Becoming superuser (or root)
For many tasks on Linux, you need root or superuser
authority. The root user, sometimes called the
superuser, is the user that is normally used for
administrative tasks like configuring the system or installing
software. Use root only when you
need to do administrative tasks; avoid using
root for your normal work. The
root user can do anything, including accidentally destroying your
system, which is usually not a good thing. Normal users have fewer
privileges, and the system is much more protected from being
inadvertently damaged by normal users.
Most administrative applications that have a graphical interface now ask for the root password before allowing non-root users access to the function. When you need to run commands from a terminal window as root, this doesn't help.
Your first thought may be to switch to another userid by logging out of
the current userid and logging in as the new userid. But what if you
only need to run a couple of quick commands as another user? Linux has
a solution for you: The
su and sudo commands allow you to
temporarily run one or more commands as another user. This is often
used for tasks that require root access. Indeed, if you connect
remotely to a system using a terminal program such as
ssh (or the very insecure
telnet), then many Linux distributions will
prevent you from signing in as root. This is a good security practice,
and we encourage you to not try to circumvent it. Rather, you should
sign in as a non-privileged user and then use the
su or sudo command to do the work you need to do with root authority.
To summarize, there are two main ways to run an arbitrary command with root authority.
- Use the su command, usually with the - option, to become root.
- Use the sudo command to execute a single command with root authority.
On systems such as Fedora or OpenSUSE, both methods are available,
although su is perhaps more common.
On Debian-based systems such as Ubuntu, the security model prevents
root login, so you can neither log in as root nor use
su to become root; you must use sudo.
Suppose you are logged in and looking at a terminal window, and you are
not the root user but need to run a command, such as
fdisk, which requires root authority. You
switch to root using the
su command alone,
or, more commonly, add the
- option. The su command without the
- option simply switches you to become
root, but does not change your environment variables. The
- option, which may also be typed -l or --login
if you really like typing extra letters, allows the login startup
files for the substitute user to be read, thus setting things such as
the path, environment, and prompt to those of the target user. Listing 2 shows examples of these two
forms on our Fedora system. We've used the
pwd (print working directory) command to
show the current working directory in each case. Note how the prompts
differ. If you'd like to understand more about how to customize your
own prompts or what makes these prompts appear as they do, check out
the "Prompt magic" tip on developerWorks.
Listing 2. Switching to the root user
[ian@echidna ~]$ su
Password:
[root@echidna ian]# pwd
/home/ian
[root@echidna ian]# su -
[root@echidna ~]# pwd
/root
You will notice, not surprisingly, that you had to provide a password
to switch to root. Once you have root authority, you can use
su to switch to another user or to switch to root with the login option.
If you want to switch to a non-root user, just add the id. As before,
you can use the
- option or not, according
to your needs. For example:
su - db2inst1
To return to the previous id, type
exit and press
Enter if you are using the bash shell, which is
the default on most Linux systems.
Now that we've learned how to use su, let's
put it into practice with the fdisk command.
Listing 3. Running the fdisk command with su
[ian@echidna ~]$ fdisk /dev/sda
Unable to open /dev/sda
[ian@echidna ~]$ su -
Password:
[root@echidna ~]# fdisk /dev/sda

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): q

[root@echidna ~]# exit
logout
[ian@echidna ~]$
Like the su command, the
sudo command allows you to run commands
with the authority of another user. The commands that a given user or
class of users may execute are listed in the /etc/sudoers file. In
contrast to the
su command, you do
not need to know the password of the root, or
other user, although you will need to provide your own password. The
/etc/sudoers file is maintained by root and can be edited using the
visudo command. Usually, if you are executing multiple
commands in rapid succession, you will not need to reenter your
password for each one. An alternative is to run
sudo with the -s
option, which runs a shell for you, from which you can run many
commands as the target user until you close the shell. Listing 4 illustrates both.
Listing 4. Using the sudo command on Ubuntu
ian@pinguino:~$ fdisk /dev/sda
Unable to open /dev/sda
ian@pinguino:~$ sudo fdisk /dev/sda
[sudo] password for ian:

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): p

Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x54085408

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        2611    20972826    7  HPFS/NTFS
/dev/sda2            2612        2624      104422+  83  Linux
/dev/sda3            2625       14593    96140962    5  Extended
/dev/sda5            2625        2689      522081   82  Linux swap / Solaris
/dev/sda6            2690        5180    20008926   83  Linux
/dev/sda7            5181        9341    33423201   83  Linux
/dev/sda8            9342       14593    42186658+  83  Linux

Command (m for help): q

ian@pinguino:~$ sudo -s
root@pinguino:~# fdisk /dev/sda

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): q

root@pinguino:~# exit
ian@pinguino:~$
If you are not authorized in the sudoers file, you will receive an error message similar to that in Listing 5.
Listing 5. Attempting to use sudo without authority
[ian@echidna ~]$ sudo fdisk /dev/sda
[sudo] password for ian:
ian is not in the sudoers file.  This incident will be reported.
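The "incident will be reported" message in Listing 5 means sudo writes the refused attempt to the system log. The following is an added example, not part of the original article: it extracts refused sudo attempts from syslog-format lines and counts them per user. The sample log lines are constructed, the function names are hypothetical, and the log file location (commonly /var/log/secure on Fedora and /var/log/auth.log on Ubuntu) depends on the distribution.

```shell
#!/bin/sh
# Constructed sample lines in the syslog format sudo writes; not from a real host.
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 echidna sudo:      ian : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ian ; USER=root ; COMMAND=/sbin/fdisk /dev/sda
Mar  3 10:16:40 pinguino sudo:      ian : TTY=pts/0 ; PWD=/home/ian ; USER=root ; COMMAND=/sbin/fdisk /dev/sda
Mar  3 10:17:05 echidna sudo[2211]:      ian : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ian ; USER=root ; COMMAND=/bin/bash
Mar  3 10:20:11 echidna sudo:    guest : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:21:30 echidna sshd[812]: Accepted publickey for ian from 192.0.2.10 port 50022 ssh2
EOF
}

# denied_sudo (hypothetical name): read syslog lines on stdin and print
# "user<TAB>reason<TAB>command" for every attempt that sudo refused.
denied_sudo() {
  awk '
    / sudo(\[[0-9]+\])?: / && (/user NOT in sudoers/ || /command not allowed/) {
      line = $0
      sub(/^.* sudo(\[[0-9]+\])?: */, "", line)   # drop timestamp, host and tag
      split(line, f, / ; /)                       # f[1] is "user : reason"
      split(f[1], who, / : /)
      p = index(line, "COMMAND=")                 # COMMAND= is the last field
      cmd = p ? substr(line, p + 8) : ""
      printf "%s\t%s\t%s\n", who[1], who[2], cmd
    }'
}

# denied_counts (hypothetical name): per-user totals, highest first, as user=count.
denied_counts() {
  denied_sudo | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $2 "=" $1 }'
}

# Run against the constructed sample; on a real system, feed the auth log instead.
sample_log | denied_sudo
sample_log | denied_counts
```

The successful sudo run on pinguino and the sshd line are ignored; only the three refused attempts are reported.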