5

My user account on Ubuntu is olivier.

When I type the command groups olivier it returns:

olivier : olivier adm cdrom sudo dip plugdev lpadmin sambashare

So I am deducing I belong to the sudo group.

I have the following lines in my /etc/sudoers file:

#Allow members of group sudo to execute any command
%sudo    ALL=(ALL:ALL) ALL

If the members of group sudo can execute any command, why do I need to use the sudo command when I want to execute a command with privileges (for example, a rm on a folder where I am not the owner) even though I am logged in as the user olivier?

  • 1
    Because that is the mechanism to escalate privileges to root. If you do not enter sudo, your command will run as your user and not as root. See https://help.ubuntu.com/community/RootSudo. If you still have a question after reading that page, post back =) – Panther Nov 18 '17 at 15:27
  • 1
    It is a simple security measure, so that when you leave your computer while logged in no one can access those commands and mess stuff up for you. If you want to change that, we already have some great answers on this site on how to do so: the Q&A "Sudoers file, enable NOPASSWD for user, all commands", for example, and from there so many are cross-linked that you will probably find a solution. – Videonauth Nov 18 '17 at 15:27
  • In my sudoers file I have these lines: # User privilege specification root ALL=(ALL:ALL) ALL. I don't understand what the difference is with %sudo ALL=(ALL:ALL) ALL. When I am logged in as root with sudo su I type any command – Olivier Boissé Nov 18 '17 at 15:32
  • 3
    You can type any command when you're root, because root is the owner for almost the whole file-system. – Videonauth Nov 18 '17 at 15:42
  • 2
    Let's ask a different question... why would the contents of the sudoers file have any effect on what you can and can't do, if you aren't using sudo? Osmosis? – hobbs Nov 19 '17 at 00:34
  • 1
    Basically, that comment should say #Allow members of group sudo to execute any command via sudo. I guess whoever wrote it thought that the last two words are implied by the comment being in the sudoers file, i.e. the config file for sudo. – Paŭlo Ebermann Nov 19 '17 at 01:46

1 Answer

16

Having one's userid (or a group one is a member of) in the sudoers file gives one the capability to run commands as root (or other users, but that's advanced sudoers). It does NOT make one root all the time, which is what you seem to be assuming.

Speaking from a half century's experience with computers, being root all the time is too dangerous. Having to type sudo in front of the command gives one extra time to consider - will this shoot me in the foot?

Please read man sudo, man sudoers, man sudo_root.

waltinator
  • 36,399
  • What I don't understand are these lines in my sudoers file: # User privilege specification root ALL=(ALL:ALL) ALL and # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL. The lines are exactly the same, so why can't the members of the sudo group do the same thing as the root user? – Olivier Boissé Nov 18 '17 at 15:36
  • The members of the sudo group can do the same things as root user. This is accomplished via the sudo tool, which is what the sudoers file controls. – dobey Nov 18 '17 at 15:38
  • Please read man sudo, man sudoers, man sudo_root. – waltinator Nov 18 '17 at 15:38
  • OK, so this is the basic behavior of Ubuntu: only the root user can do everything he wants on the system. What I still don't understand is why there are an admin and a sudo group on Ubuntu; if the group sudo can execute every command on the system, is the admin group useless? – Olivier Boissé Nov 18 '17 at 15:53
  • 1
    AskUbuntu comments are not for extending questions or conversations. – waltinator Nov 18 '17 at 15:58
  • 3
    Also, since I never like the "We do this so you won't mess up your own system" argument, here's one with more reason: Sometimes you want to run the command as your user, and other times you want to run it as root. This gives you flexibility. Could you imagine, not knowing what commands are going to run as your user ID, and what would run as root? How would you know if you didn't have to put sudo before it? – Dan Chase Nov 18 '17 at 22:52
  • 1
    @DanChase: David Richerby's answer on Is it 'OK' to use the root user as a normal user? makes a pretty good argument (with funny but good analogies) for the avoiding breakage from typos argument. – Peter Cordes Nov 19 '17 at 03:53
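
An added illustration, not part of the original question or answer: a small shell function that reads the two sudoers lines quoted above and reports which of them apply to a given user, showing that both lines are the same grant for different subjects and that the grant is only something sudo looks up. It handles just the plain "who host=(runas) commands" form (no aliases, Defaults or includes); the function name sudo_rules_for and the user guest are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the two sudoers lines quoted on this page.
SUDOERS_SAMPLE='# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL'

# Group list taken from the question's `groups olivier` output.
OLIVIER_GROUPS='olivier adm cdrom sudo dip plugdev lpadmin sambashare'

# sudo_rules_for USER "GROUP LIST"   (hypothetical helper, simplified grammar)
# Prints every sample rule that applies to USER, either by user name or
# through a %group entry. A rule describes what sudo will permit when it is
# invoked; it does not change the uid of commands started without sudo.
sudo_rules_for() {
    user=$1
    groups=$2
    printf '%s\n' "$SUDOERS_SAMPLE" | while read -r who spec; do
        case $who in
            ''|'#'*) continue ;;                     # blank line or comment
            %*) case " $groups " in                  # %group: test membership
                    *" ${who#?} "*) ;;               # member: rule applies
                    *) continue ;;                   # not a member: skip
                esac ;;
            *)  [ "$who" = "$user" ] || continue ;;  # plain user name entry
        esac
        printf '%s via sudo: %s\n' "$user" "$spec"
    done
}

sudo_rules_for olivier "$OLIVIER_GROUPS"   # matches through %sudo
sudo_rules_for root "root"                 # matches the root line
sudo_rules_for guest "guest"               # hypothetical non-member: no output
```

On a real system the same distinction shows up by comparing `id -u` with `sudo id -u`: the first prints your own uid, the second prints 0.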