Switch User Accounts
With the su command, users can switch to a different user account. If you run the su command from a regular user account with another user account as a parameter, then you must provide the password of the account to switch to. When the root user runs the su command, you do not need to enter the user’s password.
RH199-RHEL9.0-en-4-20221003 79
Chapter 3 | Manage Local Users and Groups
This example uses the su command from the user01 account to switch to the user02 account:
[user01@host ~]$ su - user02
Password: user02_password
[user02@host ~]$
If you omit the user name, then the su or su - command attempts to switch to root by default.
[user01@host ~]$ su -
Password: root_password
[root@host ~]#
The command su starts a non-login shell, while the command su - (with the dash option) starts a login shell. The main distinction between the two commands is that su - sets up the shell environment as if it is a new login as that user, while su starts a shell as that user, but uses the original user’s environment settings.
In most cases, administrators should run su - to get a shell with the target user’s normal environment settings. For more information, see the bash(1) man page.
Note
The most frequent use for the su command is to get a command-line interface (shell prompt) that runs as another user, typically root. However, you can also use the su command with the -c option to run an arbitrary program as another user. This behavior is similar to the Windows runas utility. Run info su to view more details.
Run Commands with Sudo
For security reasons, in some cases system administrators configure the root user not to have a valid password. Thus, users cannot log in to the system as root directly with a password. Moreover, you cannot use su to get an interactive shell. In this case, you can use the sudo command to get root access.
Unlike the su command, sudo normally requires users to enter their own password for authentication, not the password of the user account they are trying to access. That is, users who use the sudo command to run commands as root do not need to know the root password. Instead, they use their own passwords to authenticate access.
The next table summarizes the differences between the su, su -, and sudo commands:
                     su                  su -                sudo
Become new user      Yes                 Yes                 Per escalated command
Environment          Current user’s      New user’s          Current user’s
Password required    New user’s          New user’s          Current user’s
Privileges           Same as new user    Same as new user    Defined by configuration
Activity logged      su command only     su command only     Per escalated command
Additionally, you can configure the sudo command to allow specific users to run any command as some other user, or only some commands as that user. For example, if you configure the sudo command to allow the user01 user to run the usermod command as root, then you can run the following command to lock or unlock a user account:
[user01@host ~]$ sudo usermod -L user02
[sudo] password for user01: user01_password
[user01@host ~]$ su - user02
Password: user02_password
su: Authentication failure
[user01@host ~]$
If a user tries to run a command as another user, and the sudo configuration does not permit it, then bash blocks the command, logs the attempt, and sends by default an email to the root user.
[user02@host ~]$ sudo tail /var/log/secure
[sudo] password for user02: user02_password
user02 is not in the sudoers file. This incident will be reported.
[user02@host ~]$
Another benefit of sudo is to log by default all the executed commands to /var/log/secure.
[user01@host ~]$ sudo tail /var/log/secure
...output omitted...
Mar 9 20:45:46 host sudo[2577]: user01 : TTY=pts/0 ; PWD=/home/user01 ; USER=root ; COMMAND=/sbin/usermod -L user02
...output omitted...
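A defender reviewing /var/log/secure wants to tell apart the cases this section shows: a permitted escalation, a refused attempt (which sudo logs as well as reports), and an interactive root shell obtained with sudo -i or sudo -s rather than a single escalated command. The following Python is an added example, not part of the course material or of sudo itself; the log lines it parses are constructed to follow the format of the excerpt above, and the "user NOT in sudoers" and "incorrect password attempts" reason fields are assumed to match sudo's standard wording.

```python
import re
from collections import Counter

# One sudo line in /var/log/secure: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...".
# A <reason> field (for example "user NOT in sudoers") is present only when sudo refused.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[\d+\]: (?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

ROOT_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}

def parse_sudo_events(lines):
    """Return one dict per sudo log line; other lines (sshd, pam, ...) are ignored."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["denied"] = ev["reason"] is not None
            events.append(ev)
    return events

def root_shell_users(events):
    """Users who obtained an interactive root shell (sudo -i / sudo -s): worth reviewing,
    because the commands typed inside that shell are not individually logged by sudo."""
    return [e["user"] for e in events
            if not e["denied"] and e["runas"] == "root" and e["cmd"].split(" ")[0] in ROOT_SHELLS]

def denied_attempts(events):
    """Count refused escalations per user, the attempts the text says sudo reports."""
    return Counter(e["user"] for e in events if e["denied"])

# Constructed sample log, following the format of the excerpt above.
SAMPLE_SECURE_LOG = """\
Mar  9 20:45:46 host sudo[2577]: user01 : TTY=pts/0 ; PWD=/home/user01 ; USER=root ; COMMAND=/sbin/usermod -L user02
Mar  9 20:46:02 host sudo[2601]: user02 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/user02 ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
Mar  9 20:47:10 host sudo[2633]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash
Mar  9 20:48:30 host sudo[2650]: user02 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/user02 ; USER=root ; COMMAND=/usr/bin/id
Mar  9 20:49:00 host sshd[2660]: Accepted publickey for ec2-user from 203.0.113.5 port 50022 ssh2
""".splitlines()
```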
In Red Hat Enterprise Linux 7 and later versions, all members of the wheel group can use sudo to run commands as any user, including root, by using their own password.
Warning
Historically, UNIX systems use membership in the wheel group to grant or control
superuser access. RHEL 6 and earlier versions do not grant the wheel group any
special privileges by default. System administrators who have previously used this
group for a non-standard purpose should update a previous configuration, to avoid
unexpected and unauthorized users obtaining administrative access on RHEL 7 and
later systems.
Get an Interactive Root Shell with Sudo
To access the root account with sudo, use the sudo -i command. This command switches to the root account and runs that user’s default shell (usually bash) and associated interactive login scripts. To run the shell without the interactive scripts, use the sudo -s command.
For example, an administrator can get an interactive shell as root on an AWS Elastic Cloud
Computing (EC2) instance by using SSH public-key authentication to log in as the ec2-user
normal user, and then run the sudo -i command to access the root user’s shell.
[ec2-user@host ~]$ sudo -i
[sudo] password for ec2-user: ec2-user_password
[root@host ~]#
Configure sudo
The /etc/sudoers file is the main configuration file for the sudo command. To avoid problems if multiple administrators try to edit the file at the same time, you can edit it only with the special visudo command. The visudo editor also validates the file, to ensure no syntax errors.
For example, the following line from the /etc/sudoers file enables sudo access for wheel
group members:
%wheel ALL=(ALL:ALL) ALL
• The %wheel string is the user or group that the rule applies to. The % symbol before the word wheel specifies a group.
• The ALL=(ALL:ALL) command specifies that on any host with this file (the first ALL), users in
the wheel group can run commands as any other user (the second ALL) and any other group
(the third ALL) on the system.
• The final ALL command specifies that users in the wheel group can run any command.
By default, the /etc/sudoers file also includes the contents of any files in the
/etc/sudoers.d directory as part of the configuration file. With this hierarchy, you can add
sudo access for a user by putting an appropriate file in that directory.
Note
Placing configuration files under the /etc/sudoers.d directory is convenient. You
can enable or disable sudo access by copying a file into the directory or removing it
from the directory.
In this course, you create and remove files in the /etc/sudoers.d directory to
configure sudo access for users and groups.
To enable full sudo access for the user01 user, you can create the /etc/sudoers.d/user01
file with the following content:
user01 ALL=(ALL) ALL
To enable full sudo access for the group01 group, you can create the /etc/sudoers.d/group01 file with the following content:
%group01 ALL=(ALL) ALL
To enable users in the games group to run the id command as the operator user, you can create the /etc/sudoers.d/games file with the following content:
%games ALL=(operator) /bin/id
You can also set up sudo to allow a user to run commands as another user without entering their password, by using the NOPASSWD: ALL command:
ansible ALL=(ALL) NOPASSWD: ALL
While obvious security risks apply to granting this level of access to a user or group, system
administrators frequently use this approach with cloud instances, virtual machines, and
provisioning systems for configuring servers. You must carefully protect the account with this
access and require SSH public-key authentication for a user on a remote system to access it
at all.
For example, the official Amazon Machine Image (AMI) for Red Hat Enterprise Linux in the
Amazon Web Services Marketplace ships with the root and the ec2-user passwords locked.
The ec2-user account is set up to allow remote interactive access through SSH public-key
authentication. The user ec2-user can also run any command as root without a password
because the last line of the AMI’s /etc/sudoers file is set up as follows:
ec2-user ALL=(ALL) NOPASSWD: ALL
You can re-enable the requirement to enter a password for sudo or introduce other changes to tighten security as part of the system configuration.
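Before dropping a file into /etc/sudoers.d, it helps to check what the rules actually grant: who may run which command as whom, and which entries waive the password entirely. The following Python is an added example, not part of the course or of sudo itself; it evaluates only the rule forms used in this section (user or %group, host, an optional (runas_user:runas_group) part, an optional NOPASSWD: tag, and a command list), it ignores aliases and host lists that sudoers(5) also allows, and its sample rules are a constructed combination of the lines shown above.

```python
import re

# Handles only the sudoers(5) forms this chapter shows: user or %group, host,
# optional (runas_user:runas_group), optional NOPASSWD: tag, command list.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

def parse_rule(line):
    """Return a dict for one rule line, or None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")  # no (...) means root
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return {"who": m.group("who"), "host": m.group("host"),
            "runas_user": runas_user, "runas_group": runas_group or None,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")]}

def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

def may_run(rules, user, groups, target_user, command):
    """(allowed, nopasswd) for `user`, a member of `groups`, running `command` as
    `target_user`. sudoers applies the LAST matching entry, so later rules win."""
    verdict = (False, False)
    for r in rules:
        who_ok = r["who"] in ("ALL", user) or (r["who"][0] == "%" and r["who"][1:] in groups)
        runas_ok = r["runas_user"] in ("ALL", target_user)
        cmd_ok = "ALL" in r["cmds"] or command in r["cmds"]
        if who_ok and runas_ok and cmd_ok:
            verdict = (True, r["nopasswd"])
    return verdict

def audit_nopasswd_all(rules):
    """Who may run any command as any user without a password: the riskiest grants."""
    return [r["who"] for r in rules
            if r["nopasswd"] and r["runas_user"] == "ALL" and "ALL" in r["cmds"]]

# Constructed sample combining the rule lines shown in this chapter.
SAMPLE_SUDOERS = """\
%wheel  ALL=(ALL:ALL) ALL
user01  ALL=(ALL) ALL
%games  ALL=(operator) /bin/id
ansible ALL=(ALL) NOPASSWD: ALL
"""
```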
References
su(1), sudo(8), visudo(8), and sudoers(5) man pages
info libc persona (GNU C Library Reference Manual)
• Section 30.2: The Persona of a Process
(The glibc-doc package must be installed for this info node to be available.)
Guided Exercise
Gain Superuser Access
In this exercise, you practice switching to the root account and running commands as root.
Outcomes
• Use the sudo command to switch to the root user and access the interactive shell as
root without knowing the password of the superuser.
• Explain how the su and su - commands affect the shell environment through running or
not running the login scripts.
• Use the sudo command to run other commands as the root user.
Before You Begin
As the student user on the workstation machine, use the lab command to prepare your
system for this exercise.
This command prepares your environment and ensures that all required resources are
available.
[student@workstation ~]$ lab start users-superuser
Instructions
1. From workstation, open an SSH session to servera as the student user.
[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$
2. Explore the shell environment of the student user. View the current user and group
information and display the current working directory. Also view the environment variables
that specify the user’s home directory and the locations of the user’s executable files.
2.1. Run id to view the current user and group information.
[student@servera ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2.2. Run pwd to display the current working directory.
[student@servera ~]$ pwd
/home/student
2.3. Print the values of the HOME and PATH variables to determine the home directory and
user executables' path, respectively.