So those are the su and sudu commands that you can use in Linux and most UNIX variants; BSD, UNIX, Solaris and so forth.