Why Use Sudo Instead of Logging in as Root?

Author: Josh Amata

Last Updated: Tue, Nov 2, 2021

Introduction

In this guide, you will learn about root access, the sudo command, how to run commands using sudo, and the differences between sudo access and root.

Prerequisites

  • A system running Linux such as Ubuntu, Debian, or CentOS
  • A user account with root privileges

What is root?

root refers to the superuser account in Unix-like systems such as Linux. It is a privileged account with the highest access rights on the system used for system administration. This root/superuser account has a user identifier (UID) of zero, regardless of the name of the account.

The root user has full permissions (root privileges) to the entire system. It can do things like modifying core parts of the system, upgrading the system, changing system configuration, and starting, stopping, and restarting all running system services.

When logged in as root (using su -), the terminal command prompt symbol changes from

$ echo 'You are in a normal shell'

to

# echo 'This is a root shell'

On some systems like Ubuntu, the root user is locked by default.

What is Sudo?

The sudo (superuser do) command is a command-line utility that allows a user to execute commands as root or as a different user. It provides an efficient way to grant certain users the appropriate permissions to use specific system commands or run scripts as the root user.

Although similar to the su command, sudo by default asks for the invoking user's own password, whereas su asks for the target user's password. Sudo also runs a single program or command with elevated privileges instead of spawning a root shell, as su does.

With sudo, a system administrator can carry out the following actions:

  • Grant users or groups of users the ability to run certain commands with elevated or root privileges.
  • View a log of the user ID of each user that uses sudo.
  • Control what command a user can use on a host system.

Sudo keeps a log of all commands and arguments executed in the /var/log/auth.log file, which can be analyzed in the event something breaks.
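As an added example (not part of the original article), the following POSIX shell function shows how the sudo entries described above can be reviewed: it prints who ran what as whom, and marks denied attempts, failed passwords, and root shells. The log lines, host name, and user names are constructed samples in the auth.log layout used on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: summarise sudo activity from auth.log-style lines.

# Constructed sample lines in the Debian/Ubuntu auth.log layout (not real logs).
sample_log() {
cat <<'EOF'
Nov  2 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Nov  2 10:15:01 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Nov  2 10:17:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop nginx
Nov  2 10:21:13 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c id ; uptime
EOF
}

# sudo_events: read log lines on stdin, print "status user runas command".
# status is ok, denied (not in sudoers), badpass, or shell (a root shell).
sudo_events() {
  awk '
    /COMMAND=/ && match($0, / sudo(\[[0-9]+\])?:[ \t]*/) {
      line = substr($0, RSTART + RLENGTH)   # drop timestamp, host and tag
      p = index(line, "COMMAND=")
      head = substr(line, 1, p - 1)         # fields written by sudo itself
      cmd = substr(line, p + 8)             # keep the command whole, even with " ; " in it
      n = split(head, f, " ; ")
      who = f[1]; sub(/[ \t]*:.*$/, "", who)
      runas = ""
      for (i = 2; i <= n; i++) if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
      status = "ok"
      if (head ~ /NOT in sudoers/) status = "denied"
      else if (head ~ /incorrect password/) status = "badpass"
      else if (runas == "root" && (cmd " ") ~ /^(\/usr)?\/bin\/(su|sh|bash|dash|zsh) /) status = "shell"
      print status, who, runas, cmd
    }'
}

sample_log | sudo_events
```

On a real system the same function can be fed the log directly, for example: sudo cat /var/log/auth.log | sudo_events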

The sudoers file

By default, sudo uses the sudoers security policy, which is configured in the special file /etc/sudoers. This file can be used to control access rights and password prompt timeouts.

Note: You must have elevated privileges to view the sudoers file.

Open the /etc/sudoers file; it should look like this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

The line:

root    ALL=(ALL:ALL) ALL

means that the root user has unlimited privileges and is capable of running any command on the system.

The line:

%sudo   ALL=(ALL:ALL) ALL

allows all members of the group sudo to execute any command.

Note: '%' in the sudoers file represents a group.

As you can see from the first line in the /etc/sudoers file:

# This file MUST be edited with the 'visudo' command as root

Do not attempt to edit the sudoers file directly. Use the visudo command with root privileges; it locks the file against simultaneous edits and checks the syntax before saving.
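As an added example (not part of the original article), this POSIX shell function audits sudoers text for rules like the two explained above, listing every user or group whose command list is an unrestricted ALL and whether the rule also skips the password prompt. The sample policy and the deploy and backup entries are constructed; aliases and line continuations are not expanded.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant every command.
# Rule layout: WHO HOST=(RUNAS_USER:RUNAS_GROUP) [TAG:] COMMANDS

# Constructed sample policy, not taken from a real host.
sample_sudoers() {
cat <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: ALL
# alice ALL=(ALL) ALL
@includedir /etc/sudoers.d
EOF
}

# audit_sudoers: read sudoers text on stdin and print "kind name nopasswd=..."
# for each rule whose command list is the bare keyword ALL.
# Simplification: aliases and backslash line continuations are not expanded.
audit_sudoers() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[#@]/ { next }        # blank, comment, include
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next } # settings and alias definitions
    {
      who = $1
      kind = (who ~ /^%/) ? "group" : "user"    # % marks a group
      sub(/^%/, "", who)
      rest = $0
      sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", rest)  # drop WHO HOST=(RUNAS)
      nopass = (rest ~ /NOPASSWD:/) ? "yes" : "no"
      gsub(/[A-Z_]+:[ \t]*/, "", rest)          # drop tags such as NOPASSWD:
      sub(/[ \t]+$/, "", rest)
      if (rest == "ALL") print kind, who, "nopasswd=" nopass
    }'
}

sample_sudoers | audit_sudoers
```

The deploy entry is not reported because it is limited to a single command, which is the fine-grained form of rule that least privilege calls for.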

How to Run Commands as Sudo

To run commands as sudo, prepend the command with sudo:

$ sudo command

Sudo prompts you for a password. Enter your account password and press ENTER:

$ sudo command
[sudo] password for user:

The command now runs with elevated privileges.

Sudo Vs. Root

The principle of least privilege is an information and computer security concept: programs and users should be granted only the bare minimum privileges required to perform a task.

When logged in as root, every command entered into the terminal runs with the highest privileges on the system, which violates the principle of least privilege. A simple command like rm can delete core directories or files by accident, without prompting the user. For instance, suppose you try to delete a root directory like /etc using:

$ rm -rf /etc

You will be denied permission because you are logged in as a normal user. When you are logged in as root, no prompt is shown and the entire directory is deleted, which will most likely break your system, because special configuration files needed for running the system are stored in the /etc directory. You could also end up formatting a disk by mistake, and the system won't prompt you.

This flaw also extends to running code or applications as root; a small bug in the application could erase some system files because the application is running under the highest privileges.

Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges).

Sudo can also be configured to run commands as another user, specify which users and groups are allowed to run commands using sudo, or set timeouts for running programs with root privileges by editing your sudoers file.

Consequently, running commands with the root shell is not advised as the chances of you breaking your system are much higher. If you require higher or root privileges to run a command, use sudo to be sure only that command is running with root privileges.

Conclusion

In this guide, you have learned about root, sudo, and the drawbacks that come with running commands directly in the root shell. For more information, check out the sudo man page.

You can learn more about how to use sudo at Vultr in our documentation library.
