What determines which Linux commands require root access?
It's mainly a matter of what the tool or program does. Keeping in mind that a non-superuser can only touch files that it owns or has access to, any tool that needs to be able to get its fingers into everything will require superuser access in order to do the thing which it does. A quick sample of Things that might require superuser access include, but are not limited to:
- Opening a listening TCP socket on a port below 1024
- Changing system configurations (e. g. anything in
/etc
) - Adding new globally-accessible libraries (
/lib
and/usr/lib
) or binaries (/bin
,/usr/bin
) - Touching any files not owned by the user who is doing the touching which don't have a sufficiently permissive mode
- Changing other users' files' ownership
- Escelating process priorities (e. g.
renice
) - Starting or stopping most services
- Kernel configuration (e. g. adjusting swappiness)
- Adjusting filesystem quotas
- Writing to "full" disks (most filesystems reserve some space for the root user)
- Performing actions as other users
In linux, the privileges of root were at one point divided into "capabilities", so you can get a full listing of root's special privileges by looking into that documentation: man 7 capabilities
.
To answer your question, a command will require running as root when it needs one of these privileges, and its non-script executable does not have the relevant capability set in its file metadata (e.g. if a python script requires the capability, then the capability would need to be in the python interpreter specified in the shebang line).
Do note that some commands that need root access do not need something like sudo
because they have the SUID bit set in their executable. This bit causes the executable to run as the owner (typically root) when executed by anyone that has execute access. An example is sudo
itself as changing users is a privileged action it needs to do.
EDIT: I note from your question that you might have the idea that you can determine if a command will need root access before running it. That's not the case. A program may sometimes require root privileges and other times not, and this could be a decision made by the program because of data it's provided during runtime. Take for example, calling vim
, just like that without arguments, and then through a series of keypresses and pasting, telling it to write something to a file it has no permission to write, or maybe executing another command that itself will require root privileges. Nothing about the command before executing could indicate that it would eventually require root access. That's something that can only be determined at the point it tries to do something that requires it.
Anyway, here are very few examples from the referenced manpage of the privileges of root:
- Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2));
- Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
- Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.
- Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting;
- modify routing tables;
- Bind a socket to Internet domain privileged ports (port numbers less than 1024).
- Load and unload kernel modules (see init_module(2) and delete_module(2));
- Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
- Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
- Use reboot(2) and kexec_load(2).
- Use chroot(2).
- Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;