Linux/Unix: Authentication Tools - passwd, su, sudo, /etc/sudoers Explained
Introduction - Why Learn Linux Authentication Tools?
Authentication is the first line of defense in Linux security. Whether it's setting user passwords, switching identities, or granting elevated privileges, tools like passwd, su, sudo, and /etc/sudoers form the foundation of secure user management.
In this guide, you'll learn:
- How to set and manage passwords
- How to switch user identities
- How to configure and use sudo for secure privilege elevation
- How to edit and safely manage the /etc/sudoers file
1. passwd - Change User Passwords
What is passwd?
The passwd command allows users and admins to change user account passwords and set password aging policies.
Syntax:
passwd [username]
Example 1: Change your own password
passwd
Output:
Changing password for user bob.
Current password:
New password:
Retype new password:
Example 2: Change another user’s password (as root)
sudo passwd alice
2. su - Switch User Identity
What is su?
su stands for substitute user. It lets you switch to another user account (including root) by authenticating with their password.
Syntax:
su [username]
Example 1: Switch to root user
su -
Output:
Prompts for the root password. The - starts a full login shell.
Requires root password. Not preferred for shared access environments.
3. sudo - Run Commands as Another User
What is sudo?
sudo lets permitted users run commands as root or another user without knowing that account's password, according to rules defined in /etc/sudoers.
Syntax:
sudo command
Example 1: Run a privileged command
sudo apt update
Output:
Prompts for your user password (not root’s) and executes the command as root.
Sudo Features:
- Logs all commands (auditability)
- Enforces role-based access
- Can restrict or allow specific commands
After entering your password once, sudo grants a 5-minute grace period by default.
4. /etc/sudoers - Sudo Permissions File
What is /etc/sudoers?
It defines which users can run which commands as root. Edit it carefully with visudo to avoid syntax errors that can lock out all users.
Open with:
sudo visudo
Common Syntax:
username ALL=(ALL) ALL
Grant john root privileges:
john ALL=(ALL:ALL) ALL
Allow deploy to restart nginx only:
deploy ALL=NOPASSWD: /bin/systemctl restart nginx
Group-based Access:
%sudo ALL=(ALL:ALL) ALL
Anyone in the sudo group has root privileges via sudo.
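An added example, not part of the original guide: a small Python audit that classifies user rules of the form shown above by whether they allow any command and whether they skip the password prompt. The sample file, the hypothetical ci entry, and the names audit, Finding and the risk labels are assumptions made for this illustration; it handles single-line rules only.

```python
import re
from typing import NamedTuple

# Constructed sample: the rule lines from this guide plus one hypothetical
# entry ("ci") added to show the riskiest combination.
SAMPLE_SUDOERS = """\
Defaults env_reset
john ALL=(ALL:ALL) ALL
deploy ALL=NOPASSWD: /bin/systemctl restart nginx
%sudo ALL=(ALL:ALL) ALL
ci ALL=(ALL) NOPASSWD: ALL
"""

# who host = [(runas)] [TAG: ...] command[, command ...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

class Finding(NamedTuple):
    who: str
    is_group: bool
    nopasswd: bool
    commands: list
    risk: str

def audit(text):
    """Classify each single-line user rule; continuation lines are not handled."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments/include directives, Defaults and alias definitions.
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        commands = [c.strip() for c in m["cmds"].split(",")]
        nopasswd = "NOPASSWD:" in m["tags"]
        scope = "unrestricted" if "ALL" in commands else "scoped"
        risk = scope + ("-nopasswd" if nopasswd else "")
        findings.append(Finding(m["who"], m["who"].startswith("%"), nopasswd, commands, risk))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.who:8} {f.risk:22} {', '.join(f.commands)}")
```

Run it against a copy of a sudoers file during review; visudo remains the tool for checking syntax before a change goes live.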
Tool Comparison Table
| Command/File | Purpose | Requires Password | Role-Based Access | Logging Support |
|---|---|---|---|---|
| passwd | Change passwords | Yes | No | No |
| su | Switch users (usually root) | Yes (target's pw) | No | No |
| sudo | Run commands as another user | Yes (your pw) | Yes | Yes |
| /etc/sudoers | Configure sudo permissions | Not a command | Yes | Yes (via sudo) |
Summary - Recap & Next Steps
Authentication tools like passwd, su, and sudo are vital for secure access control in Linux. Properly managing /etc/sudoers ensures that only authorized users can perform sensitive operations without compromising system integrity.
Key Takeaways:
- Use passwd to manage user authentication securely.
- Prefer sudo over su for better control and auditing.
- Use visudo to safely edit /etc/sudoers.
- Grant fine-grained privileges without exposing root passwords.
FAQs
What's the difference between su and sudo?
su requires the target user’s password. sudo uses your own password to run commands as root or another user based on /etc/sudoers.
How can I give a user sudo access?
Add the user to the sudo group:
sudo usermod -aG sudo username
Why should I use visudo instead of editing /etc/sudoers directly?
visudo checks for syntax errors and prevents file corruption that could lock you out.
Can I limit what commands a sudo user can run?
Yes. In /etc/sudoers, assign specific commands:
bob ALL=NOPASSWD: /usr/bin/systemctl restart apache2
Where are sudo logs stored?
Typically in:
/var/log/auth.log # Debian/Ubuntu
/var/log/secure # RHEL/CentOS
