Learn › Linux Foundations › User Switching
sudo - a hands-on Linux lab on a real virtual machine.
See who you are with whoami and id, then borrow the root account for exactly one command with sudo. Read a root-only file, open a root shell with sudo -i, and prove every identity change in the practice terminal.
Every command you have run so far, you ran as you: an ordinary account named student. An account is just the identity Linux hands a person, with its own home folder and its own limits. Ordinary accounts are fenced in on purpose. They cannot read another person's private files, install software for everyone, or change how the whole machine runs. That fence is what keeps one person's mistake from breaking the box for everybody.
This lesson is about crossing that fence safely, for one command at a time, using a tool called sudo. But before you borrow power, you need to see exactly which identity you are holding right now.
The black boxes in this lesson are a practice terminal: a safe sandbox that only checks the one command each step teaches, so you cannot break anything. Switching accounts for real needs a live machine, so the practice terminals replay the exact output the real command prints. You do all of this for real on the machine at the end of the module.
The command whoami prints the name of the account you are currently acting as. It is the most direct question you can ask the machine: who am I? Type it and press Enter:
whoami
prompt: student@linuxcamp:~$ answer: whoami output: student hint: Six letters, one word, then press Enter: whoami
The machine answered student, the same name sitting on the left of your prompt: student@linuxcamp:~$. That is your ordinary, fenced-in account. Hold on to that answer. By the end of this lesson you will run one command that makes whoami say something very different.
whoami gives you a name. The id command gives you the whole ID card: your account, the numeric label behind that name, and every group you belong to. A group is a named set of accounts that share the same permissions, the way a keycard opens every door assigned to your team.
Run it with no arguments to read your own card:
id
prompt: student@linuxcamp:~$ answer: id output: uid=1001(student) gid=1001(student) groups=1001(student),2000(recon) hint: Just two letters, then press Enter: id
Read the card left to right. uid=1001(student) is your user id: the number 1001 is how the machine really tracks you, and student is the friendly name for it. gid=1001(student) is your primary group, the main team you belong to. groups=1001(student),2000(recon) lists every group you are in, so here you are also a member of recon (group number 2000). The names and numbers you see are the identity this machine gave your account. Numbers are handed out per machine, so on a different box the same person might read uid=1000 or carry a different group list. Read the shape of the card, not the exact digits.
whoami and id never change anything. They only report. That makes them the two commands you run before and after any switch, to prove who you were and who you became.
Your fence is not just an idea. You can walk straight into it. In your home folder is a directory called handoff, and inside it sits a file named root-orders.txt that belongs to the machine's most powerful account, not to you.
That most powerful account is called root: the administrator identity that owns the machine and can read, change, or delete anything on it. The root-orders.txt file is locked so that only root may open it. Try to read it as yourself with cat, the command that prints a file's contents:
cat ~/handoff/root-orders.txt
prompt: student@linuxcamp:~$ answer: cat ~/handoff/root-orders.txt output: cat: /home/student/handoff/root-orders.txt: Permission denied hint: Type cat, a space, then the path: cat ~/handoff/root-orders.txt
Permission denied. There is the fence, in plain words. The file exists and you named it correctly, but your ordinary student account has no right to open it, because it belongs to root. Nothing is broken. This is Linux protecting a file exactly the way it is supposed to. The next step is the key.
sudo means "do this one command as the root account." You keep your own login, your own home, your own everything. For the length of a single command, sudo lends you root's power, then hands the identity straight back. The name is short for "superuser do", and superuser is another word for root.
The proof is cleanest with a command you already know. Ask whoami, but this time run it through sudo:
sudo whoami
prompt: student@linuxcamp:~$ answer: sudo whoami output: root hint: Put sudo in front of the command you already know: sudo whoami
Plain whoami said student. sudo whoami said root. Same question, but the sudo in front ran that one command as the superuser, so the machine reported root as the identity doing the asking. The moment that command finished, you were back to being student. sudo did not log you in as root. It borrowed root for exactly one command.
Borrowing root is powerful, so sudo guards it. The very first time an account runs sudo, it prints a short warning, then asks for your own password (not root's) to confirm it is really you at the keyboard. The warning reads like this:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
For security reasons, the password you type will not be visible.
Then it prompts, using your account name:
[sudo] password for student:
As you type your password nothing appears on screen, no dots and no stars. That is deliberate, so no one reading over your shoulder can count the characters. You type it blind and press Enter.
This is the one part of sudo the practice terminal cannot act out. Whether it asks depends on machine state: sudo remembers you for a few minutes after a correct password, so a second sudo right away stays silent. On the module's real machine the setup skips the password entirely, so you can focus on the identity change. That is why sudo whoami above returned root with no prompt at all. Learn the lecture and prompt as the text you will meet on other machines.
Time to collect the payoff the lesson promised. Two steps back, cat ~/handoff/root-orders.txt slammed into Permission denied. The file never changed. Your permission did, for one command, the instant you put sudo in front. Run the exact same read, with the borrowed key this time:
sudo cat ~/handoff/root-orders.txt
prompt: student@linuxcamp:~$ answer: sudo cat ~/handoff/root-orders.txt output: CLASSIFIED HANDOFF -- ROOT EYES ONLY Only the root account may open this file. Prove you are root, then read it. hint: Same cat command as before, with sudo in front: sudo cat ~/handoff/root-orders.txt
The drawer opened. The very same file that answered Permission denied a moment ago just handed you its contents, because sudo cat ran the read as root, and root may open anything. Line for line, this is the whole idea of sudo. You do not become the administrator. You borrow the administrator's reach for one command that needs it, then drop straight back to your fenced-in student account.
Putting sudo in front works beautifully for a single command. But sometimes you have a whole run of administrator work to do, and typing sudo before every line gets old fast. For that, sudo -i opens a root shell: a session where every command you type is already running as root, until you leave it.
You can see the switch two ways. The prompt changes its last character from $ to #. That # is the classic Linux signal for "you are root now, be careful." And whoami, run inside that shell, reports the new identity:
sudo -i, then whoami
prompt: root@linuxcamp:~# answer: whoami output: root hint: Once the prompt ends in #, ask the same question as always: whoami
Inside the root shell, whoami says root: not for one command, but for the whole session. To leave and return to your own account you type exit, and the prompt drops back to student@linuxcamp:~$ with its ordinary $. That is the trade-off in one picture: sudo <command> borrows root for a single line, while sudo -i opens a root session you must remember to close. There is a close cousin of this, su -, which opens the same kind of login shell for root or for another account. It has a lesson of its own in this module.
Scaffolding off. No command is shown from here on. You have every piece you need.
You have read your own ID card, and you know how to borrow root for exactly one command. Combine the two: make the machine print root's full ID card, without opening a root shell.
prompt: student@linuxcamp:~$ answer: sudo id output: uid=0(root) gid=0(root) groups=0(root) hint: Put the borrowing command in front of the ID-card command, the same way you did with whoami.
uid=0(root). Root's user id is the number 0, and that zero is the real source of its power: to Linux, uid 0 is the account the fences do not apply to. You built that command from memory by stacking two tools you learned separately, which is exactly the move the real machine will ask of you.
The locked file is still sitting in ~/handoff/root-orders.txt, and plain cat still gets Permission denied. Read its contents anyway, from memory this time.
prompt: student@linuxcamp:~$ answer: sudo cat ~/handoff/root-orders.txt output: CLASSIFIED HANDOFF -- ROOT EYES ONLY Only the root account may open this file. Prove you are root, then read it. hint: The reading command is cat, the file lives at ~/handoff/root-orders.txt, and only root may open it. You know what goes in front.
The drawer opened again, and this time nobody showed you the key first. Borrow root, do the one thing, drop back: that reflex is the whole lesson, and you just proved you own it.
One last check, and it matters more than it looks. You just ran two commands as root. Ask the machine who you are right now, and predict the answer before you press Enter.
prompt: student@linuxcamp:~$ answer: whoami output: student hint: The very first command of this lesson. One word.
student. The borrowed power ended the instant each sudo command finished, and you are back behind your own fence with nothing left over. Checking your identity after administrator work is the habit that keeps engineers from running the next command as the wrong person.
You earned this cheat sheet. Every row is something you just ran on this machine:
The one idea under all of it: whoami and id tell you which identity you hold. sudo lends you root's power for exactly as long as you ask, no more. Reach for sudo <command> for a single administrator task, and sudo -i only when you have a stretch of them.
Root has no fence, so sudo has no undo. A delete run as root is gone for good. Read the command before you press Enter, and prefer sudo <command> over a root shell so the borrowed power ends the moment the command does.
The practice terminal has shown you the shape: whoami and id to see who you are, sudo to borrow root for one command, and sudo -i to open a root shell. Every one of those you typed yourself and watched the identity change in the output.
The User-Switching module ends with one real Linux machine, booted just for you. There a live handoff folder is waiting, with a root-orders.txt you cannot read as student until you prove you can become root. The mission shows no commands. You read each objective, recall the tool, and run it. Use whoami and id to confirm your identity, and sudo to reach past your fence, then confirm the identity change the same way you did here. That recall is what makes it stick.
If the module's su lesson is still waiting for you, take that too. Then go borrow the keys for real.
Practice sudo: Borrow Root for One Command in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.