Gather round, my nerds, and I shall tell you a tale. A tale of wonders, a tale of brave heroes, a tale of world-breaking powers.
Once upon a time, back in the misty dawn of history before the Creation of Linux, two mighty archdruids of Unix cast a spell of Very Puissant Nerdliness with which they tunneled down, down, down … deep into the unknown fundament of our cyberworld, System. They searched for Root, the transcendent supreme deity of *nix, to tap his all-encompassing power for use by mere mortals.
Those daring wizards, Coggeshall and Spencer, never achieved their goal. But in their attempt, they unleashed Root's fearsome offspring, the omnipotent Sudo, who taught them how to shape and control the very existence of System itself.
And that, my nerdlings, is why we invoke the holy name of Sudo when we attempt our most dangerous spells in Linux. We borrow power from the very gods themselves and pray that our efforts will yield success instead of annihilation.
Okay, maybe I embellished sudo and its history just a tad.
Okay, maybe more than a tad.
Okay, already, it's 99% pure fantasy, are you happy now?
But keep reading and I will reveal to you the truth about sudo and other useful Linux tricks. We will delve into the mysterious realm that is indeed potentially dangerous—but we'll find that it's actually kind of fun.
Remember when you installed Linux Mint, several weeks and several articles back? You created a username and password for yourself. Later, we created another account, with username and password, for guests and we designated its type as Standard. The other choice we could have made is the Administrator type and you probably noticed that your own account details show you as an Administrator.
Do you notice anything odd or missing?
If you change the guest account type to Administrator, that person would be your peer—able to demote your own account to Standard! At that point, you would have to beg to be reinstated as an Administrator because you would be powerless to change your account back on your own.
What the heck?!? Why isn't your account of the Padishah Emperor type, master of your cyber-universe, before whom all Standards and Administrators tremble with fear?
Here's where our real story begins.
The root of the matter
Long ago, before Linux was created, Unix was a powerful operating system for mini-computers and large mainframe types (and it still is). When installing Unix, the first account created is the omnipotent Padishah Emperor type (we call that a "superuser") and by default its username is root (but we'll capitalize it to Root for easier reading). All other users can be considered children of Root, some perhaps more favored than others with greater privileges, but none its equal.
Root has unlimited privileges on the system. It can wipe the hard disk clean, erase all other user accounts, modify critical system files, and execute many other powerful and dangerous functions. For that reason, most Unix users logged in with personal accounts, whose limited privileges prevented them from accidentally damaging anything other than their own personal files.
Of course, system administrators and engineers and others sometimes needed to log in with the root account to work on the system. Being like the rest of us—sometimes forgetful or lazy or careless—they might even go off on a coffee break, leaving a terminal logged in as Root, potentially a huge risk to the security of the system.
Also, the more people who knew Root's password, the greater headache to change it and inform everyone when an employee quit or was fired. Who wants a disgruntled employee to have complete system access, including via remote connection?
Get superpowered with sudo
So two programmers (Robert Coggeshall and Cliff Spencer) came up with a novel idea. They created a program that could be incorporated into Unix systems which would allow designated users to gain superuser privileges temporarily without logging in as Root. That program is known as sudo, an abbreviation of "superuser do".
Such users could gain Root's power simply by confirming their own password after entering sudo in a terminal; they didn't need to know Root's password at all. That meant that the only change necessary when an employee left was to delete his or her account—because the employee never even knew Root's password.
Another advantage of using sudo is that the system can log all commands correctly, pinpointing which user issued a command that caused a problem—if the log just showed Root, but dozens of users could log in as Root, it would be unclear who had messed things up.
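The accountability point above, as an added example that is not part of the original article: each sudo log entry names the invoking user, the account the command ran as, and the command itself. The log lines, the hostname mintbox and the user alice are constructed, and /var/log/auth.log as the log location is an assumption about a Debian-family system such as Linux Mint.

```shell
#!/bin/sh
# Added example. The log lines below are constructed samples in the format
# sudo writes through syslog (assumed location: /var/log/auth.log).
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 mintbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice/testfolder2 ; USER=root ; COMMAND=/bin/cp sample-1.txt /home/guestuser
Mar  3 10:15:01 mintbox sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  3 10:16:40 mintbox sudo:    alice : TTY=pts/0 ; PWD=/home/guestuser ; USER=guestuser ; COMMAND=/bin/mv sample-1.txt new-sample.txt
Mar  3 10:20:11 mintbox sudo: guestuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guestuser ; USER=root ; COMMAND=/bin/chown guestuser:guestuser /etc/passwd
Mar  3 10:21:05 mintbox sshd[812]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Read syslog lines on stdin; print one "STATUS invoker->runas command"
# line per sudo attempt. Non-sudo lines and PAM session lines are skipped.
sudo_audit() {
  awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
      rest = substr($0, RSTART + RLENGTH)
      c = index(rest, "COMMAND=")
      if (c == 0) next                      # PAM/session noise, no command
      cmd  = substr(rest, c + 8)            # may itself contain " ; "
      head = substr(rest, 1, c - 1)
      sep  = index(head, " : ")
      if (sep == 0) next
      invoker = substr(head, 1, sep - 1)
      runas = "?"
      if (match(head, /USER=[^ ;]+/))
        runas = substr(head, RSTART + 5, RLENGTH - 5)
      status = "OK"
      if (head ~ /NOT in sudoers|incorrect password|not allowed/)
        status = "DENIED"
      printf "%s %s->%s %s\n", status, invoker, runas, cmd
    }'
}

sample_log | sudo_audit
```

To run it over a real log, pipe that file into sudo_audit in place of sample_log.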
Also, using sudo requires the user to supply his or her personal password the first time it is used; that grants the user a "grace period" (usually 10-15 minutes) when he or she can use sudo with other commands without having to enter the password again. That makes it convenient for the user but lessens the risks compared to going off to lunch or home for the night while still logged in as Root.
When Linus Torvalds created Linux, he used many of the concepts and much of the terminology of Unix even though the underlying computer code was different. The Root account and the sudo command to temporarily use its powers are legacies from Unix's influence.
Most Linux distros have moved to using sudo as a safer alternative to logging in as Root. In fact, most of them do not set up a Root password nor provide any way to log in as Root. Instead, the primary account created when installing Linux is designated as an Administrator, meaning someone allowed to use sudo (a Root account is created but it is hidden and not directly accessible to users).
Working with sudo
So how do you use sudo? It's really pretty simple.
Certain commands that are potentially dangerous to the system as a whole, or which might impact the files and folders of other users, require Root privileges. For those commands, you simply prefix the command with sudo.
You can think of sudo as a grownup version of the children's game, Simon Says. If the leader says "Hop on one leg" nothing happens; if he or she says "Simon says hop on one leg" then the other kids start hopping. Instead of invoking Simon's authority with the magic phrase, we invoke Root's authority with sudo.
When we left things in a cliffhanger in the last article, we were stumped trying to copy a file into the guest user's Home folder. The command cp sample-1.txt /home/guestuser failed to copy the file and reported that permission was denied.
Let's try it again, using our sudo temporary superpowers.
Start Terminal and change to the directory with our sample files by entering cd ~/testfolder2. Now type the same command, but prefixing it with sudo: sudo cp sample-1.txt /home/guestuser (substitute the name you used for the guest account) and when you press Enter, you will be asked to type in your password. No asterisks or anything else will show (so nobody looking over your shoulder will know how long your password is), but if you enter it correctly the command will be executed with Root privileges.
Notice that your prompt, yourname@yourcomputer, hasn't changed. You aren't logged in as root when you use sudo; you are still using your own account. For example, cd ~ would still take you to your own Home folder. When you preface a command with sudo, you merely request the system to handle that single command as though Root were entering it.
Enter ls -l /home/guestuser and you should see the copied file there.
But wait, something is different. Notice that it now shows root as the owner and group of the file. When we execute commands via sudo, we are temporarily acting as Root so it is as though Root created the file by copying it, not you as your own user account.
Once again, we can use sudo to fix things.
As the all-powerful Root, whether logged in that way or using its powers temporarily, we can change a file or folder's owner and group. We do that with the chown command, in the format chown newowner:newgroup file_or_foldername (note that there are no spaces on either side of the colon).
So change to the guest's Home by entering cd /home/guestuser. Then type chown yourusername:yourgroupname sample-1.txt. Terminal will report an error that permission is denied, reminding you that you need to preface that command with sudo. So, use the up arrow to repeat the command and the home key to go to the beginning of it so you can insert sudo at the start of the command. If your "grace period" for sudo is still in effect, the file's owner and group will be changed. If it has expired you will need to confirm your password again.
If you want to force your grace period to expire, perhaps while you take a coffee break, just enter sudo -k. Do that now and I will show you another trick.
Let's go back to the directory of sample files with cd ~/testfolder2. Now let's try, and fail, to copy another file: cp -vi sample-2.txt /home/guestuser. Oops, foiled again—good!
Well, we could use the up arrow and the home key and edit the command to add sudo or we could do it the easy way. Just enter sudo !! (that's a space and two exclamation points). That funny way of entering sudo means "repeat the last command I entered but do it with sudo."
Again, we can repeat and slightly edit the commands we used earlier to change the file's owner and group from root to our own account.
Be clear that sudo is used in a context-specific way. In other words, the very same command may require you to use sudo sometimes but not at other times. For example, you can chmod the permissions for your own files without sudo, as we did in the last article. But, in a different context, changing the permissions of other users' files would require you to use sudo with chmod.
Similarly, you previously copied files to your own folders freely but you needed sudo to copy them to the guest user's folder. So it's not so simple as "this command needs sudo but this other one does not." It's how you use a command that matters: if you are encroaching on someone else's territory (or that of the system itself), then root privileges and sudo are necessary.
Sudo as a different user
Sudo has another trick up its sleeve. You can use it to execute commands not as Root but as another user, by adding -u username to it. Let's give it a whirl.
Switch to the guest Home with cd /home/guestuser (substituting the actual name of your guest user account). Change the owner and group of the file to the guest user's account with sudo chown guestuser:guestuser sample-1.txt. Verify the new owner and group with ls -l.
Now kill the sudo grace period with sudo -k and then try to rename (move) the file with mv sample-1.txt new-sample.txt. Naturally, since you are not the owner, you can't rename the file.
But you can do so by temporarily acting as the owner, the guest user account. Enter sudo -u guestuser mv sample-1.txt new-sample.txt and confirm your own password and it is as though the guest user is actually doing the renaming of his or her own file.
This is very handy at times. For example, perhaps your website has some folders that are owned by the http process for serving up web pages. That process uses an account name like www and you need to copy the files and folders to another location. If you do it as the temporary Root, the default behavior of sudo, then those files get assigned to Root as the owner. By using sudo with the -u username option, you can temporarily become www and copy the files, retaining their original owner assignment.
Su, the revved-up predecessor of sudo
Another related command, which historically preceded sudo, is su, which stands for "switch user." By default, su switches you to acting as Root but like sudo it lets you specify a different user as an option, using the format su username.
Su doesn't have an automatic expiration of the password like sudo nor does it require you to prefix each command with su; instead, your "outer" session (your desktop and running programs) continues under your own account but in Terminal you temporarily become Root or another user. So some people, like system administrators, sometimes prefer it if they plan to work for a long period as Root or another user. Also, actions that can be carried out with sudo are usually constrained to some degree by configuration settings in your system; su has no such limits when you use it to become Root.
To use su, you simply enter su in Terminal or optionally su username, if desired. For Root, you enter your own password (which acts like the Root password if yours was the primary account created during installation of Linux Mint); to act as another user, you enter that person's password. That makes su less useful for acting as a non-Root user because sharing passwords is typically not a good idea.
Using su changes the prompt in Terminal. Do you remember the password you chose for the guest account you created? If not, click the main Menu, then Administration, and Users and Groups; change the guest password as you wish.
In Terminal, enter su guestuser (substitute the username of your guest account). Enter the guest password when asked and you will notice the prompt changes to show it is the guest user account. The use of the ~ symbol representing Home even changes, reflecting the guest's Home, not your own.
Now you can perform tasks on the guest's files and folders as you please, without having to log out of your Linux session and log in under the guest account. When finished, just enter exit and you will be returned to your own prompt and resume acting under your own account.
Enter su without any option and confirm your own password. The prompt changes more radically, showing that it is Root now operating in Terminal; the user is displayed in bright red and the $ changes to # (symbol for Root). This prompt should always remind you that anything you enter here has potential for causing major changes and problems to the system, so be careful. Again, type exit to return to your own prompt and account.
A few thoughts before powering back down
Note that sudo and su only affect the commands you enter in Terminal. Unlike actually logging out of your account and logging back in as Root or another user, your desktop and programs and settings all remain the same and are still running under your own account.
Linux has some variations on su and sudo, many of which operate behind the scenes but which you will recognize because they require you to enter your password to continue. For example, there are gksu and gksudo which let a graphical program (instead of a command line) operate with Root privileges. Others, such as visudo and vipw, let you modify critical system configuration files with elevated privileges while ensuring that the file's format and syntax are correct.
Su, sudo, and the related commands give you great flexibility and power to work in Linux. With great power comes great responsibility. Always be cautious when you see an instruction in an online article or comment that has su, sudo, or similar "power-me-up!" syntax; sadly, there are people who find it amusing to lead people to believe that a command will do something benign but which actually does something terrible, like erasing the hard drive.
If you gained nothing else from today's article, at least you will now understand why Linux nerds find this cartoon hilarious...and everyone else is completely puzzled.
In previous articles, we took a quick tour of Linux Mint to get an overview; learned how to test drive it on our computers free of commitment or cost; went step by step through the process of installing Linux Mint; learned about users, groups, and permissions; and began to use the command line. If you missed those articles, you can catch up by reading our group blog of Linux users, Tuxville. Visit the blog regularly to keep abreast of future articles in this series.