Sudo like you want to

moopet

Ben Sinclair

Posted on April 9, 2019

Sudo like you want to

The Goblin King

You remind me of the babe.
What babe?
The babe with the power.
What power?
The power of sudo.
Who do?
You do.
Do what?
Remind me of the babe.
-- David "root" Bowie.

Backstory

su is short for "substitute user". It's generally pronounced "ess-you". It's almost always used to switch to the root user (the default if you don't specify anyone), but it doesn't have to.
If I was on the same system as you, and I had the necessary access, I could switch to you. Here I demonstrate trying to su to someone else, but not having their password and getting the push-off:

$ whoami
sarah
$ ls /home
sarah/    toby/   goblinking/
$ su toby
Password: ********
su: Sorry
$ whoami
sarah
$ # nuts.
Enter fullscreen mode Exit fullscreen mode

Of course, if I'm root, then anything goes:

$ su
Password: ********
# whoami
root
# su toby
$ whoami
toby
$ # Rock on.
Enter fullscreen mode Exit fullscreen mode

sudo is really an alternative to allow users to run stuff as other people - usually root - without knowing the root password or having to start an entire interactive shell as someone else.
It's pronounced "sue doo". Not like "pseudo", though that kind of fits the purpose if you tilt your head and squint at the world I guess.

$ cd /var
$ touch this
touch: this: Permission denied
$ # U can't touch this.
$ # Now that song is in your head. My, my, my.
$ # You are welcome.
$ sudo touch this
$ ls this
-rw-r--r--  1 root  wheel  0  9 Apr 12:42 this
$ # Rock on.
Enter fullscreen mode Exit fullscreen mode

Like I said, it's mostly used to become root.

Why is being root a problem?

People tend to leave themselves as root for way too long without logging back out. It's too easy to become root to perform one action and then to carry on and run all your next commands as root too. They might be perfectly innocent commands, but there's always the chance...

  • your commands touch files in your home directory and from that point any application which needs to write to them silently fails
  • an installation of a package suddenly hoses your environment because your system depends on one version of a package and now you've globally overwritten it with another
  • an errant rm -rf nukes your system from orbit

Modern UNIX

I think the blame for a lot of the problems with becoming root lies with MacOS, to be honest. It's a multi-user system (UNIX) that is pitched as a single-user system (everyone has their own laptop with just one account on it). What this means is that people get used to there being no terrible side-effects.

As an example, the word from the horse's mouth regarding fixing problems with homebrew is:

sudo chown -R $USER:admin /usr/local
Enter fullscreen mode Exit fullscreen mode

Well, it's ok if nobody else is ever going to share your computer (like your MacBook) but this sort of hack is absolutely terrible if you run it on a multi-user system (like your webserver).

I'm also jumping ahead, so let's back up a little...

Why is su a problem?

su won't let you become root without root's password. That means everyone who needs root access has to know - i.e. share - the password, and it means that if it changes, all those users have to be told what it's changed to, and that generally means a whole heap of insecurity because people have a habit of sending slack messages like,

Yo tobes, the root password to my-secure-box is now 'thirt33n0clock'

su behaves differently depending on your environment. If you run su - goblinking then you'll effectively log in as that user and have access to all their aliases and the things they've set up in their shell configuration. If you miss out the minus sign, you won't. Unexpected things happen, and unexpected things are dangerous things.

Why is sudo a good idea?

Accountability

If your name's not down, you're not coming in:

$ whoami
goblinking
$ sudo run-malicious-script
Password: ********
goblinking is not in the sudoers file. This incident will be reported.
Enter fullscreen mode Exit fullscreen mode

Every sudo command is in your history, and it's logged as being run by you.
If toby and goblinking were both logged in as root, how could we tell which user had run the malicious script? We couldn't. Well, not easily. Ok, ok, we could check ttys and look under doormats and fiddle with knobs in our surveillance van. Shh. For the purposes of this article, we couldn't tell.
sudo gives us an audit trail. It also means that each user can examine their own history and remember what they did last week, without that history being muddled up with every other person who shared the root experience.

You don't have to share your root password

sudo exists to fix that problem with su.

What are some good practices with sudo?

sudo will edit (-e) the file with whatever editor is configured. See the environment variables EDITOR, SUDO_EDITOR and VISUAL, which are fun to have configured anyway.

$ # Instead of this...
$ sudo nano /etc/nginx/sites-available/default
$ # Do this...
$ sudo -e /etc/nginx/sites-available/default
Enter fullscreen mode Exit fullscreen mode

sudo can give you a root shell, without having to run an extra process.

$ # Instead of this...
$ sudo su
$ # Do this...
$ sudo -i
Enter fullscreen mode Exit fullscreen mode

sudo lets you run a single command as another user.

$ # Instead of this...
$ su
Password: ********
# su goblinking
$ ./my-hilarious-jape.sh
$ exit
$ # Do this...
$ sudo -u goblinking ./my-hilarious-jape.sh
Password: ********
Enter fullscreen mode Exit fullscreen mode

It's not a hammer.

I know what I said earlier.

I've come to fix the server

If some command you've copied and pasted from the Interweb doesn't work, don't just shove sudo in front of it and hope; search for the name of the program and the error message you saw instead.
Sure, it might be that you should run it as root, but there's also a pretty good chance you don't need to, and that you're trying to beat your problem into submission rather than fix it.

See also



The Introduction to sudo from its official site.

Cover image by Jimi Filipovski on Unsplash.
Hammer time image by me.
Bowie image by... erm... I found it somewhere.

💖 💪 🙅 🚩
moopet
Ben Sinclair

Posted on April 9, 2019

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Sudo like you want to
beginners Sudo like you want to

April 9, 2019