Score:0

Ubuntu

Temporary admin/root privilege from non-sudoers account?

user2153235

2/10/24, 4:01 AM

I've been using Linux on and off (almost exclusively off) for over a year. From everything I've read, including this, you can only get temporarily elevated privileges if your account is an "sudoer". But you enter the password for the account from which you are using sudo. There is no extra knowledge that you have to provide in order to get access to the elevated privilege.

I can see how this prevents users who already have access to elevated privileges from making serious mistakes, since they spend most of the time in a mode without elevated privileges. But it doesn't really serve the same purpose as (say) in Windows, where you can initiate elevated operations from an unelevated account, as long as you provide the login information of an elevated account. I like the greater barrier that this offers to the execution of privileged operations compared to making an account into an sudoer account.

While posting to ask if there a simple way to accomplish this in Ubuntu, I was provided hints that led me to a possible solution: Adding Defaults targetpw to /etc/sudoers using sudo visudo [1]. I don't want to blithely do this without confirming that it accomplishes the above without compromising security in some unanticipated way. Can those experienced with the use of /etc/sudoers please confirm this?

Afternote

I responded to the question of whether this answers my question, and I clicked "Yes". My question became marked as a duplicate question. But the question is not duplicate, it's just that the answer applies to my question. I don't ask how to use sudo from a standard account. I ask how to perform elevated functions, which could be using sudo or some other means. As it turns out, one answer isn't to use sudo from a standard account, but to transfer to a sudoer account. So the answer doesn't even address the question that I'm presumably duplicating. Another answer uses pkexec, which also answers my question, but again, not the question that I'm presumably duplicating. Therefore, my question adds value because people will not find those two answers unless they specifically search for sudoing from a nonsudoer account, which those answers do not answer (and which the user might not be seeking).

Notes

[1] E.g., here and here

666

2 + 9

sudo

guiverc

2/10/24, 4:05 AM

I'm not sure what you're asking (*you also didn't specify a Ubuntu product/release thus I'm speaking generically*) but you can login using a *root* account which has full privileges in Ubuntu; it's just *disabled* by default on most Ubuntu product/release installs.

user2153235

2/10/24, 4:59 AM

I'm on Ubuntu 20.04.5 LTS. Regarding making Ubuntu like Windows, that's not what I'm seeking. I am seeking a specific behaviour that just happens to come from Windows, but the rest of the OS behaviour, no. And it's not because it comes from Windows that I want it. I said in my originally posted question that the reason is that it offers a greater barrier to execution of elevated operations, since you have to provide the password of an elevated account. I'll keep in mind your suggestion to `su` to a sudoer account. I'm not that familiar with `su`, but it's just a matter of Googling. Thanks

user2153235

2/10/24, 6:15 AM

Your `su sudoer-account` does exactly what I was looking for. `sudo` by itself doesn't seem to because the login password is exactly the same as the password of the account from which `sudo` is being used. Did you want to post your suggestion to use `su` as the answer? It dispelled a lot of preconceptions of mine. For one thing, I thought that the sudoer list somehow played into who could use `su` (or possibly what account you can `su` to). As well, from online readings, I thought it clobbered the unelevated shell, e.g., like `exec bash`, when in fact, it acts more like a subshell.

muru

2/12/24, 10:21 AM

You did read [my answer in the dupe](https://askubuntu.com/questions/641099/how-to-use-sudo-from-a-standard-user)? There is a system to get admin rights without switching to another account, and that is Polkit (whose command line tool is `pkexec`). There is no need to `su` to another user.

user2153235

2/12/24, 6:11 PM

@muru: Sorry, I did see it, but it looked so foreign to me that I thought it may require installation of a non-default package. As it turns out, however, I was able to successfully issue `pkexec --user lnxadmin whoami`, where `lnxadmin` is a sudoer account. I will modify my "Afternote" to reflect this. Thanks.

muru

2/13/24, 12:26 AM

As for the rest of the note, you're taking things too literally - most users here conflate "root", "sudo", "admin privileges" (like you yourself) - and since the OP of the dupe accepted my answer, it's pretty clear they didn't care about sudo itself, just admin privileges like you. And closing a question as a duplicate != deleting it.

user2153235

2/13/24, 12:52 PM

The rest of the note doesn't say that your answer doesn't meet the need of the poster. It says that the answer might be hard to find if people are searching for a means to perform elevated operations rather than to sudo from a non-sudoer account. I appreciate your clarification that closing a question as a dupe doesn't mean it is deleted. But for ease of finding a solution, I believe that it matters whether the question is really a dupe.

muru

2/14/24, 11:12 AM

"that the answer might be hard to find if people are searching ..." And that is why duplicates exist, so that question asking for the same thing but phrased differently can act as sign posts. Your question *is* really a duplicate, and the useful kind (because it phrased things differently).

user2153235

2/14/24, 3:27 PM

OK, thanks for that explanation. As I see it, the nature of dups aren't clearly reflected in the message that I was given. It referred to the *question* as a dup when in fact, it's the *answer* that is a dup. The posted question is not asking the same thing, though user may seek the same end effect.

Score:2

Ubuntu

Nmath

2/10/24, 6:31 AM

If you're looking for something like this:

initiate elevated operations from an unelevated account, as long as you provide the login information of an elevated account.

Using su to temporarily run commands as another user is very similar.

To use this command, open a terminal and run:

su username

Replace username with the user you want to run commands from temporarily.

This will switch the open shell to that user. Run the commands you want to run.

When you're finished, type exit to finish the session and return the shell to the original user.

+ 0

Score:1

Ubuntu

Artur Meinild

2/10/24, 7:05 AM

It's not at all clear to me why sudo can't do what you want.

Create a separate user with a strong password for everyone who needs sudo access. This is much more secure than sharing an admin password between users.

Give them sudo access to the commands they need.

If someone with sudo access needs to be root for more commands, you can run sudo -s to get a root shell.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Temporary admin/root privilege from non-sudoers account?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.