Using sudo is a good idea that has been around for decades, but it’s only in the last few years that it’s caught on as an alternative to logging in as root. Using sudo is such an improvement that some Linux distributions, such as Amazon’s Linux-based VMs, have made it compulsory. Working with AWS has reminded me of the importance of sudo -- and knowing when and how to use it.
Logging in as root is easier and quicker. Why use sudo?
The root account is an explosive
The Linux system treats everything like a file. You can make a file, stick things in it, and delete it. It’s pretty straightforward. The Linux security system is also pretty straightforward -- if you own the file, you can do what you like to it. If you want someone else to do things to the file, you can give them permission to read it, write in it, or even run it (if it is a program).
There’s one person that operates above the law of the security system -- the root user. The master administrator. The super-user. It’s a privileged account -- the root user is the only one allowed to do many useful things, like start a web server, reset a forgotten password, and install security patches.
Anyone can use the root user’s account, if they know the password. If you can log in as root, you can ride roughshod over everyone else’s files. It’s dangerous, but not so much because bad guys will abuse the privilege to spy on users, launch attacks on other systems, and steal data. The big problem with using the root account is that you are only one unfortunate command away from disaster. The longer you work as root, the closer you get to accidentally blowing a big hole in your operating system.
sudo is a stabilizer
The sudo command lets you use the root account to run a command. You can still do the system magic, but you are not permanently playing with the explosive power of root.
Not logging in as root -- like not mixing spots and stripes, not smoking, and not walking around with a gun down your trousers -- is a good idea because it lessens the chance of unpleasant consequences. There is less chance of accidentally stopping a customer service, unmounting critical data, or deleting all the commands.
sudo brings its own set of annoyances
The trouble with sudo is you have to remember to stick it in front of the command you run. Everyone forgets to use sudo from time to time. Sometimes the mistake of forgetting sudo is harmless. You are forbidden from doing your work, but that’s all.
[ec2-user@ip-10-167-15-124 ~]$ yum install httpd Loaded plugins: priorities, security, update-motd, upgrade-helper
You need to be root to perform this command.
Sometimes forgetting sudo is disturbing but still harmless.
[ec2-user@ip-10-167-15-124 ~]$ service httpd status httpd dead but subsys locked [ec2-user@ip-10-167-15-124 ~]$
What? HTTPD (the web server) is dead? What about my customer service? And what on earth is subsys? Try it again with sudo and a more reassuring message appears.
[ec2-user@ip-10-167-15-124 ~]$ sudo service httpd status httpd (pid 1409) is running... [ec2-user@ip-10-167-15-124 ~]$ sudo su –
A sysadmin often types in many commands that all need root privileges. It’s tempting to just log in as root and do the work. If you are really intent on using the root account, sudo can arrange that.
[ec2-user@ip-10-167-15-124 ~]$ sudo su - [root@ip-10-167-15-124 ~]#
The prompt changes to remind you that the system will let you do anything you want. Do you know what gets blown away by this command?
rm –rf /
If you just shuddered from the bad memories of that awful day, go ahead and use the root account. Once bitten, twice shy.
Use sudo. And don’t blow stuff up.
Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the designers and developers who build the top layer that customers use.