su vs sudo on SmartOS

For as long as there have been multi-user operating systems, there has been the need to switch between those users.  Clearly, this can be done by directly starting a session as a given user, or even logging in again through localhost, but this approach tends to break down when manipulating system users (which are never meant to be directly logged into) or performing complex cross-user automation.

Today we will be exploring the command-line methods available on SmartOS for executing commands as other users, namely su and sudo.

su

The switch user (su) command executes a new shell owned by the specified user (or root if no user is specified).  This effectively allows the ownership of a session to be changed without logging off to assume the role of the new user.

Non-superusers attempting to switch users will be prompted for the login credentials of the user being switched to, just as they might be if they were logging in directly from a terminal.  Superusers are never prompted for login credentials when using su.

A few examples:

# su - brian
$ su -
Password:
#

The - parameter before the username further configures the login environment with the following additional changes:

  • The LC*, LANG and TZ environment variables from the specified user's environment are also propagated to the new shell.
  • Sets the MAIL environment variable to /var/mail/new_user.

Any parameters after the user will be passed to the executing shell, effectively emulating sudo's general functionality:

# su - brian -c whoami
brian

Additionally, the behavior of su can be modified by altering configuration parameters in /etc/default/su, specifically the following:

  • SULOG all attempts to use su are logged to the specified file.
  • CONSOLE if defined, all attempts to su to the superuser are logged to the console.
  • PATH sets the default path of a shell spawned by su.
  • SUPATH sets the default path of a superuser shell spawned by su.
  • SYSLOG uses syslog to log all su attempts.

This command is the original and the simplest of the three, but you still may want to read the man page for su for additional information.

sudo

The sudo command permits users to execute commands as other users as allowed by a sudo specific security policy.  This effectively allows the ownership of a single command to be changed without disrupting the rest of the session to assume the role of the new user.  The major differences between su and sudo are as follows:

  • sudo allows any command to be run as a trailing parameter, not just the user's shell.  sudo can also be passed the -i parameter to open an interactive shell, effectively emulating the functionality of su.
  • sudo checks escalations against a security policy, allowing for fine-grained control over privilege escalation.
  • sudo prompts users for the originating user's credentials while su prompts users for the credentials of the user being switched to.

By default, the security policy is configured in /opt/local/etc/sudoers.

Notice: the sudoers file should always be edited with visudo instead of directly.

Beyond global parameters, the sudoers file specifies host, user and command aliases:

User_Alias ADMINS = brian, notbrian, alsonotbrian
Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, /usr/bin/pkill
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff

As well as user privilege specifications:

root ALL=(ALL) ALL

This specification allows root to run any command as any user.

%sudoers ALL=(root) /bin/kill, (operator) /bin/ls

This specification allows a member of the sudoers group to run /bin/kill as root and /bin/ls as the operator user.

If the included flexibility wasn't enough, sudo is also a plugin-based architecture, which can be extended in many different ways.  I would recommend thoroughly reading the sudo and sudoers manpages, as sudo is as complicated as su is simple, and the entire scope of its functionality is way beyond the scope of this brief post.

Conclusion

If you need to escalate yourself to a superuser role or need to quickly and simply switch into another role, su should be your go-to command.  It's simple, direct, and requires very little additional configuration or tweaking.

If you're working in a more complex multiuser environment and finer grained access control is a requirement, sudo is going to be your weapon of choice.  Additionally, I find sudo more convienent if I need to perform a single command as a different user rather than entirely switching my context to them.

Ultimately, depending on the context, I use both.

Additionally, SmartOS supports an additional privilege escalation framework in profiles and Role Based Access Control (RBAC), however that is significantly more complicated than even sudo, and will be the topic of a future article.