0

I was trying to understand why "su" fails and "sudo" is successful.

So, since the root account is disabled by default, the "su" command fails. Fair enough.

But the thing that I can't get my grip on is the following:

When a user is trying to execute a command with root privileges a "sudo" is required. I would expect the prompt password to be asking for the "root password" (which at this point, by default, is not set) - as the root privileges are about to be given temporarily to the user.

However, what actually happens is that the user is asked to enter his own password. Could someone explain the logic in this process?

Yaniv G
  • Does this answer your question? [How can I determine the sudo password?](https://askubuntu.com/questions/297046/how-can-i-determine-the-sudo-password) – N0rbert Dec 07 '21 at 11:00
  • Actually no. I'm not trying to understand "how to", but "why" sudo command is asking for the user password rather than the root password, considering root privileges are about to be given to the user. – Yaniv G Dec 07 '21 at 11:05
  • That is how `sudo` is configured by default - you're trusting the user, so ask for the user's password to verify that it is indeed them. You can use `targetpw` to ask for the target user's password if you want – muru Dec 07 '21 at 11:13
  • Does this answer your question? [Sudo is also user login password - why? how to change?](https://askubuntu.com/questions/490746/sudo-is-also-user-login-password-why-how-to-change) – Martin Thornton Dec 07 '21 at 12:38

1 Answer

12

Any user that has been granted permissions by a system administrator can use the sudo command to perform actions with root privileges. su, on the other hand, can be accessed only by users knowing the password of the target account.

  • sudo allows a privileged user to execute a command as another user. If no user is specified, then that other user will be root. The user needs to give his/her password. The security system then checks whether that user has permission to act as root.
  • su allows you to temporarily become another user to execute commands. If no user is specified, then the user will be root. Thus, the password of the target user needs to be entered. On Ubuntu, a su to become root will not work, because the root account is by default not enabled - you can't log in to it. You can however open a root shell with sudo -i, if you have the privileges. This way, you run a shell with root privileges without being logged in to a root account.

The first user created on a freshly installed Ubuntu system, user 1000, automatically is allowed to use sudo to gain root privileges. Any other user must explicitly be granted "sudo" permissions by a user that already has such permissions. Users without such permission will not be able to use sudo to execute commands with root privileges.

vanadium
  • My point is that any user knows his password, so practically any user can gain root permission when he desires. – Yaniv G Dec 07 '21 at 12:14
  • @YanivG how did you come by that conclusion? You have to specify which users or groups you trust and with what in `sudoers` - do you just blindly allow all users to use `sudo` for anything? – muru Dec 07 '21 at 12:50
  • Thanks for the clear explanation. Perhaps the OP is overlooking the fact that *an administrator had to allow the user to use sudo in the first place* (grant the permissions) – Organic Marble Dec 07 '21 at 13:26
  • I emphasized that aspect, and included some detail. – vanadium Dec 07 '21 at 13:42
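
The distinction drawn in the answer and comments (the sudoers policy decides who may act as root; the password only proves who is asking), as an added example that is not part of the original posts. It is a simplified model and not sudo's own parser: the sudoers text and group table are constructed, every rule is treated as granting full access, and only global `Defaults` lines are read. `targetpw` is the option mentioned in the comments; `rootpw` is the related sudoers option that asks for root's password.

```python
# Constructed sample modelled on a stock Ubuntu /etc/sudoers (simplified).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# Constructed group table: alice is the first user (in group sudo), bob is not.
SAMPLE_GROUPS = {"alice": {"alice", "sudo"}, "bob": {"bob"}}


def parse_sudoers(text):
    """Return (global Defaults flags, principals that have a rule)."""
    flags, principals = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if head == "Defaults":
            flags.update(f.strip() for f in rest.split(","))
        else:
            principals.append(head)  # user name, %group, or ALL
    return flags, principals


def sudo_decision(user, groups, sudoers, target="root"):
    """Return (authorized, account_whose_password_is_requested)."""
    flags, principals = parse_sudoers(sudoers)
    member_of = groups.get(user, set())
    # Authorization: is there a rule for this user or one of their groups?
    authorized = any(
        p in (user, "ALL") or (p.startswith("%") and p[1:] in member_of)
        for p in principals
    )
    # Authentication: whose password is requested depends only on Defaults.
    if "rootpw" in flags:
        prompt = "root"
    elif "targetpw" in flags:
        prompt = target
    else:
        prompt = user  # default: the invoking user's own password
    return authorized, prompt


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, sudo_decision(name, SAMPLE_GROUPS, SAMPLE_SUDOERS))
```

Knowing one's own password changes only the second value; `bob` stays unauthorized until an administrator adds a rule or group membership for him.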