Practice privilege escalation the way it looks on a real host: run targeted commands with sudo, enter a root login
shell, switch users with a full login environment, then verify sudo access through group membership.
You are training a junior admin on switching users and using sudo correctly. The goal is to demonstrate safe escalation patterns: run a single privileged command, open a root login shell for multi-step work, create a temporary admin user, grant them sudo via the correct group, validate access, then clean everything up.
The difference between "I can run sudo" and "I understand privilege boundaries" shows up in the command choices you make under pressure.
sudo.
sudo -i.
su -.
sudo whoami and clean up with userdel -r.
sudo for single commands when possible. A full root shell increases blast radius if you mistype.
sudo -i matters because it loads root’s login environment, not just a root UID.
su - loads the target user’s login environment, which affects PATH and profile behavior.
sudo ls /root
Use sudo for one-off privileged commands. It limits blast radius and keeps a clean audit trail.
[sudo] password for lab:
file1.txt backup.tar.gz
sudo -i
sudo -i simulates a root login shell. Use it when you have several admin tasks to perform and want consistent
root environment behavior.
useradd tempsudo
Creating a temporary account is a safe way to validate group rules and sudo policy without touching production users.
passwd tempsudo
This makes the account usable for su - and for interactive sudo prompts.
The privileged group name differs by distro family. Use the appropriate command for your host, then verify.
usermod -aG sudo tempsudo    # Debian/Ubuntu family
usermod -aG wheel tempsudo   # RHEL/Fedora family
Group membership is not the same as effective capability. You still prove behavior with an actual sudo command.
exit
Dropping back to an unprivileged context is part of clean operational discipline.
su - tempsudo
su - loads the target user’s login environment, which matters when you are testing PATH, profiles, and group
membership behavior.
sudo whoami
This is the quick identity proof. If sudo is working, the output should be root.
root
sudo userdel -r tempsudo
Always remove training accounts and test access once verification is complete.
Group membership may not apply to an existing session. Re-enter a full login session with su -, or log out and
back in, then test again with sudo whoami.
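An added example (not part of the original lab): a small POSIX shell check that separates the cases the text distinguishes, namely that the user is not in the privileged group, that the user is in the group database but the running session predates the change, or that membership is active. The function names and the sample group database are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in "getent group" format (name:passwd:gid:members).
SAMPLE_DB='root:x:0:
sudo:x:27:lab,tempsudo
tempsudo:x:1001:'

# Print the privileged group found in a group database dump ($1):
# "sudo" or "wheel", whichever appears first, or nothing if neither exists.
admin_group() {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" || $1 == "wheel" { print $1; exit }'
}

# Succeed if user $2 is listed as a supplementary member of group $3
# in dump $1. This is the field that usermod -aG edits.
in_group_db() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# Classify the state for a user.
#   $1 = group database dump, $2 = user name,
#   $3 = groups of the running session, space separated (id -Gn output)
sudo_group_state() {
    grp=$(admin_group "$1")
    [ -n "$grp" ] || { echo "no-admin-group"; return; }
    if ! in_group_db "$1" "$2" "$grp"; then
        echo "not-member:$grp"
        return
    fi
    # The database says yes; does the session that is running agree?
    case " $3 " in
        *" $grp "*) echo "active:$grp" ;;
        *)          echo "stale-session:$grp" ;;   # re-enter with su - or log in again
    esac
}
```

On a live host, run it as the account under test: `sudo_group_state "$(getent group)" "$(id -un)" "$(id -Gn)"`. An `active` result still needs confirming with sudo whoami, because group membership only matters if the sudo policy grants that group rights.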
If you used sudo -i and forget you are root, you may accidentally run risky commands. Confirm identity with
whoami before changes, and exit back to a normal shell when you are done.
getent passwd tempsudo
ps -u tempsudo
sudo: Run commands with elevated privileges.
sudo -i: Start a root login shell.
  -i: Use a login shell environment.
su: Switch user.
su -: Switch user with a full login environment.
  -: Load the target user’s login environment.
useradd: Create a user account.
passwd: Set or change a user password.
usermod: Modify a user account.
  -a: Append to supplementary groups.
  -G: Set supplementary groups.
userdel: Delete a user account.
userdel -r: Delete a user and remove their home directory.
  -r: Remove home directory and mail spool.
whoami: Print effective username.
ls: List directory contents.
/root: Root user’s home directory.
getent: Query system databases.
ps: List processes.