8

The below fails:

```
sudo -u chris ls /root
ls: cannot open directory '/root': Permission denied
```

While the below succeeds:

```
sudo ls /root
...
```

I do not understand why. I assume `-u` just changes the `$USER`/running user to the parameter provided in addition to having root privileges. What is the cause behind this behavior?

Chris Stryczynski
  • Give it a look even [here](https://superuser.com/a/771523/257269). There are some additional words and tests about variables and `sudo -i`, `sudo -s`, `sudo su`... – Hastur Feb 05 '21 at 09:56

3 Answers

23

`sudo -u chris` runs the given command as user `chris`, not as root with `USER` set to `chris`. So if `chris` can’t access `/root`, `sudo -u chris` won’t change that.

See `man sudo`:

> `-u user`, `--user=user`
>
> Run the command as a user other than the default target user (usually root).

`sudo` isn’t specifically a “run as root” tool; it’s a “run as some other user or group” tool.

Stephen Kitt
  • Okay from what I understand from the above, `sudo -u chris` is just running as `chris`, rather than running as `chris` with root privileges? – Chris Stryczynski Feb 03 '21 at 13:08
  • 10
    Yes, `sudo` doesn’t bestow root privileges; it’s being root that bestows root privileges. – Stephen Kitt Feb 03 '21 at 13:12
  • The advantage of `sudo` is that you can use it to become any user without needing their password (or ssh key, or whatever other authentication is in use). So `sudo -u chris echo 'I hacked you!' > ~/hacked.txt` will generate a file owned by chris and with no obvious connection to who did it. Of course the use of `sudo` will be logged. – Ross Presser Feb 03 '21 at 21:54
  • 5
    The entire permissions model is based on your user id. There's really no such thing as "me, but with someone else's permissions". (There's a distinction between real and effective user id for a process, but one or the other is used for a particular operation.) – chepner Feb 03 '21 at 22:23
  • @RossPresser, or you could just `sudo -u root 'echo hello > ~chris/hi.txt; chown chris. ~chris/hi.txt'`. (Or do the same but start an interactive shell in between so the whole command doesn't end up in sudo's log. (Unless your system admin has thought it a great idea to disallow running a shell via sudo, grr.)) – ilkkachu Feb 04 '21 at 08:47
  • 3
    @RossPresser the redirection (and the `~`) in your `sudo -u chris echo 'I hacked you!' > ~/hacked.txt` example will be processed by the initial user's shell, not by sudo, and is unlikely to generate a file owned by chris. – Jeff Schaller Feb 04 '21 at 12:48
  • 1
    @chepner The baseline UNIX DAC model is, but most systems have additional permissions models built on top of that. On Linux for example, there absolutely is a concept of ‘me, but with admin privileges’ if you leverage capabilities. – Austin Hemmelgarn Feb 04 '21 at 13:01
  • @JeffSchaller My bad. My intent was clear although my off-the-cuff typing was faulty. – Ross Presser Feb 04 '21 at 14:13
  • Just a note regarding sudo not being a 'run as root' tool, this might be mistakenly assumed on Ubuntu as described here https://unix.stackexchange.com/a/91572/124109. Running `sudo bash -c 'echo $HOME'` would not echo the root user's $HOME but instead the $HOME of the user who ran the command. – Chris Stryczynski Jul 26 '23 at 13:52
  • @Chris isn’t that a red herring? `sudo bash -c 'echo $HOME'` *does* run `bash` as root, but with `$HOME` inherited from the environment `sudo` was given. – Stephen Kitt Jul 26 '23 at 16:07
  • Hmm I just thought it's useful context about why it might be assumed, or where some behavior might have led to this. I personally had this incorrect assumption for likely years even while using Linux extensively. – Chris Stryczynski Jul 27 '23 at 16:15
  • Ah right, I see what you mean — the assumption that `sudo` preserves the user’s identity but somehow grants root privileges. That’s not what I meant by “run as root”; I meant that `sudo` isn’t only useful to run with root privileges (as the root user), it’s useful in general to run with any user’s privileges (as that user). But yes, that context is useful to understand the first assumption! – Stephen Kitt Jul 27 '23 at 16:34
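
Two points from this thread, that `-u` selects the target user and that sudo logs each use, can be checked together in sudo's log, where the target user appears in the `USER=` field. This is an added example, not part of any post above; the log lines are constructed in sudo's default syslog format and the function names are illustrative.

```python
import re

# Constructed sample lines in sudo's default syslog format (not from the page).
SAMPLE_LOG = """\
Feb  3 13:05:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Feb  3 13:06:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=chris ; COMMAND=/usr/bin/ls /root
Feb  3 13:07:42 host sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=chris ; COMMAND=/bin/sh -c echo hi > ~/hi.txt
Feb  3 13:08:00 host sudo: pam_unix(sudo:session): session opened for user chris(uid=1001) by alice(uid=1000)
Feb  3 13:09:15 host sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
"""

# "<invoking user> : <fields separated by ' ; '>"
ENTRY = re.compile(r"sudo:\s+(?P<invoker>\S+) : (?P<body>.*)$")


def parse_sudo_line(line):
    """Return a dict for a sudo command entry, or None for any other line."""
    m = ENTRY.search(line)
    if not m:
        return None
    # COMMAND= is always the last field and may itself contain " ; ".
    head, sep, command = m.group("body").partition("COMMAND=")
    if not sep:
        return None
    entry = {"invoker": m.group("invoker"), "command": command, "denied": None}
    for field in head.split(" ; "):
        key, eq, value = field.strip().partition("=")
        if eq and key.isupper():
            entry[key.lower()] = value      # TTY, PWD, USER (the target user)
        elif field.strip():
            entry["denied"] = field.strip() # e.g. "user NOT in sudoers"
    return entry


def non_root_targets(log_text):
    """List (invoker, target, command) for permitted runs as a non-root user."""
    hits = []
    for line in log_text.splitlines():
        e = parse_sudo_line(line)
        if e and e["denied"] is None and e.get("user", "root") != "root":
            hits.append((e["invoker"], e["user"], e["command"]))
    return hits


if __name__ == "__main__":
    for invoker, target, command in non_root_targets(SAMPLE_LOG):
        print(f"{invoker} ran as {target}: {command}")
```
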
2

`sudo` will run a command as a certain user, defaulting to root. This does not mean that it will always be root, because the `-u` option selects the user, not root in this case. If you want to become root you can either run a command with `sudo` (like `sudo chown chris:chris ~`) or you can use the command `su` to switch your user to root, then just run `exit` to go back to your user.

PING
  • 2
    Of course: Even `su` may be used to change the user altogether `su john` – FelixJN Feb 03 '21 at 13:24
  • Or you could run `su root -c "some command here"` to run a single command via `su`. Or you could run `sudo -s` or `sudo -i` to start a regular or login shell interactively. It's not like one only does one thing and the other another thing, sudo just has more configurability and a more granular permission system. – ilkkachu Feb 04 '21 at 08:51
-2

sudo: Super User DO. It is a way to grant users the rights to execute system commands.

If chris is the host, try this:

```
sudo -h chris ls -l /root
```

```
-h, --help display help message and exit

-h, --host=host run command on host (if supported by plugin)
```

```
drwxr-xr-x 2 root root 4096 Jan 18 23:52 Desktop
drwxr-xr-x 2 root root 4096 Jan 18 23:52 Documents
drwxr-xr-x 2 root root 4096 Jan 18 23:52 Downloads
```

Or you can remove "root":

```
sudo -u chris ls -l /
```

```
lrwxrwxrwx 1 root root 7 Jan 18 20:32 bin -> usr/bin
```

From http://www.linfo.org/root_directory.html

> "The root directory is the directory on Unix-like operating systems that contains all other directories and files on the system and which is designated by a forward slash ( / ).
>
> The use of the word root in this context derives from the fact that this directory is at the very top of the directory tree diagram"

kasa