Command-line myths (3 Part Series)
You remind me of the babe.
The babe with the power.
The power of sudo.
Remind me of the babe.
-- David "root" Bowie.
su is short for "substitute user". It's generally pronounced "ess-you". It's almost always used to switch to the root user (the default if you don't specify anyone), but it doesn't have to.
If I was on the same system as you, and I had the necessary access, I could switch to you. Here I demonstrate trying to
su to someone else, but not having their password and getting the push-off:
$ whoami sarah $ ls /home sarah/ toby/ goblinking/ $ su toby Password: ******** su: Sorry $ whoami sarah $ # nuts.
Of course, if I'm root, then anything goes:
$ su Password: ******** # whoami root # su toby $ whoami toby $ # Rock on.
sudo is really an alternative to allow users to run stuff as other people - usually root - without knowing the root password or having to start an entire interactive shell as someone else.
It's pronounced "sue doo". Not like "pseudo", though that kind of fits the purpose if you tilt your head and squint at the world I guess.
$ cd /var $ touch this touch: this: Permission denied $ # U can't touch this. $ # Now that song is in your head. My, my, my. $ # You are welcome. $ sudo touch this $ ls this -rw-r--r-- 1 root wheel 0 9 Apr 12:42 this $ # Rock on.
Like I said, it's mostly used to become root.
People tend to leave themselves as root for way too long without logging back out. It's too easy to become root to perform one action and then to carry on and run all your next commands as root too. They might be perfectly innocent commands, but there's always the chance...
- your commands touch files in your home directory and from that point any application which needs to write to them silently fails
- an installation of a package suddenly hoses your environment because your system depends on one version of a package and now you've globally overwritten it with another
- an errant
rm -rfnukes your system from orbit
I think the blame for a lot of the problems with becoming root lies with MacOS, to be honest. It's a multi-user system (UNIX) that is pitched as a single-user system (everyone has their own laptop with just one account on it). What this means is that people get used to there being no terrible side-effects.
As an example, the word from the horse's mouth regarding fixing problems with homebrew is:
sudo chown -R $USER:admin /usr/local
Well, it's ok if nobody else is ever going to share your computer (like your MacBook) but this sort of hack is absolutely terrible if you run it on a multi-user system (like your webserver).
I'm also jumping ahead, so let's back up a little...
su won't let you become root without root's password. That means everyone who needs root access has to know - i.e. share - the password, and it means that if it changes, all those users have to be told what it's changed to, and that generally means a whole heap of insecurity because people have a habit of sending slack messages like,
Yo tobes, the root password to my-secure-box is now 'thirt33n0clock'
su behaves differently depending on your environment. If you run
su - goblinking then you'll effectively log in as that user and have access to all their aliases and the things they've set up in their shell configuration. If you miss out the minus sign, you won't. Unexpected things happen, and unexpected things are dangerous things.
If your name's not down, you're not coming in:
$ whoami goblinking $ sudo run-malicious-script Password: ******** goblinking is not in the sudoers file. This incident will be reported.
sudo command is in your history, and it's logged as being run by you.
If toby and goblinking were both logged in as root, how could we tell which user had run the malicious script? We couldn't. Well, not easily. Ok, ok, we could check ttys and look under doormats and fiddle with knobs in our surveillance van. Shh. For the purposes of this article, we couldn't tell.
sudo gives us an audit trail. It also means that each user can examine their own history and remember what they did last week, without that history being muddled up with every other person who shared the root experience.
sudo exists to fix that problem with
sudo will edit (
-e) the file with whatever editor is configured. See the environment variables
VISUAL, which are fun to have configured anyway.
$ # Instead of this... $ sudo nano /etc/nginx/sites-available/default $ # Do this... $ sudo -e /etc/nginx/sites-available/default
sudo can give you a root shell, without having to run an extra process.
$ # Instead of this... $ sudo su $ # Do this... $ sudo -i
sudo lets you run a single command as another user.
$ # Instead of this... $ su Password: ******** # su goblinking $ ./my-hilarious-jape.sh $ exit $ # Do this... $ sudo -u goblinking ./my-hilarious-jape.sh Password: ********
I know what I said earlier.
If some command you've copied and pasted from the Interweb doesn't work, don't just shove
sudo in front of it and hope; search for the name of the program and the error message you saw instead.
Sure, it might be that you should run it as root, but there's also a pretty good chance you don't need to, and that you're trying to beat your problem into submission rather than fix it.
The Introduction to sudo from its official site.
Cover image by Jimi Filipovski on Unsplash.
Hammer time image by me.
Bowie image by... erm... I found it somewhere.