0

I've been using Linux on and off (almost exclusively off) for over a year. From everything I've read, including this, you can only get temporarily elevated privileges if your account is an "sudoer". But you enter the password for the account from which you are using sudo. There is no extra knowledge that you have to provide in order to get access to the elevated privilege.

I can see how this prevents users who already have access to elevated privileges from making serious mistakes, since they spend most of the time in a mode without elevated privileges. But it doesn't really serve the same purpose as (say) in Windows, where you can initiate elevated operations from an unelevated account, as long as you provide the login information of an elevated account. I like the greater barrier that this offers to the execution of privileged operations compared to making an account into an sudoer account.

While posting to ask if there a simple way to accomplish this in Ubuntu, I was provided hints that led me to a possible solution: Adding Defaults targetpw to /etc/sudoers using sudo visudo [1]. I don't want to blithely do this without confirming that it accomplishes the above without compromising security in some unanticipated way. Can those experienced with the use of /etc/sudoers please confirm this?

Afternote

I responded to the question of whether this answers my question, and I clicked "Yes". My question became marked as a duplicate question. But the question is not duplicate, it's just that the answer applies to my question. I don't ask how to use sudo from a standard account. I ask how to perform elevated functions, which could be using sudo or some other means. As it turns out, one answer isn't to use sudo from a standard account, but to transfer to a sudoer account. So the answer doesn't even address the question that I'm presumably duplicating. Another answer uses pkexec, which also answers my question, but again, not the question that I'm presumably duplicating. Therefore, my question adds value because people will not find those two answers unless they specifically search for sudoing from a nonsudoer account, which those answers do not answer (and which the user might not be seeking).

Notes

[1] E.g., here and here

user2153235
  • 163
  • 2
    I'm not sure what you're asking (you also didn't specify a Ubuntu product/release thus I'm speaking generically) but you can login using a root account which has full privileges in Ubuntu; it's just disabled by default on most Ubuntu product/release installs. – guiverc Feb 10 '23 at 04:05
  • I'm on Ubuntu 20.04.5 LTS. Regarding making Ubuntu like Windows, that's not what I'm seeking. I am seeking a specific behaviour that just happens to come from Windows, but the rest of the OS behaviour, no. And it's not because it comes from Windows that I want it. I said in my originally posted question that the reason is that it offers a greater barrier to execution of elevated operations, since you have to provide the password of an elevated account. I'll keep in mind your suggestion to su to a sudoer account. I'm not that familiar with su, but it's just a matter of Googling. Thanks – user2153235 Feb 10 '23 at 04:59
  • Your su sudoer-account does exactly what I was looking for. sudo by itself doesn't seem to because the login password is exactly the same as the password of the account from which sudo is being used. Did you want to post your suggestion to use su as the answer? It dispelled a lot of preconceptions of mine. For one thing, I thought that the sudoer list somehow played into who could use su (or possibly what account you can su to). As well, from online readings, I thought it clobbered the unelevated shell, e.g., like exec bash, when in fact, it acts more like a subshell. – user2153235 Feb 10 '23 at 06:15
  • You did read my answer in the dupe? There is a system to get admin rights without switching to another account, and that is Polkit (whose command line tool is pkexec). There is no need to su to another user. – muru Feb 12 '23 at 10:21
  • @muru: Sorry, I did see it, but it looked so foreign to me that I thought it may require installation of a non-default package. As it turns out, however, I was able to successfully issue pkexec --user lnxadmin whoami, where lnxadmin is a sudoer account. I will modify my "Afternote" to reflect this. Thanks. – user2153235 Feb 12 '23 at 18:11
  • As for the rest of the note, you're taking things too literally - most users here conflate "root", "sudo", "admin privileges" (like you yourself) - and since the OP of the dupe accepted my answer, it's pretty clear they didn't care about sudo itself, just admin privileges like you. And closing a question as a duplicate != deleting it. – muru Feb 13 '23 at 00:26
  • The rest of the note doesn't say that your answer doesn't meet the need of the poster. It says that the answer might be hard to find if people are searching for a means to perform elevated operations rather than to sudo from a non-sudoer account. I appreciate your clarification that closing a question as a dupe doesn't mean it is deleted. But for ease of finding a solution, I believe that it matters whether the question is really a dupe. – user2153235 Feb 13 '23 at 12:52
  • "that the answer might be hard to find if people are searching ..." And that is why duplicates exist, so that question asking for the same thing but phrased differently can act as sign posts. Your question is really a duplicate, and the useful kind (because it phrased things differently). – muru Feb 14 '23 at 11:12
  • OK, thanks for that explanation. As I see it, the nature of dups aren't clearly reflected in the message that I was given. It referred to the question as a dup when in fact, it's the answer that is a dup. The posted question is not asking the same thing, though user may seek the same end effect. – user2153235 Feb 14 '23 at 15:27

2 Answers2

2

If you're looking for something like this:

initiate elevated operations from an unelevated account, as long as you provide the login information of an elevated account.

Using su to temporarily run commands as another user is very similar.

To use this command, open a terminal and run:

su username

Replace username with the user you want to run commands from temporarily.

This will switch the open shell to that user. Run the commands you want to run.

When you're finished, type exit to finish the session and return the shell to the original user.

Nmath
  • 12,333
1

It's not at all clear to me why sudo can't do what you want.

Create a separate user with a strong password for everyone who needs sudo access. This is much more secure than sharing an admin password between users.

Give them sudo access to the commands they need.

If someone with sudo access needs to be root for more commands, you can run sudo -s to get a root shell.

Artur Meinild
  • 26,018