These systems exist to protect a system from the case where a malicious user manages to obtain root access. Under Apple's System Integrity Protection (SIP) (aka "rootless") system, certain files and directories are locked down so that only applications on the appropriate whitelist can access them. Under SELinux (Security Enhanced Linux), there's effectively an access control list that determines which program can do what, and even root can't get past those restrictions. ¹ One more thing: modern Unix versions can now restrict even what the root user can do. An automated process would add you to the sudoers files of those servers you were authorized to access, and remove you when your authorization expired. Instead, there was a database of who was allowed to work on which servers. In fact, in organizations where someone else administers your computer for you, it's quite common to not know the root password of your own computer - as long as you're in the sudoers file, it doesn't matter.Īt one company I worked for, with a ginormous server farm, only a very, very small number of people knew the root passwords. Without the sudoers file, the only administrator is root. Effectively, your administrators are root, plus everybody listed in the sudoers file. The sudoers file is what gives you multiple administrators⁴. The sudoers file determines who can use the sudo command and what they can do with it. The result is the same as if you had logged in as root or executed the su command, except that you don't need to know the root password but you do need to be in the sudoers file. You don't even need the root password, just your own login password.Īnd of course, sudo su would allow you to simply become root. sudo vi /etc/hosts would allow you to edit the hosts file as if you were running as root. The "sudo" command lets you execute commands with superuser privileges as long as your user id is in the sudoers file, giving you the necessary authorization. So the "sudo" command (short for "substitute user do") was invented. That's a bit of a hassle, and also doesn't let you give users partial administrative powers. Prior to the invention of the "sudo" command, if you wanted to perform administrative tasks, you had to login as root, either by getting a login prompt² somehow, or with the su command ("su" being short for substitute user.)³ Root can access any file, run any program, execute any system call, and modify any setting. Root user has user id 0 and nominally has unlimited privileges. The origins of the name are a little archaic, but that doesn't matter. "root" (aka "superuser") is the name of the system administrator account. "sudo" is a command which allows ordinary users to perform administrative tasks. So, to wrap this up, when you pass only - to su it is basically ignoring the - and acting like you did not pass any option at all.Executive summary: "root" is the actual name of the administrator account. This is true of many command-line tools ( ls -R will do a recursive ls whereas ls -R will perform an ls on a file or directory named -R. For example, if you run touch -R you'll receive an error saying that -R is not an option to touch, but if you run touch -R it will create a file named -R. Passing a double-hyphen to a command is typically used to mark the end of command-line flags and the beginning of non-flag arguments. This includes setting your directory to your home directory and setting a bunch of other environment variables. Provide an environment similar to what the user would expect had the user logged in directly. The man page for su describes the behavior as: Passing a single hyphen is identical to passing -l or -login. When you provide a double-hyphen the experience you will have is identical to if you had just executed sudo su without any hyphen.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |