
#1 2023-01-20 00:43:37

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 52

sudo vs su

Obviously new to Arch.

I am used to doing anything requiring root privileges by using su - .
Arch instructions all seem to recommend using sudo.

Is there a difference in the end result of a command?

At this point, I prefer su - as I get the root environment which gets me out of the user directory,  changes the prompt and I can do all the work I want without having to precede a command with sudo over and over.  BUT!  I'm using Arch now, and wonder if I could introduce some problems by doing it my way.

Offline

#2 2023-01-20 01:01:04

ratcheer
Member
Registered: 2011-10-09
Posts: 912

Re: sudo vs su

I've been using UNIX since the early 80s, and I'm with you.

Offline

#3 2023-01-20 01:04:28

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,858
Website

Re: sudo vs su

Use whatever mechanism you want to become root, any is fine.




...except 'sudo su'. >_>


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#4 2023-01-20 01:42:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,525
Website

Re: sudo vs su

mt_arch_user wrote:

Arch instructions all seem to recommend using sudo.

Which instructions?  Not any of the well curated wiki pages.  Sudo is part of base-devel (which I find silly ... and annoying) and it is almost certainly the most common way for users to run root commands, but wiki pages simply use '#' as the prompt for commands that need to be run as root and do not generally (and probably should not) explicitly include sudo.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2023-01-20 03:12:41

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: sudo vs su

mt_arch_user wrote:

Arch instructions all seem to recommend using sudo.


Nope: https://www.google.com/search?hl=en&sou … org%20sudo


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#6 2023-01-20 03:45:44

Bradley
Member
Registered: 2022-06-25
Posts: 20

Re: sudo vs su

I use sudo su but I can explain.

I use nvidia drivers which don’t load when lockdown mode is enabled through the kernel parameter. My root account is locked and you can’t enable lockdown mode with sudo, but su works.

Offline

#7 2023-01-20 05:28:18

bulletmark
Member
From: Brisbane, Australia
Registered: 2013-10-22
Posts: 653

Re: sudo vs su

ratcheer wrote:

I've been using UNIX since the early 80s, and I'm with you.

So have I but we didn't have sudo back in those days. The first time I encountered sudo (after it was popularized by Ubuntu if I recall correctly) I thought it was a great idea and have used it ever since. I pretty much never use su.

Online

#8 2023-01-20 05:35:42

growler
Member
Registered: 2022-09-26
Posts: 25

Re: sudo vs su

sudo -i
?
You can operate with root privileges (without sudo) until you issue the "exit" command.

Offline

#9 2023-01-20 06:04:49

mpan
Member
Registered: 2012-08-01
Posts: 1,207
Website

Re: sudo vs su

In general Arch Wiki doesn’t require either. The reader is often asked to have root privileges. Any way they want. Even by authenticating as root in the console, which requires neither sudo nor su.

mt_arch_user wrote:

Is there a difference in the end result of a command?

Some:

  • With su one remains root after issuing the single command, which required elevated privileges. One must type `exit` each time.

  • If there are any subshells invoked or commands piped, with su they are also run as root.

  • Sudo leaves a detailed entry in the journal.

  • Sudo offers `sudoedit` command, which runs the editor in user’s unprivileged environment.

Last edited by mpan (2023-01-20 06:07:36)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#10 2023-01-20 06:34:51

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732
Website

Re: sudo vs su

doas ftw!

Offline

#11 2023-01-20 08:37:28

seth
Member
Registered: 2012-09-03
Posts: 51,176

Re: sudo vs su

mpan wrote:
mt_arch_user wrote:

Is there a difference in the end result of a command?

Some:

  • With su one remains root after issuing the single command, which required elevated privileges. One must type `exit` each time.

  • If there are any subshells invoked or commands piped, with su they are also run as root.

  • Sudo leaves a detailed entry in the journal.

  • Sudo offers `sudoedit` command, which runs the editor in user’s unprivileged environment.

* "su -c ls"
* "su -c ls"
* https://www.tenable.com/audits/items/CI … 82049d67e2 (simply 1st google result)
* yes ;)

The biggest difference hasn't been pointed out, though:
"su" requires you to authenticate w/ the password of the target user (root), "sudo" allows to leverage all or selected commands w/ the creds of the source user (your moth… password) - or any interactive authentication at all.

Next to doas, there's also pkexec (think sudo/doas, but needlessly complicated and sorta broken in weird ways wrt the internal password agent…)

Online

#12 2023-01-20 13:48:28

mpan
Member
Registered: 2012-08-01
Posts: 1,207
Website

Re: sudo vs su

seth: cheater! mt_arch_user asked about a command executed from within su session! :D

One may list many differences between su and sudo — I limited my answer to the on-topic one. In general: from su perspective sudo may indeed seem like a “weird su”. Looking the opposite direction, sudo is a versatile tool with the scenario discussed here being merely a single, specific use case. A configurable Swiss Army knife of privilege escalation.



Offline

#13 2023-01-20 15:31:18

Irets
Member
Registered: 2019-02-01
Posts: 143

Re: sudo vs su

I prefer su & doas but with my time on Arch I chose to use su & sudo as base-devel and few other things depended on it. :)

Offline

#14 2023-01-20 17:24:43

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732
Website

Re: sudo vs su

Irets wrote:

I chose to use su & sudo as base-devel and few other things depended on it

base-devel is a group so sudo is still optional with that. The makepkg command falls back to su if sudo isn't present but it should really check for doas as well (IMO).

Offline

#15 2023-01-20 17:52:07

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,525
Website

Re: sudo vs su

Another advantage of sudo or doas over su is the only thing that keeps me using either one rather than just using su: if you pipe into a command with su, it (attempts to) read the password from stdin rather than from the actual terminal.  So, for example, I have a tiny pacman wrapper (called "pac"):

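#!/bin/sh
# pac: run pacman unprivileged where possible, escalate only when required

case $1 in
	# search the repos; fall back to the "aur" command if nothing matches
	-Ss) pacman "$@" || aur "$@" ;;
	# operations that modify the system need root
	-S|-Sy*|-R*|-D|-U|-Fy*) doas pacman "$@" ;;
	*) pacman "$@" ;;
esac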

That works with sudo or doas on the line requiring privilege escalation, but replacing that with `su -c "pacman $@"` would work for simple commands, but fail with `pac -Qdtq | pac -Rsn -` or any other command that pipes into "pac" when the privilege escalation is needed.  I don't believe there is a way to get `su` to read the password from the actual terminal device (i.e., keyboard) rather than from the stdin pipe.

Last edited by Trilby (2023-01-20 17:53:09)



Offline
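
An added example, not part of the posts above or of makepkg: a POSIX sh helper that picks the escalation command for a wrapper like "pac" and refuses to fall back to su when stdin is not a terminal, which is the piped case described in the post above. The function names are hypothetical and the doas, sudo, su preference order is an assumption.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not code from the thread.

# Print the escalation tools found on PATH, in preference order (assumed order).
installed_escalators() {
    for tool in doas sudo su; do
        command -v "$tool" >/dev/null 2>&1 && printf '%s ' "$tool"
    done
    return 0
}

# $1 = space-separated list of available tools (default: what is installed).
# Prints the tool to use. Returns 1 when only su is available and stdin is
# not a terminal, because su would then take the password from the pipe.
choose_escalator() {
    tools=${1-$(installed_escalators)}
    for tool in $tools; do
        case $tool in
            doas|sudo) printf '%s\n' "$tool"; return 0 ;;
        esac
    done
    case " $tools " in
        *" su "*)
            if [ -t 0 ]; then
                printf 'su\n'
                return 0
            fi
            echo "stdin is not a terminal; refusing to use su" >&2
            return 1 ;;
    esac
    echo "no escalation tool found" >&2
    return 1
}

# Usage inside a wrapper script:
#   esc=$(choose_escalator) || exit 1
```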

#16 2023-01-20 18:22:42

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,858
Website

Re: sudo vs su

Head_on_a_Stick wrote:

base-devel is a group

For now...



Offline

#17 2023-01-20 18:56:58

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732
Website

Re: sudo vs su

Well I suppose metapackages are just a convenience.

To stay (vaguely) on topic:

?: the best sudo replacement

Unfortunately these boards won't print the emoji correctly, which ruins the joke. Click on the link for the full effect.

Warning: furries ahoy!

Offline

#18 2023-01-20 20:45:34

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 52

Re: sudo vs su

I guess an explanation of the reason for my question is reasonable here.

I have been using and recommending openSUSE for years.  I have been asked by Windows using friends to install linux on their machines.  I've always been happy to do so.  However...  There's always a really good chance they'll trash the entire system if they have access to the root password.  So, after an install, I always set up a user account for myself and do not give them the root password until I feel they are ready.  openSUSE's version of sudo requires the actual root password, not the user password, so although they can, and have, trashed their user account, the system is still there and I can log in using my account and straighten out their mess.  Any other distro I have tried uses the user password for sudo and allows a new user to gain root permissions.

So, for years, any time I need root permissions, I used su -.  Being new to Arch, I wanted to be sure I didn't unintentionally screw things up.  I hate doing re-installs!

I am truly impressed with the response I got with this relatively simple question!  Thanks all who took the time to reply!

Offline

#19 2023-01-20 20:50:27

seth
Member
Registered: 2012-09-03
Posts: 51,176

Re: sudo vs su

openSUSE's version of sudo requires the actual root password, not the user password

https://man.archlinux.org/man/core/sudo/sudoers.5.en wrote:

rootpw
If set, sudo will prompt for the root password instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

Online

#20 2023-01-20 21:12:31

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 52

Re: sudo vs su

seth wrote:

openSUSE's version of sudo requires the actual root password, not the user password

https://man.archlinux.org/man/core/sudo/sudoers.5.en wrote:

rootpw
If set, sudo will prompt for the root password instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

OH!  I have to print this out and add it to my Arch documentation book!  Thanks!

Offline

#21 2023-01-20 22:40:40

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,858
Website

Re: sudo vs su

I much prefer targetpw, myself. Also timestamp_timeout=0, so I don't end up typing a password that wasn't prompted for because sudo decided to retain it somewhere...



Offline

#22 2023-01-21 00:55:48

kermit63
Member
Registered: 2018-07-04
Posts: 174

Re: sudo vs su

Would a user not in the sudoers list be able to run GUI apps that require elevated privileges by using the root password?

I'm thinking of something like GParted. If I click on the launcher, a dialog shows up asking for authentication credentials, but seems to accept only sudo password and not the root password.

Online

#23 2023-01-21 01:23:28

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 52

Re: sudo vs su

kermit63 wrote:

Would a user not in the sudoers list be able to run GUI apps that require elevated privileges by using the root password?

I'm thinking of something like GParted. If I click on the launcher, a dialog shows up asking for authentication credentials, but seems to accept only sudo password and not the root password.

As far as I know, if a user has the root password, he can do anything he wants.

But...    Under what circumstances would a user have the root password and not be in sudoers?

Offline

#24 2023-01-21 08:59:01

seth
Member
Registered: 2012-09-03
Posts: 51,176

Re: sudo vs su

Under ideal circumstances (no bugs) sudo will not allow anyone not mentioned in the sudoers to elevate their privileges through sudo.
It will then ask for the kind of password that is configured in sudoers.

In a de-facto single-user setup, most config details don't matter.
sudo is a means to allow you to execute specific stuff as root w/o having to issue any credentials (eg. from a script or GUI element) and otherwise as "HEY!!! Pay some fucking attention here!" heads-up when it asks for the password (the thing that MS UAC dialog mostly sucks at…)
In that setup, I'd *never* use targetpw because when it's not equal to rootpw, you just need to memorize more passwords ;)

In a multi-user setup, sudo can do as fine-grained control as you want - its complexity is as much its main problem.
In that setup, rootpw and targetpw are imo not a good idea, because you either remove the "HEY!!!…" part (NOPASSWD) or, for all intents and purposes, need to hand users the root password (so if there's a "su", they have a root shell)
targetpw would allow Joe to act as Jane on their terms (ie. w/o allowing this in sudoers, just sharing the password amongst each other) but that's pointless, because if Joe has Jane's password, he can log or su into her account anyway.
Since sudoers can control who gets to execute what as who else, targetpw is actually my least favorite choice for any setup, but there may be specific contexts where it's reasonable.


Other than that, GParted uses polkit, not sudo.
Also don't run GUI processes as root itfp and if you do, the sudo-pitfall is that it'll drop the environment and you'll lose access to the session bus and possibly display server and will likely leave behind undesired root owned config files/directories, XAuthorities and what not stuff in your $HOME.

Do. Not. Run. GUI. Applications. As. Root. Period.
You most likely won't have to.

Google

Defaults insults

Online
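
An added example, not from any poster or from the sudo project: a POSIX sh/awk check that reads a sudoers-style file and reports which password sudo would prompt for under the rootpw and targetpw flags discussed above, plus any timestamp_timeout value. It assumes only global Defaults lines matter (scoped Defaults, line continuations and include directives are ignored); the function name and the sample file are constructed.

```shell
#!/bin/sh
# Added example: summarise the password-related Defaults in a sudoers-style file.
# Simplification: only global "Defaults" lines are read; scoped forms such as
# Defaults:user or Defaults@host, line continuations and includes are ignored.

sudo_auth_summary() {   # $1 = path to a sudoers-style file
    awk '
    BEGIN { rootpw = 0; targetpw = 0; timeout = "default" }
    /^[ \t]*#/ { next }                       # comments (also skips #include)
    $1 == "Defaults" {
        sub(/^[ \t]*Defaults[ \t]+/, "")      # keep only the option list
        n = split($0, opt, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            o = opt[i]; gsub(/[ \t]/, "", o)
            if      (o == "rootpw")    rootpw = 1
            else if (o == "!rootpw")   rootpw = 0
            else if (o == "targetpw")  targetpw = 1
            else if (o == "!targetpw") targetpw = 0
            else if (o ~ /^timestamp_timeout=/) {
                sub(/^[^=]*=/, "", o); timeout = o
            }
        }
    }
    END {
        # rootpw is consulted before targetpw; with neither flag set,
        # sudo asks for the invoking user password.
        pw = rootpw ? "root" : (targetpw ? "target" : "invoking-user")
        printf "password=%s timestamp_timeout=%s\n", pw, timeout
    }' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sudoers fragment
Defaults env_reset, timestamp_timeout=0
Defaults targetpw
Defaults:alice !targetpw
Defaults rootpw
%wheel ALL=(ALL:ALL) ALL
EOF
sudo_auth_summary "$sample"
rm -f "$sample"
```

Before installing a real fragment, check its syntax with `visudo -cf <file>`.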

#25 2023-01-21 11:39:14

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732
Website

Re: sudo vs su

kermit63 wrote:

I'm thinking of something like GParted. If I click on the launcher, a dialog shows up asking for authentication credentials, but seems to accept only sudo password and not the root password.

See the end of https://wiki.archlinux.org/title/Polkit … identities.

Offline
