Linux Superusers

From bib. source

Logging on with a standard user account and then changing your identity to one with administrative privileges is referred to as privilege escalation. (The guide uses the term for this legitimate, authenticated case; the same phrase names the attack in which a user obtains privileges that were never granted to them.) There are two ways of managing privilege escalation: su and sudo.

The method of privilege escalation using the primary command su, which switches to the root user account (or to any other account), should already be familiar. Authentication under su is authentication into the target user account, which means the password required is that of the user being switched into, not that of the user running su (Garn 2022, 48). The exception is when one is already the root user and uses su to switch to another user; in that case no authentication is needed (Ibid).

The alternative method, the primary command sudo, is the only route to administrative commands when the root user account is disabled (its password locked), because standard user accounts can then no longer su to root and must rely on administrative abilities that were delegated to them in advance and are exercised through the sudo primary command (Ibid).

Delegating by sudo

The delegation of administrative abilities for users of sudo is determined by the file at path /etc/sudoers (Ibid). In this file, users and groups may be granted specific commands that can be run only through the sudo primary command (Ibid). The file /etc/sudoers can be edited with any CLI text editor, but it is recommended that the dedicated editor visudo is used, because it locks the file against concurrent edits and verifies the syntax of the changed /etc/sudoers before writing it into place (Garn 2022, 48-49). Running visudo looks something like the following (the path argument is optional, since /etc/sudoers is the default):

visudo /etc/sudoers

The visudo primary command also comes with some command options (Garn 2022, 49):

option   purpose
-c       Check the existing sudoers file for errors without opening it for editing.
-f       Edit or check a sudoers file in a location other than the default /etc/sudoers.
-s       Check the sudoers file in strict mode: an alias that is referenced but never defined (or whose definition forms a cycle) is reported as a parse error instead of a warning.
-x       Output the sudoers file to the specified file in JavaScript Object Notation (JSON) format. Newer sudo releases deprecate this option in favour of the separate cvtsudoers utility.

Any error or mistake in an actively used sudoers file (typically the one at path /etc/sudoers) can break privilege escalation for everyone, because sudo refuses to run at all when it cannot parse the file (Ibid). That is why the file is checked with visudo -c before it is installed.

The sudoers file has its own syntax for single-line entries (user specifications), in which each position has a meaning and a syntax of its own (Garn 2022, 50). The positions are separated by whitespace, though the final position may itself contain spaces. They can be tabled as follows:

field   meaning
0       Name of a user account, or the name of a group prefixed by a percent sign, e.g. %wheel (Ibid).
1       The hostname (or host alias) on which the command may be run, followed by an equals sign and then, in parentheses, the user the command may be run as; a run-as group may follow the user after a colon (Ibid). In the notation of the source: $HOSTNAME=($PROVIDED_USER) (Ibid). If the parenthesised part is omitted, the command may only be run as root.
2       A command, a comma-separated list of commands, or a Cmnd_Alias naming a collection of commands that may be run under the previous constraints. The only built-in alias is ALL; any other alias must be defined elsewhere in the file with a Cmnd_Alias line. A tag such as NOPASSWD: may precede the commands. This position may itself contain spaces, since arguments are part of the command.

Some examples of entries that may be written in /etc/sudoers (Ibid). Note that SHUTDOWN_CMDS is not built in; it is a Cmnd_Alias that must be defined elsewhere in the file. Nothing, including a trailing period, may follow the final command on a line:

# Allow user kaigarcia to run any commands on any hostname as any user
kaigarcia ALL=(ALL) ALL
# Allow user kaigarcia to run the commands in the alias SHUTDOWN_CMDS on any hostname as any user, without a password
kaigarcia ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
# Allow any user in group 'editors' to use the 'sudoedit' command for a specific file on any hostname (as root, since no run-as user is given)
%editors ALL= sudoedit /path/to/file

Then, when logged in as these users on the appropriate hostname, the delegated command line or command lines can be run as follows in the shell:

sudo $COMMAND_LINE

After which the user who executed this is prompted for their own password, not root's (Garn 2022, 48), unless the matching entry carries the NOPASSWD: tag. By default sudo then caches the authentication for a few minutes, so consecutive sudo commands in the same session do not prompt again.
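
To make the field layout and the visudo checks concrete, here is an added example in Python; it is not code from the Linux+ guide or from the sudo project. It parses the user-specification lines of a constructed sudoers snippet into the three fields tabled above, flags the trailing-period mistake, and resolves Cmnd_Alias references the way visudo -c and visudo -s do (an undefined alias is a warning normally and an error in strict mode). The user kaigarcia, the group editors and the alias SHUTDOWN_CMDS come from the entries above; the users bob and carol, the alias BACKUP_CMDS, the /sbin paths and the helper names check_sudoers and visudo_check are assumptions made for the example. visudo_check only wraps the real visudo -c -f and returns None when visudo is not installed.

```python
"""Checker for sudoers user specifications (added example, not from the guide).

Mimics what visudo -c (syntax) and visudo -s (strict alias checking) do, on a
constructed in-memory snippet, so it runs without root and without sudo
installed. #include/@include directives and Defaults lines are not handled.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample. bob, carol, BACKUP_CMDS and the /sbin paths are invented;
# the last two entries are deliberately broken in the ways discussed above.
SAMPLE_SUDOERS = """\
# Allow user kaigarcia to run any commands on any hostname as any user
kaigarcia ALL=(ALL) ALL
# Shutdown-related commands; the alias must be defined, it is not built in
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/poweroff
kaigarcia ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
# Allow any user in group 'editors' to sudoedit one file
%editors ALL= sudoedit /path/to/file
# Group-based delegation of everything, as distros ship it for wheel/sudo
%wheel ALL=(ALL:ALL) ALL
# Broken: the trailing period becomes part of the command specification
bob ALL=(ALL) ALL.
# Broken under strict checking: the alias is never defined
carol ALL=(ALL) BACKUP_CMDS
"""

ALIAS_DEF = re.compile(
    r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")       # alias names are upper-case
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+"                 # field 0: user name, or %group
    r"(?P<host>[^=\s]+)\s*=\s*"          # field 1: host (or Host_Alias) ...
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      #          ... and optional (user:group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"         # optional tags such as NOPASSWD:
    r"(?P<cmds>.+)$"                     # field 2: commands, or a Cmnd_Alias
)


@dataclass
class Report:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # (user, host, runas, tags, [cmds])

    @property
    def ok(self):
        return not self.errors


def check_sudoers(text, strict=False):
    """Return a Report for the sudoers text; strict=True behaves like visudo -s."""
    report = Report()
    lines = [line.strip() for line in text.splitlines()]
    # Pass 1: collect alias definitions. sudoers resolves aliases after parsing
    # the whole file, so an alias may be defined after the line that uses it.
    defined = {m.group(2) for m in map(ALIAS_DEF.match, lines) if m}
    # Pass 2: check every user specification.
    for n, line in enumerate(lines, 1):
        if not line or line.startswith(("#", "Defaults")) or ALIAS_DEF.match(line):
            continue
        m = USER_SPEC.match(line)
        if not m:
            report.errors.append(
                f"line {n}: syntax error, expected 'user host=(runas) [tags:] commands'")
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        for cmd in cmds:
            if cmd.endswith("."):
                report.errors.append(
                    f"line {n}: '{cmd}' ends with '.', which is not a valid command")
            elif ALIAS_NAME.match(cmd) and cmd != "ALL" and cmd not in defined:
                msg = f"line {n}: Cmnd_Alias {cmd} is referenced but never defined"
                (report.errors if strict else report.warnings).append(msg)
        report.entries.append(
            (m.group("user"), m.group("host"), m.group("runas"), m.group("tags").strip(), cmds))
    return report


def visudo_check(path):
    """Run the real 'visudo -c -f PATH' on a candidate file; None if visudo is absent.

    Depending on the sudo version, visudo -c may also check that the file is owned
    by root and has mode 0440, so a scratch copy in /tmp can fail for that alone.
    """
    if shutil.which("visudo") is None:
        return None
    proc = subprocess.run(["visudo", "-c", "-f", path], capture_output=True,
                          text=True, timeout=10)
    return proc.returncode == 0


if __name__ == "__main__":
    for strict in (False, True):
        report = check_sudoers(SAMPLE_SUDOERS, strict=strict)
        print(f"strict={strict}: ok={report.ok}")
        for kind in ("errors", "warnings"):
            for msg in getattr(report, kind):
                print(f"  {kind[:-1]}: {msg}")
```

Run without arguments, the script reports the trailing-period line as an error in both modes and the undefined BACKUP_CMDS alias as a warning normally and as an error with strict=True, which is the difference between visudo -c and visudo -s on a real file. The checker is a teaching aid only; before installing a real sudoers file, run the real visudo -c.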

Administrative file editing

As an aside, the sudoedit primary command (Garn 2022, 50):

From bib. source

[…] permits a user to edit a file with their own credentials, even if the file is only available to the root user. In addition, the user can use their preferred text editor.

This is particularly important considering Linux is configured through files rather than a registry, i.e. rather than a hierarchical database. It also matters for security: sudoedit copies the target file to a temporary location, runs the editor as the invoking user on that copy, and only afterwards copies the result back into place with elevated privileges, so the editor itself, and any shell it could spawn, never runs as root.

Group-based privilege escalation via sudo

A common practice across Linux distributions or distros, especially those that disable the root user account, is to grant all the administrative abilities otherwise held by the root user account to one group, by adding an entry to /etc/sudoers that lets the group run ALL commands on any hostname as any user (Ibid). This group is typically named either “wheel” or “sudo”, depending on the distro (Ibid). Giving a user total administrative privileges, gated behind the sudo command and their own password, is then as easy as making them a member of the wheel or sudo group (Ibid). Conversely, membership in that group is equivalent to having root, and should be reviewed as such.

system_administration superuser_do privilege_escalation sudoers_file administrative_account administrative_accounts administrative_user_account administrative_user_accounts root_user primary_command administrators administrator filepath file_path filepaths file_paths power password_authentication command_option command_options command_flag command_flags alias command_alias command_aliases error error_handling JavaScript_Object_Notation JSON editing_mode editing_modes text_editor text_editors formats file_format file_formats privilege_escalation privilege Linux percentage_sign gatekeeping


bibliography

  • Garn, Damon. The Official CompTIA Linux+ Student Guide (Exam XK0-005). 1.0. Downers Grove, IL: CompTIA, 2022.