# Responsible use of sudo

Previously, you explored authorization, authentication, and Linux commands with <var>sudo</var>, <var>useradd</var>, and <var>userdel</var>. The <var>sudo</var> command is important for security analysts because it allows users to have elevated permissions without risking the system by running commands as the root user. You’ll continue exploring authorization, authentication, and Linux commands in this reading and learn two more commands that can be used with <var>sudo</var>: <var>usermod</var> and <var>chown</var>.

## Responsible use of sudo

To manage authorization and authentication, you need to be a **root user**, or a user with elevated privileges to modify the system. The root user can also be called the “super user.” You become a root user by logging in as the root user. However, running commands as the root user is not recommended in Linux because it can create security risks if malicious actors compromise that account. It’s also easy to make irreversible mistakes, and the system can’t track who ran a command. For these reasons, rather than logging in as the root user, it’s recommended you use <var>sudo</var> in Linux when you need elevated privileges.

The <var>sudo</var> command temporarily grants elevated permissions to specific users. The name of this command comes from “super user do.” Users must be given access in a configuration file to use <var>sudo</var>. This file is called the “sudoers file.” Although using <var>sudo</var> is preferable to logging in as the root user, it's important to be aware that users with the elevated permissions to use <var>sudo</var> might be more at risk in the event of an attack.

You can compare this to a hotel with a master key. The master key can be used to access any room in the hotel. There are some workers at the hotel who need this key to perform their work. For example, to clean all the rooms, the janitor would scan their ID badge and then use this master key. However, if someone outside the hotel’s network gained access to the janitor’s ID badge and master key, they could access any room in the hotel. In this example, the janitor with the master key represents a user using <var>sudo</var> for elevated privileges. Because of the dangers of <var>sudo</var>, only users who really need to use it should have these permissions.

Additionally, even if you need access to <var>sudo</var>, you should use it only with the commands that require it and nothing more. Commands run with <var>sudo</var> bypass the typical security controls that are in place to keep an attacker from gaining elevated access.

**Note**: Watch for <var>sudo</var> when copying commands from an online source. It’s important you don’t run a command with <var>sudo</var> accidentally.

## Authentication and authorization with sudo

You can use <var>sudo</var> with many authentication and authorization management tasks. As a reminder, **authentication** is the process of verifying who someone is, and **authorization** is the concept of granting access to specific resources in a system. Some of the key commands used for these tasks include the following:

### **useradd**

The <var>useradd</var> command adds a user to the system. To add a user with the username of <var>fgarcia</var> with <var>sudo</var>, enter <var>sudo useradd fgarcia</var>. There are additional options you can use with <var>useradd</var>:

- <var>-g</var>: Sets the user’s default group, also called their primary group
- <var>-G</var>: Adds the user to additional groups, also called supplemental or secondary groups

To use the <var>-g</var> option, the primary group must be specified after <var>-g</var>. For example, entering <var>sudo useradd -g security fgarcia</var> adds <var>fgarcia</var> as a new user and assigns their primary group to be <var>security</var>.

To use the <var>-G</var> option, the supplemental group must be passed into the command after <var>-G</var>. You can add more than one supplemental group at a time with the <var>-G</var> option. Entering <var>sudo useradd -G finance,admin fgarcia</var> adds <var>fgarcia</var> as a new user and adds them to the existing <var>finance</var> and <var>admin</var> groups.

### **usermod**

The <var>usermod</var> command modifies existing user accounts. The same <var>-g</var> and <var>-G</var> options from the <var>useradd</var> command can be used with <var>usermod</var> if a user already exists.

To change the primary group of an existing user, you need the <var>-g</var> option. For example, entering <var>sudo usermod -g executive fgarcia</var> would change <var>fgarcia</var>’s primary group to the <var>executive</var> group.

To add a supplemental group for an existing user, you need the <var>-G</var> option. You also need a <var>-a</var> option, which appends the user to an existing group and is only used with the <var>-G</var> option. For example, entering <var>sudo usermod -a -G marketing fgarcia</var> would add the existing <var>fgarcia</var> user to the supplemental <var>marketing</var> group.

**Note:** When changing the supplemental group of an existing user, if you don't include the <var>-a</var> option, <var>-G</var> will replace any existing supplemental groups with the groups specified after <var>-G</var>. Using <var>-a</var> with <var>-G</var> ensures that the new groups are added but existing groups are not replaced.
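The following pre-flight check is an added example, not part of the original reading. It reports which supplemental groups a user would lose if <var>usermod -G</var> were run without <var>-a</var>; the function names are hypothetical, and it assumes group names contain no spaces or commas.

```shell
#!/bin/sh
# Added example: pre-flight check for the -G / -a pitfall.
# Function names are illustrative, not part of any standard tool.

# groups_lost CURRENT NEW
#   CURRENT: space-separated supplemental groups the user has now
#   NEW:     comma-separated list you intend to pass to usermod -G
# Prints the groups that `usermod -G NEW` (without -a) would remove.
groups_lost() {
    current=$1
    new=$2
    lost=""
    for g in $current; do
        case ",$new," in
            *",$g,"*) ;;                        # still listed, so it is kept
            *) lost="${lost:+$lost }$g" ;;      # not listed, so it is dropped
        esac
    done
    printf '%s\n' "$lost"
}

# supplemental_groups USER
#   Everything `id -Gn` reports, minus the primary group from `id -gn`.
supplemental_groups() {
    primary=$(id -gn "$1") || return 1
    out=""
    for g in $(id -Gn "$1"); do
        [ "$g" = "$primary" ] || out="${out:+$out }$g"
    done
    printf '%s\n' "$out"
}

# check_usermod_G USER NEW
#   Returns non-zero and names the groups at risk when -a is needed.
check_usermod_G() {
    lost=$(groups_lost "$(supplemental_groups "$1")" "$2")
    if [ -n "$lost" ]; then
        echo "usermod -G $2 $1 would remove: $lost (use -a -G to append)"
        return 1
    fi
    echo "no existing supplemental groups would be removed"
}
```

For a user already in <var>finance</var> and <var>admin</var>, `check_usermod_G fgarcia marketing` reports both groups as at risk, which is the signal to run <var>sudo usermod -a -G marketing fgarcia</var> instead.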

There are other options you can use with <var>usermod</var> to specify how you want to modify the user, including:

- <var>-d</var>: Changes the user’s home directory.
- <var>-l</var>: Changes the user’s login name.
- <var>-L</var>: Locks the account so the user can’t log in.

The option always goes after the <var>usermod</var> command. For example, to change <var>fgarcia</var>’s home directory to <var>/home/garcia\_f</var>, enter <var>sudo usermod -d /home/garcia\_f fgarcia</var>. The option <var>-d</var> directly follows the command <var>usermod</var> before the other two needed arguments.

### **userdel**

The <var>userdel</var> command deletes a user from the system. For example, entering <var>sudo userdel fgarcia</var> deletes <var>fgarcia</var> as a user. Be careful before you delete a user using this command.

The <var>userdel</var> command doesn’t delete the files in the user’s home directory unless you use the <var>-r</var> option. Entering <var>sudo userdel -r fgarcia</var> would delete <var>fgarcia</var> as a user and delete all files in their home directory. Before deleting any user files, you should ensure you have backups in case you need them later.

**Note**: Instead of deleting the user, you could consider deactivating their account with <var>usermod -L</var>. This prevents the user from logging in while still giving you access to their account and associated permissions. For example, if a user left an organization, this option would allow you to identify which files they have ownership over, so you could move this ownership to other users.

### **chown**

The <var>chown</var> command changes ownership of a file or directory. You can use <var>chown</var> to change user or group ownership. To change the user owner of the <var>access.txt</var> file to <var>fgarcia</var>, enter <var>sudo chown fgarcia access.txt</var>. To change the group owner of <var>access.txt</var> to <var>security</var>, enter <var>sudo chown :security access.txt</var>. You must enter a colon (<var>:</var>) before <var>security</var> to designate it as a group name.

Similar to <var>useradd</var>, <var>usermod</var>, and <var>userdel</var>, there are additional options that can be used with <var>chown</var>.
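The offboarding approach from the <var>userdel</var> note (lock the account, identify what it owns, then move ownership with <var>chown</var>) is sketched below as an added example that is not part of the original reading. The function names are hypothetical; <var>find</var>, <var>usermod -e</var>, and <var>chown -h</var> are standard options that this reading does not cover, and the script assumes it is run by an administrator with <var>sudo</var> rights.

```shell
#!/bin/sh
# Added example: offboard a user without deleting the account.
# Function names are illustrative; user and directory names come from the caller.

# lock_account USER
#   -L locks the password. Per usermod(8), also setting the expiry date
#   to 1 disables the account itself, not only password logins.
lock_account() {
    sudo usermod -L -e 1 "$1"
}

# owned_paths USER DIR
#   Lists everything under DIR that USER owns (name or numeric UID).
#   -xdev keeps find on a single filesystem.
owned_paths() {
    find "$2" -xdev -user "$1" -print
}

# count_owned USER DIR
count_owned() {
    owned_paths "$1" "$2" | wc -l | tr -d ' '
}

# transfer_ownership OLD NEW DIR
#   chown -h changes a symbolic link itself rather than the file it
#   points to, so a link left behind by OLD cannot redirect the change.
transfer_ownership() {
    sudo find "$3" -xdev -user "$1" -exec chown -h "$2" {} +
}

# offboard OLD NEW DIR: lock first, show what will change, then transfer.
offboard() {
    lock_account "$1" || return 1
    echo "$(count_owned "$1" "$3") paths under $3 owned by $1:"
    owned_paths "$1" "$3"
    transfer_ownership "$1" "$2" "$3"
}
```

Only the lock and transfer steps call <var>sudo</var>; listing the files needs no elevated privileges as long as the directories are readable.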

## Key takeaways

Authentication is the process of a user verifying their identity, and authorization is the process of determining what they have access to. You can use the <var>sudo</var> command to temporarily run commands with elevated privileges to complete authentication and authorization management tasks. Specifically, <var>useradd</var>, <var>userdel</var>, <var>usermod</var>, and <var>chown</var> can be used to manage users and file ownership.