In Linux systems, different permissions are assigned to user accounts to maintain security and stability.
Types of User Accounts
- Superuser:
  - A user account typically called root.
  - Has full administrative privileges over the system. Can perform any operation including creating, modifying, and deleting files, managing users, and changing system settings.
  - Since it can perform operations that affect the core of the system, incorrect operations may impact the entire system. It is best practice to avoid logging in directly as root and instead temporarily elevate privileges only when necessary.
- Normal User:
  - A user account for performing everyday tasks.
  - Has limited privileges on the system, and can only operate within their own home directory and other permitted areas.
  - From a security perspective, it is recommended to use a normal user account for daily operations.
- System User:
  - A user account automatically created to run specific services and applications (e.g., apache, mysql, daemon).
  - Not intended for direct human login; only the minimum privileges required by the service or application are granted.
Privilege Escalation Commands
These commands allow a normal user to temporarily borrow superuser privileges to execute commands.
- su (substitute user / switch user):
  - A command to switch from the current user to another user (default is root).
  - Requires the password of the target user.
su - [username]
# The hyphen loads the target user's environment variables
# Example: su - root (switch to the root user)
# Example: su - user_name (switch to user_name)
- sudo (superuser do):
  - A command that temporarily allows executing commands that require superuser privileges.
  - Requires the password of the user executing sudo.
  - Users who can use sudo are managed in the /etc/sudoers file.
sudo [options] [command]
# Example: sudo apt update (update package list)
# Example: sudo systemctl restart apache2 (restart Apache service)
sudo Configuration (/etc/sudoers)
The users who can execute the sudo command and the commands they can run are defined in the /etc/sudoers file. This file is critical, and syntax errors can cause system problems. Therefore, always use the visudo command to edit it instead of editing it directly.
sudo visudo
visudo is a command for safely editing the /etc/sudoers file. It checks for syntax errors during editing and saves the file only if there are no issues.
Common configuration examples:
# The root user can execute all commands as any user and group
root ALL=(ALL:ALL) ALL
# Users in the wheel group can execute all commands without a password
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
# A specific user can execute specific commands without a password
your_username ALL=(ALL) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade
Specifying NOPASSWD: allows skipping password entry when executing those commands. It is important to configure this with minimal scope, considering security risks.
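An added example, not part of the original page: a small Python check that reads sudoers-style text and reports every rule carrying NOPASSWD, rating a NOPASSWD: ALL grant as "high" and a command-limited one as "review". The function name audit_sudoers and the sample text are constructed for illustration, and the check assumes simple one-rule lines (aliases and included files are not resolved).

```python
import re

# Constructed sample input, modelled on the configuration examples above.
SAMPLE = """\
# comment line
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
your_username ALL=(ALL) NOPASSWD: /usr/bin/apt update, \\
    /usr/bin/apt upgrade
"""

# Line types that are not user rules and are skipped by this check.
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG = re.compile(r"^([A-Z_]+):\s*")  # e.g. "NOPASSWD: " in front of a command

def audit_sudoers(text):
    """Return (who, severity, commands) for every rule that carries NOPASSWD."""
    findings = []
    logical = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if (not line or line.startswith("#") or line.startswith(SKIP)
                or "=" not in line):
            continue
        lhs, rhs = line.split("=", 1)
        who = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the (runas) part
        nopasswd, cmds = False, []
        for cmd in (c.strip() for c in rhs.split(",")):
            # A tag applies to its command and the ones after it, until overridden.
            while (m := TAG.match(cmd)):
                if m.group(1) == "NOPASSWD":
                    nopasswd = True
                elif m.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[m.end():]
            if nopasswd:
                cmds.append(cmd)
        if cmds:
            severity = "high" if "ALL" in cmds else "review"
            findings.append((who, severity, cmds))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```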