Snow Crash Snow Crash -4 years ago 88
Bash Question

sudo -i: why does this give a root shell?

Running

sudo -i
I end up with a root shell on my Linux box.

But reading up on the
-i
option it says:

-i, --login
Run the shell specified by the target user's password database entry as a login shell. This means that
login-specific resource files such as .profile or .login will be read by the shell. If a command is
specified, it is passed to the shell for execution via the shell's -c option. If no command is speci‐
fied, an interactive shell is executed. sudo attempts to change to that user's home directory before
running the shell. The command is run with an environment similar to the one a user would receive at
log in. The Command Environment section in the sudoers(5) manual documents how the -i option affects
the environment in which a command is run when the sudoers policy is in use.


I'm not clear.

Why is the
target user
root?

And how is this different from
sudo su
?

Answer Source

Because 'root' is the default user. Emphasis is from me.

-u user, --user=user

Run the command as a user other than the default target user (usually root). The user may be either a user name or a numeric user ID (UID) prefixed with the ‘#’ character (e.g. #0 for UID 0). When running commands as a UID, many shells require that the ‘#’ be escaped with a backslash (‘\’). Some security policies may restrict UIDs to those listed in the password database. The sudoers policy allows UIDs that are not in the password database as long as the targetpw option is not set. Other security policies may not support this.

sudo su is effectively executing the su command as the user specified (or root by default).

The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser.

As you are running su as 'root' (due to the use of sudo), you aren't then asked to prove your identity with a password - many systems do not permit 'root' to login with a password, by placing a ! in field 2 of /etc/shadow.

"!" – the account is password locked, user will be unable to log-in via password authentication but other methods (e.g. ssh key) may be still allowed

Additionally, even if root does have password access, then on a system with multiple administrators, or a shared development system, then sharing a password is not ideal.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download