Lab 28: Switching Users and Sudo Access

Practice privilege escalation the way it looks on a real host: run targeted commands with sudo, enter a root login shell, switch users with a full login environment, then verify sudo access through group membership.

Scenario

You are training a junior admin on switching users and using sudo correctly. The goal is to demonstrate safe escalation patterns: run a single privileged command, open a root login shell for multi-step work, create a temporary admin user, grant them sudo via the correct group, validate access, then clean everything up.

Operator context

The difference between “I can run sudo” and “I understand privilege boundaries” shows up in the command choices you make under pressure.

Objective

  • Run a privileged command with sudo.
  • Enter a root login shell using sudo -i.
  • Create a temporary user account.
  • Grant sudo access using group membership (sudo or wheel).
  • Switch into the new account with a full login environment.
  • Prove sudo works and clean up the account.

What You’ll Practice

  • Targeted escalation with sudo <command> versus opening a root shell.
  • Root login shell behavior using sudo -i.
  • Creating a user with useradd and setting a password with passwd.
  • Granting sudo via group membership: sudo (Debian/Ubuntu) vs wheel (RHEL family).
  • Switching users correctly with su - to load the target user's login environment.
  • Validating effective identity with sudo whoami.
  • Cleanup discipline with userdel -r.

Walkthrough

Step 1 : Run a single privileged command with sudo.
Command
sudo ls /root

Use sudo for one-off privileged commands. It limits blast radius and keeps a clean audit trail.

[sudo] password for lab:
file1.txt  backup.tar.gz

Step 2 : Open a root login shell for multi-step admin work.
Command
sudo -i

sudo -i simulates a root login shell. Use it when you have several admin tasks to perform and want consistent root environment behavior.

Step 3 : Create a temporary user for sudo testing.
Command
useradd tempsudo

Creating a temporary account is a safe way to validate group rules and sudo policy without touching production users.

Step 4 : Set a password for the new user.
Command
passwd tempsudo

This makes the account usable for su - and for interactive sudo prompts.

Step 5 : Grant sudo via group membership.
Command
# Debian/Ubuntu:
usermod -aG sudo tempsudo
Command
# RHEL family:
usermod -aG wheel tempsudo

Many systems delegate sudo authorization through a privileged group. The group name differs by distro family, so you need to recognize both patterns.

Step 6 : Exit the root login shell back to the regular user.
Command
exit

Dropping back to an unprivileged context is part of clean operational discipline.

Step 7 : Switch to the new user with a full login environment.
Command
su - tempsudo

su - loads the target user’s login environment, which matters when you are testing PATH, profiles, and group membership behavior.

Step 8 : Prove sudo works from the new account.
Command
sudo whoami

This is the quick identity proof: if sudo is working, the output should be root.

root

Step 9 : Clean up the temporary user and home directory.
Command
sudo userdel -r tempsudo

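Always remove training accounts and test access once the verification is complete. Run the command from your regular account after leaving the tempsudo session with exit; userdel refuses to remove an account that still has running processes.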
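
To check which accounts hold the Step 5 group grant, before and after cleanup, the following added example (not part of the original lab) reports every account that receives sudo through a %group rule. It reads sudoers-format and group-format files passed as arguments; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts hold sudo through a group rule.
# Assumption: only %group lines in the given file are read; include
# directories (e.g. sudoers.d) and primary-group membership are not followed.

# Print the group names that a sudoers-format file ($1) grants rules to.
sudoers_groups() {
    awk '/^[ \t]*%/ { g = $1; sub(/^%/, "", g); print g }' "$1" | sort -u
}

# Print the supplementary members of group $1 from group-format file $2.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# Print "user group" for every account that gets sudo via group membership.
# $1 = sudoers file, $2 = group file
sudo_via_group() {
    for grp in $(sudoers_groups "$1"); do
        for user in $(group_members "$grp" "$2"); do
            printf '%s %s\n' "$user" "$grp"
        done
    done
}

# Succeed (exit 0) only if user $1 appears in that report.
has_group_sudo() {
    sudo_via_group "$2" "$3" | awk -v u="$1" '$1 == u { f = 1 } END { exit !f }'
}

# Constructed sample files (not from a real host), written into directory $1.
write_sample() {
    cat > "$1/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
EOF
    cat > "$1/group" <<'EOF'
sudo:x:27:lab,tempsudo
wheel:x:10:olduser
users:x:100:lab
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
sudo_via_group "$demo_dir/sudoers" "$demo_dir/group"
rm -rf "$demo_dir"
```

On a live host, sudo -l -U <user> remains the authoritative check because it evaluates the full policy, including included files.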

Reference

  • sudo <command> : Runs a single command with elevated privileges.
  • sudo -i : Starts a root login shell (root environment).
  • useradd <user> : Creates a new user.
  • passwd <user> : Sets or changes a user password.
  • usermod -aG sudo <user> : Grants sudo on Debian/Ubuntu by adding to the sudo group.
  • usermod -aG wheel <user> : Grants sudo on RHEL family by adding to the wheel group.
  • su - <user> : Switches to another user and loads their login environment.
  • sudo whoami : Prints the effective user when running under sudo.
  • userdel -r <user> : Removes a user and their home directory.