Guided Exercise: Gain Superuser Access

Practice switching to the root account and running commands as root.

Outcomes

  • Use the sudo command to switch to the root user and access the interactive shell as root without knowing the password of the superuser.

  • Explain how the su and su - commands affect the shell environment through running or not running the login scripts.

  • Use the sudo command to run other commands as the root user.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start users-superuser

Instructions

  1. From workstation, open an SSH session to servera as the student user.

    [student@workstation ~]$ ssh student@servera
    ...output omitted...
    [student@servera ~]$
  2. Explore the shell environment of the student user. View the current user and group information and display the current working directory. Also view the environment variables that specify the user's home directory and the locations of the user's executable files.

    1. Run id to view the current user and group information.

      [student@servera ~]$ id
      uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    2. Run pwd to display the current working directory.

      [student@servera ~]$ pwd
      /home/student
    3. Print the values of the HOME and PATH variables to determine the home directory and user executables' path, respectively.

      [student@servera ~]$ echo $HOME
      /home/student
      [student@servera ~]$ echo $PATH
      /home/student/.local/bin:/home/student/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
  3. Switch to the root user in a non-login shell and explore the new shell environment.

    1. Run the sudo su command at the shell prompt to become the root user.

      [student@servera ~]$ sudo su
      [sudo] password for student: student
      [root@servera student]#
    2. Run id to view the current user and group information.

      [root@servera student]# id
      uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    3. Run pwd to display the current working directory.

      [root@servera student]# pwd
      /home/student
    4. Print the values of the HOME and PATH variables to determine the home directory and user executables' path, respectively.

      [root@servera student]# echo $HOME
      /root
      [root@servera student]# echo $PATH
      /root/.local/bin:/root/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

      When you use the su command to become the root user, you do not keep the PATH of the student user. As the next step shows, this is not the PATH that root gets from a login shell either.

      What happened? You did not run su directly. Because you do not have the password of the superuser, you ran su as root by using sudo, and sudo replaces the PATH variable with the value of its secure_path setting (on Red Hat Enterprise Linux, /sbin:/bin:/usr/sbin:/usr/bin, which is visible in the middle of the output above) so that a privileged command cannot be made to run a program from a directory that the calling user controls. Anything that runs after that reset can still change PATH: su started a non-login shell for root, and root's startup files for a non-login shell added entries in front of and behind the reset value. To see the value that sudo imposes on your system, run sudo grep secure_path /etc/sudoers.

    5. Exit the root user's shell to return to the student user's shell.

      [root@servera student]# exit
      exit
      [student@servera ~]$
  4. Switch to the root user in a login shell and explore the new shell environment.

    1. Run the sudo su - command at the shell prompt to become the root user.

      The sudo command might or might not prompt you for the student password, depending on its time-out period. By default, sudo remembers a successful authentication for five minutes in the terminal you ran it in. If you authenticated to sudo within the last five minutes, then the sudo command does not prompt you for the password. If more than five minutes elapsed since you authenticated to sudo, then you must enter student as the password for authentication to sudo. To discard the cached authentication immediately, for example before leaving a terminal unattended, run sudo -k.

      [student@servera ~]$ sudo su -
      [root@servera ~]#

      Notice the difference in the shell prompt compared to that of sudo su in the preceding step: the current directory is now the home directory of root, shown as ~.

    2. Run id to view the current user and group information.

      [root@servera ~]# id
      uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    3. Run pwd to display the current working directory.

      [root@servera ~]# pwd
      /root
    4. Print the values of the HOME and PATH variables to determine the home directory and the user executables' path, respectively.

      [root@servera ~]# echo $HOME
      /root
      [root@servera ~]# echo $PATH
      /root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

      As in the preceding step, sudo first replaces the PATH variable that it inherited from the student user's shell. This time, however, su - starts a login shell, which runs the login scripts for root (/etc/profile and root's ~/.bash_profile) and sets the PATH variable to yet another value. The su command without the dash (-) option starts a non-login shell and does not run those scripts.

    5. Exit the root user's shell to return to the student user's shell.

      [root@servera ~]# exit
      logout
      [student@servera ~]$
  5. Verify that the operator1 user can run any command as any user by using the sudo command. Read the rule field by field: operator1 is the user that it applies to, the first ALL means from any host, (ALL) means as any target user, and the final ALL means any command. Because the rule carries no NOPASSWD tag, sudo prompts for the operator1 user's own password, never for the root password.

    [student@servera ~]$ sudo cat /etc/sudoers.d/operator1
    operator1 ALL=(ALL) ALL
  6. Become the operator1 user and view the contents of the /var/log/messages file. Copy the /etc/motd file to /etc/motdOLD. Remove the /etc/motdOLD file. As these operations require administrative rights, use the sudo command to run those commands as the superuser. Do not switch to root by using sudo su or sudo su -. Use redhat as the password of the operator1 user.

    1. Switch to the operator1 user.

      [student@servera ~]$ su - operator1
      Password: redhat
      [operator1@servera ~]$
    2. Try to view the last five lines of /var/log/messages without using sudo. It should fail.

      [operator1@servera ~]$ tail -5 /var/log/messages
      tail: cannot open '/var/log/messages' for reading: Permission denied
    3. Try to view the last five lines of /var/log/messages by using sudo. It should succeed.

      [operator1@servera ~]$ sudo tail -5 /var/log/messages
      [sudo] password for operator1: redhat
      Mar 9 15:53:36 servera su[2304]: FAILED SU (to operator1) student on pts/1
      Mar 9 15:53:51 servera su[2307]: FAILED SU (to operator1) student on pts/1
      Mar 9 15:53:58 servera su[2310]: FAILED SU (to operator1) student on pts/1
      Mar 9 15:54:12 servera su[2322]: (to operator1) student on pts/1
      Mar 9 15:54:25 servera su[2353]: (to operator1) student on pts/1

      Note

      The preceding output might differ on your system.

    4. Try to copy /etc/motd as /etc/motdOLD without using sudo. It should fail.

      [operator1@servera ~]$ cp /etc/motd /etc/motdOLD
      cp: cannot create regular file '/etc/motdOLD': Permission denied
    5. Try to copy /etc/motd as /etc/motdOLD by using sudo. It should succeed.

      [operator1@servera ~]$ sudo cp /etc/motd /etc/motdOLD
      [operator1@servera ~]$
    6. Try to delete /etc/motdOLD without using sudo. It should fail.

      [operator1@servera ~]$ rm /etc/motdOLD
      rm: remove write-protected regular empty file '/etc/motdOLD'? y
      rm: cannot remove '/etc/motdOLD': Permission denied
      [operator1@servera ~]$
    7. Try to delete /etc/motdOLD by using sudo. It should succeed.

      [operator1@servera ~]$ sudo rm /etc/motdOLD
      [operator1@servera ~]$
    8. Return to the workstation system as the student user.

      [operator1@servera ~]$ exit
      logout
      [student@servera ~]$ exit
      logout
      Connection to servera closed.
      [student@workstation ~]$
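
The PATH values observed in steps 3 and 4 come from two mechanisms, the reset that sudo performs and the startup files that the new shell runs. The following script, added here as an illustration and not part of the course material, reproduces both without root or sudo. It assumes the RHEL default secure_path of /sbin:/bin:/usr/sbin:/usr/bin (a constant in the script, not read from sudo), creates a throwaway home directory with a ~/.bashrc and a ~/.bash_profile laid out like the Red Hat defaults, and then starts bash the way su (interactive, non-login) and su - (login) do. The names rc-bin and login-bin are markers invented for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the course: reproduce the PATH behaviour of
# steps 3 and 4 without root or sudo.
#  - A throwaway HOME with its own ~/.bashrc and ~/.bash_profile stands in
#    for /root (the files mirror the Red Hat default layout).
#  - FAKE_SECURE_PATH stands in for the value that sudo imposes through its
#    secure_path setting; /sbin:/bin:/usr/sbin:/usr/bin is the RHEL default
#    and is assumed here, not read from sudo.
#  - 'nonlogin' starts bash the way `su` does (interactive, non-login), so
#    only ~/.bashrc runs; 'login' starts it the way `su -` does, so
#    /etc/profile and ~/.bash_profile run and PATH is rebuilt again.

set -u

BASH_BIN=$(command -v bash) || { echo "bash is required" >&2; exit 1; }
FAKE_SECURE_PATH=/sbin:/bin:/usr/sbin:/usr/bin    # assumed sudo secure_path

# Create the throwaway home directory and print its path.
setup_demo_home() {
    home=$(mktemp -d)
    # ~/.bashrc: prepend rc-bin, but only once (the RHEL default .bashrc
    # uses the same kind of guard), because .bash_profile sources it too.
    cat > "$home/.bashrc" <<'EOF'
case ":$PATH:" in
    *":$HOME/rc-bin:"*) ;;
    *) PATH="$HOME/rc-bin:$PATH" ;;
esac
export PATH
EOF
    # ~/.bash_profile: login shells only; sources .bashrc, then adds more.
    cat > "$home/.bash_profile" <<'EOF'
[ -f "$HOME/.bashrc" ] && . "$HOME/.bashrc"
PATH="$HOME/login-bin:$PATH"
export PATH
EOF
    printf '%s\n' "$home"
}

# Print the PATH that an interactive bash of the given kind ends up with.
# $1 = nonlogin | login, $2 = directory to use as HOME
path_in_shell() {
    kind=$1
    home=$2
    case $kind in
        nonlogin) flag=-i ;;    # like `su`:   interactive, non-login
        login)    flag=-l ;;    # like `su -`: login shell
        *) echo "usage: path_in_shell nonlogin|login HOME" >&2; return 2 ;;
    esac
    # An interactive bash with no terminal warns about job control on
    # stderr; that noise is irrelevant here.
    HOME=$home PATH=$FAKE_SECURE_PATH "$BASH_BIN" "$flag" -c 'printf %s "$PATH"' 2>/dev/null
}

# True when $1 contains the substring $2.
path_has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

DEMO_HOME=$(setup_demo_home)
trap 'rm -rf "$DEMO_HOME"' EXIT

printf 'imposed by sudo (assumed):   %s\n' "$FAKE_SECURE_PATH"
printf 'sudo su   (non-login shell): %s\n' "$(path_in_shell nonlogin "$DEMO_HOME")"
printf 'sudo su - (login shell):     %s\n' "$(path_in_shell login "$DEMO_HOME")"
```

The non-login PATH is the imposed value with only what ~/.bashrc prepends, which is the shape of the output in step 3. The login PATH is rebuilt by /etc/profile and ~/.bash_profile, so whether and where the imposed value survives depends on the system's /etc/profile, which is why step 4 shows a different value again. On a real host, confirm the imposed value with sudo grep secure_path /etc/sudoers.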

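The rule that step 5 prints, operator1 ALL=(ALL) ALL, is the most permissive form a sudoers user specification can take. The following script, an added example that is not part of the course, parses user specifications into their fields and flags the ones that amount to unrestricted root. The rules it runs against are constructed for the demonstration; on a real host the authoritative check is sudo -l -U operator1 as root (or sudo -l as the user in question), and visudo -c validates the syntax of the policy files.

```shell
#!/bin/sh
# Added example, not part of the course: parse sudoers user specifications
# and flag the ones that amount to unrestricted root. The rules in the demo
# below are constructed; the live check on a host is `sudo -l -U <user>`.
#
# Form handled (the common one):
#   who  host=(runas_user[:runas_group]) [TAG: ...] command[, command ...]
# When the (runas) part is absent, sudo runs the command as root.

set -u

# Print "who|host|runas|tags|cmds" for one rule; returns 1 for lines that
# are not user specifications (comments, Defaults, alias definitions).
parse_sudoers_rule() {
    case $1 in
        Defaults*|*_Alias*|'#'*|'') return 1 ;;
    esac
    fields=$(printf '%s\n' "$1" | sed -E \
        -e 's/[[:space:]]+/ /g; s/^ //; s/ $//' \
        -e 's/^([^ ]+) ([^ =]+) *= *(\(([^)]*)\) *)?(([A-Z_]+: *)*)(.*)$/\1|\2|\4|\5|\7/')
    case $fields in
        *\|*\|*\|*\|*) ;;            # four separators: the substitution fired
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS='|'; set -f; set -- $fields; set +f; IFS=$old_ifs   # -f: no globbing of cmds
    runas=${3:-root}                 # sudoers default when (runas) is omitted
    tags=${4-}; tags=${tags% }       # drop the blank the regex keeps after ':'
    printf '%s|%s|%s|%s|%s\n' "$1" "$2" "$runas" "$tags" "${5-}"
}

# Print "root-equivalent" or "restricted", then ",nopasswd" or ",password".
# A rule is root-equivalent when it allows any command (ALL) as root or as
# any user. A narrower command list counts as restricted here even though
# some commands (editors, shells, pagers) still hand out a root shell.
classify_sudoers_rule() {
    parsed=$(parse_sudoers_rule "$1") || return 1
    old_ifs=$IFS
    IFS='|'; set -f; set -- $parsed; set +f; IFS=$old_ifs
    runas_user=${3%%:*}              # ignore any :runas_group part
    level=restricted
    if [ "${5-}" = ALL ]; then
        case $runas_user in ALL|root) level=root-equivalent ;; esac
    fi
    case ${4-} in
        *NOPASSWD:*) auth=nopasswd ;;
        *)           auth=password ;;
    esac
    printf '%s,%s\n' "$level" "$auth"
}

# Constructed rules for the demo (not taken from any real sudoers file).
DEMO_RULES='operator1 ALL=(ALL) ALL
%wheel ALL=(root) NOPASSWD: /usr/bin/tail -5 /var/log/messages
backup ALL = /usr/bin/rsync
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin'

printf '%s\n' "$DEMO_RULES" | while IFS= read -r rule; do
    if out=$(classify_sudoers_rule "$rule"); then
        printf '%-62s %s\n' "$rule" "$out"
    else
        printf '%-62s %s\n' "$rule" "(not a user specification)"
    fi
done
```

The parser keeps the sudo defaults in mind: an omitted (runas) means root, and a rule without NOPASSWD still asks for the caller's own password, exactly as step 6 shows for operator1.
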
Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish users-superuser

Revision: rh199-9.3-8dd73db