- enables escalation/substitution of privileges - `su` stands for substitute user (root by default) but can impersonate another user - `su -` is short for `su --login` switches to interactive root shell after entering root password - `su -` switches to root login shell after entering root password - `su user_name` impersonate user after entering root password - `sudo` stands for substitute user do - defaults to root user - prompts current user's password and if current user is in sudoers file they can run the command as the substitute user - based on user or group that user belongs to - `sudo su -` or `sudo -i` gives interactive bash prompt as root user as if logged into system as root user - `/etc/sudoers` - typically initial user setup during installation is added here - can edit directly but its dangerous b/c if syntax is incorrect you can get locked out of system - best to use `visudo` to edit as it checks syntax - `sudo visudo` opens `/etc/sudoers` in nano - adding the entry `user_name ALL=(ALL:ALL) ALL` enables user to perform all commands for all user:groups - `policykit` is a security framework - `pkexec` is based on rules associated with a program - change rules for a specific program the associated file in `/usr/share/polkit-1/actions/program_policy` - edit `/etc/polkit-1` to override default policy settings - if locked out of system because you didn't use `visudo`, you can usually use `plexec` to get back to a steady state - `pkexec ls /root` has a gui dialog box that requires current user to enter their password to run `ls /root`