James's Ramblings

sudo and su

Created: February 19, 2020

sudo

Common Options

  • sudo -s: opens an interactive non-login shell.
  • sudo -i: opens an interactive login shell.
  • sudo -u USER: execute command as USER, rather than root.
  • sudo -H: set $HOME to the target user’s.
  • sudo -E: preserve original environment variables.

Common Options Explained

  • sudo -s: opens an interactive non-login shell.

    Only bashrc files are executed. Doesn’t change working directory.

  • sudo -i: opens an interactive login shell.

    Profile files are executed. Usually profile files source the contents of bashrc files as well.

    As a profile file is executed, this will change the working directory to /root/ and change environment variables, including $PATH.

    Nevertheless, there may be something useful or necessary set in the profile file.

Notes

  • The real and effective uid and gid of the issuing user are then set to match those of the target user account as specified in the passwd file.

  • The sudoers config file is /etc/sudoers and must be edited with visudo.

  • sudo su and sudo su - are bad practice because subsequent commands log as root, rather than per user, the root user has to be enabled, and they launch an additional process.

  • su: switch user.

  • sudo’s name: “su” + “do” = sudo

Extended Options

  • -V: version. When run as root, also prints out the defaults sudo was compiled with, as well as the local machine’s IP addresses.

  • -l: list allowed and forbidden commands for the invoking user.

  • -v: extend the sudo timeout. The default timeout extension is 5 minutes.

  • -k: revoke (kill) sudo privileges by resetting the sudo timestamp.

  • -K: revoke (surekill) sudo privileges by removing the sudo timestamp.

  • -b: run in the background. The process cannot be controlled with the usual job control commands.

  • -p: override the default password prompt. See sudo man page.

Interactive versus login shells

  • A login shell is one whose first character of argument zero is a -, or one started with the --login option.

  • An interactive shell is one started without non-option arguments. This is a simplification.

  • /etc/bash.bashrc and ~/.bashrc are processed for interactive shells (that aren’t login shells).

  • /etc/profile, ~/.bash_profile, ~/.bash_login, and ~/.profile are only processed for login shells.

    By convention, a profile file sources the corresponding bashrc as well, otherwise bashrc contents would not be processed for login shells.

  • The contents of ~/.bash_logout is executed on logout.

  • Shells launched by a terminal emulator are usually interactive.

  • If su [USER] is used, then this is an interactive non-login shell and .bash_profile will not be processed.

  • If su - [USER] is used, then this is a login shell; .bash_profile will be processed. This will also cause the shell to use USER’s $PATH because .bash_profile sets $PATH.

  • This is a simplification and is missing some detail. Further reading: the INVOCATION section of man bash.
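To see the difference in practice, here is a small added shell script (not part of the original post) that builds a throwaway HOME with marker .bashrc and .bash_profile files, then runs bash the way su / sudo -s (interactive, non-login) and su - / sudo -i (login) would, and reports which startup files actually ran. The function names make_fake_home and startup_markers are my own.

```sh
#!/bin/sh
# Added example: which bash startup files run for each invocation mode.
# A throwaway HOME whose startup files only print a marker is created,
# then bash is invoked in the different modes and the markers collected.

# Create a throwaway HOME (constructed test data, removed by the caller).
make_fake_home() {
    fake=$(mktemp -d)
    printf '%s\n' 'echo bashrc' > "$fake/.bashrc"
    # By convention the profile file also sources the bashrc; without
    # this line a login shell would never see the bashrc contents.
    printf '%s\n' 'echo profile' '. "$HOME/.bashrc"' > "$fake/.bash_profile"
    printf '%s\n' "$fake"
}

# startup_markers HOME [bash options]: run bash with a clean environment
# and the given options, returning the markers printed, space separated.
# stderr is dropped because an interactive shell without a tty warns
# about missing job control; that warning is harmless here.
startup_markers() {
    fake=$1; shift
    env -i HOME="$fake" PATH="$PATH" bash "$@" -c 'true' 2>/dev/null \
        | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration of the modes discussed in the text.
FAKE_HOME=$(make_fake_home)
echo "bash -c    (non-login, non-interactive): [$(startup_markers "$FAKE_HOME")]"
echo "bash -i    (su / sudo -s style):         [$(startup_markers "$FAKE_HOME" -i)]"
echo "bash -i -l (su - / sudo -i style):       [$(startup_markers "$FAKE_HOME" -i -l)]"
rm -rf "$FAKE_HOME"
```

Note that many distribution .bashrc files begin with a check that returns early when the shell is not interactive, so a real login shell started non-interactively may still skip bashrc contents even when the profile sources it.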

Repair a corrupt /etc/sudoers file

  • pkexec visudo

su

  • su: opens an interactive non-login shell. Read sudo -s section for implications.

  • su -: opens an interactive login shell. Read sudo -i section for implications.