In Linux systems, there are two concepts that everyone may be familiar with, one is the sudo command and the other is the root account. The sudo command allows us to execute commands with the highest permissions. Under the root account, all commands have the highest permissions, which is equivalent to all commands having sudo added by default.
So, what is the difference between sudo and root? Why is sudo recommended over using the root account directly? In this tutorial, you will learn about root access, the sudo command, how to run commands with sudo, and the difference between sudo access and root.
root refers to the superuser account in Unix-like systems such as Linux. It is the privileged account with the highest access rights on the system used for system administration. This root/superuser account has a user identifier (UID) of zero, regardless of the account name.
The root user has full authority over the entire system (root privileges). It can do things like modify core parts of the system, upgrade the system, change system configuration, and start, stop, and restart all running system services.
When logged in as root (for example with su -), the terminal prompt symbol changes from
$ echo 'You are in a normal shell'
to
# echo 'This is a root shell'
On some systems (such as Ubuntu), the root account is locked by default. (Note: on Bricklayer it is not locked, but Tencent Cloud locks it by default.)
The sudo (superuser do) command is a command-line utility that allows a user to execute commands as root or as another user. It provides an efficient way to grant specific users permission to use particular system commands or to run scripts as the root user.
Although somewhat similar to the su command, sudo differs in that it requires the user's password for authentication by default, rather than the target user's password that su requires. Sudo also does not spawn a root shell; instead, it runs a program or command with elevated privileges, unlike su, which spawns a root shell.
Using sudo, system administrators can perform the following operations:
sudo logs every command it executes, together with its arguments, to the /var/log/auth.log file, which can be analyzed in the event of a failure.
sudo uses the default sudoers security policy and maintains a special configuration file, /etc/sudoers. This file controls access permissions and the password prompt timeout.
Note: You must have elevated permissions to view the sudoers file
Open the /etc/sudoers file; it should look like this:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
This line:
root ALL=(ALL:ALL) ALL
means that the root user has unlimited permissions and can run any command on the system.
%sudo ALL=(ALL:ALL) ALL
allows all members of the group sudo to execute any command.
Note: the '%' in the sudoers file denotes a group, not a comment.
As the first line of the /etc/sudoers file says:
# This file MUST be edited with the 'visudo' command as root
Do not edit the sudoers file directly. Use the visudo command with root privileges; it locks the file and checks the syntax before saving.
Running a command with sudo is simple: just put sudo in front of the command:
$ sudo command
Generally you will be prompted for your password. Enter it and press Enter.
$ sudo command
[sudo] password for user:
The principle of least privilege is an information and computer security concept which holds that programs and users should be granted only the minimum privileges needed to perform their tasks.
After logging in as root, every command typed into the terminal runs with the highest system privileges, which violates the principle of least privilege. A simple command like rm can delete core root-level directories or files without prompting the user when a mistake is made. For example, if you try to delete a root-level directory such as /etc with the following command:
$ rm -rf /etc
When logged in as a normal user, you will be denied permission. When logged in as root, no prompt is shown and the entire directory is deleted, which will most likely break your system, because the special configuration files needed to run the system are stored in /etc. You could also end up formatting a disk by mistake, and the system will not prompt you.
This flaw extends to running code or applications as root: a small bug in an application can delete system files, because the application runs with the highest privileges.
sudo provides fine-grained access control. It grants elevated privileges only to the specific programs that need them. You know which program runs with elevated privileges, instead of using a root shell (which runs every command with root privileges).
sudo can also be configured to run commands as another user, to specify which users and groups are allowed to run commands through sudo, or to set a timeout for running programs with root privileges, all by editing the sudoers file.
Therefore, running commands from a root shell is not recommended, because the chance of breaking your system is much higher. If you need elevated or root privileges to run a command, use sudo so that only that command runs with root privileges.
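As an added example (not code from the original article), the script below reads the sudo entries from an auth.log-style file, as mentioned in the logging section above, and reports who ran what, whose attempts were refused, and how many accepted invocations opened a full root shell, the pattern this section advises against. The log lines are constructed samples in the format sudo writes to syslog; the host name and paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Summarises the sudo lines
# of an auth.log-style file. The log below is a constructed sample in the
# format sudo writes; the host name and paths are assumptions.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:12:05 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:13:00 host sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Mar  3 10:14:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:14:11 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
EOF

# One tab-separated record per sudo invocation: user, target user, command,
# status ("ok" when sudo accepted the command, else the reason it logged).
sudo_records() {
    awk '/sudo: +[^ :]+ :/ {
        sub(/^.*sudo: +/, "")              # drop the syslog prefix
        n = split($0, f, / ; /)            # fields are separated by " ; "
        split(f[1], head, / : /)           # "user : TTY=..." or "user : reason"
        status = (head[2] ~ /^TTY=/) ? "ok" : head[2]
        target = "?"; cmd = "?"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        printf "%s\t%s\t%s\t%s\n", head[1], target, cmd, status
    }' "$1"
}

# Users whose sudo attempts were refused (wrong password, not in sudoers, ...).
failed_sudo_users() {
    sudo_records "$1" | awk -F'\t' '$4 != "ok" { print $1 }' | sort -u
}

# Accepted invocations that opened a full root shell (sudo -s, sudo -i, sudo su):
# the pattern the article advises against, so it is counted separately.
root_shell_count() {
    sudo_records "$1" |
        awk -F'\t' '$4 == "ok" && $3 ~ /(^|\/)(sh|bash|zsh|su)( |$)/ { n++ } END { print n + 0 }'
}

echo "sudo invocations:";   sudo_records "$SAMPLE_LOG"
echo "refused users:";      failed_sudo_users "$SAMPLE_LOG"
echo "root shells opened:"; root_shell_count "$SAMPLE_LOG"
```

Point the functions at the real /var/log/auth.log (reading it needs elevated privileges, as noted above) to review sudo use on a live system.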
The above is the detailed content of "So many people are confused about the usage and difference between root and sudo in Linux!". For more information, please follow other related articles on the PHP Chinese website!