Guide to Unix/Explanations/Becoming Root

From Wikibooks, open books for an open world

Most user accounts have only limited access to Unix. For example, it is common that users cannot delete files belonging to other users or parts of the system. Users can typically install new software in their home directories, but not into system directories like /usr. To install such software, change permissions on system files, start servers on the reserved ports below 1024, or do any other task from which normal users are barred, one must become the superuser. The superuser has the username root and user ID zero, and is allowed to do anything regardless of file permissions: the restrictions placed on user activity never apply to root.

NOTE: For Ubuntu and Kubuntu, see this.

Login as Root

The oldest way to access the superuser account is to log in as root, using the root password. For security reasons, and because many crackers on the net already know root's username, root logins are normally only permitted on local consoles. (Some systems allow root to log in through ssh because that is the only way in. A good system administrator would disable root logins as soon as they are no longer necessary, for example by uncommenting the "PermitRootLogin no" line in /etc/ssh/sshd_config on systems running OpenSSH.)

In general, it is bad practice to use root logins. One should use su or sudo instead, so that a user must first authenticate with a normal user account before becoming root. The only good reason to use a root login is during the initial setup of a Unix system, before another user account has been created and "su" or "sudo" has been tested. After this, root logins should be disabled on local consoles too.

Some installation programs let you create the first user account during installation. You never get a root password or make a root login, but the first user account can use sudo. Ubuntu Linux and Mac OS X are both systems which do this.
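To verify what an sshd_config actually enforces, here is an added example (not from the original book) that reads the file the way sshd does: comments are skipped, the first matching keyword wins, and settings after a "Match" line are conditional. The file contents in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: report the effective
# PermitRootLogin value in an sshd_config the way sshd itself reads it:
# comments are ignored, the keyword is case-insensitive, the FIRST
# occurrence wins (a later "PermitRootLogin no" does not override an
# earlier "yes"), and anything after a "Match" line is conditional, so
# it is not counted here.  Only the "Keyword value" form is handled.
effective_permit_root_login() {
    # $1: path to an sshd_config-style file
    awk '
        { sub(/#.*/, "") }                              # strip comments
        tolower($1) == "match" { exit }                 # leave the global section
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }               # sshd then uses its built-in default
    ' "$1"
}

# Demo on a constructed file: the commented-out line from the page plus
# the uncommented hardening line an administrator added below it.
demo_root_login_check() {
    tmp=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'Port 22' > "$tmp"
    effective_permit_root_login "$tmp"     # prints: no
    rm -f "$tmp"
}

demo_root_login_check
```

Run `effective_permit_root_login /etc/ssh/sshd_config` on a real host to see the value that is in force; "unset" means the compiled-in OpenSSH default applies.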

Use su

The su command allows anyone who knows the root password to get a root shell, and thus have all of the powers of root:

$ su
Password:
#

The name "su" stands for switch user or substitute user. One can specify a user (su USERNAME), but by default it switches you to root.

If su is given a "-" argument (su -), the shell type, working directory, environment variables and shell aliases are set up as if the user you switch to (root) had logged in normally at the login prompt of a virtual terminal.

Some systems require that you join the wheel group to have access to su. The requirement is that your username be listed in /etc/group on the line for group "wheel", group id zero. This requirement does not exist on some systems.

When one finishes with the root shell created by su, one should exit the root shell, so that it is not accidentally used later for normal user activity:

# exit
exit
$

Use sudo

There is a very configurable command called sudo which several Unix-like distros include. It allows one to run individual commands as root. In most cases, running sudo prompts for one's own user account password instead of the root password, so sudo is good for administrators who prefer not to memorize a separate root password, especially if they rarely use root.

The syntax to run a COMMAND as root is:

$ sudo COMMAND

For example, we try to view the log for email sent through a Unix-like system:

$ less /var/log/maillog
/var/log/maillog: Permission denied

Because the permission was denied, we use sudo to run the command as root:

$ sudo less /var/log/maillog

Another way to do that would be to use the !! command. The "bang-bang" expands to the last command entered at the shell, which is then re-printed and executed.

$ sudo !!
sudo less /var/log/maillog

Note that this is a bash feature. The feature doesn't work in sh. By default, most modern Unix-like systems tend to use bash. Just don't use it in shell scripts!

Configuring sudo

On some systems, sudo must be configured before you can use it. This is a useful configuration line to put in /etc/sudoers. It might already be there, but commented out.

%wheel  ALL=(ALL)       ALL

What does it mean? The first word, "%wheel", names who is allowed to use sudo; the percent sign indicates a group, so every user in group "wheel" gets this privilege. The first "ALL" means this applies on all hosts (useful if you copy the same sudoers file to several different Unix-like systems). The "(ALL)" lists the users the commands may be run as. We could say "(root)", but someone who can become root can become any other user anyway, so we just say "(ALL)". The last "ALL" indicates which commands are allowed: here, all of them.

Thus, the line provides that every user in group wheel can run any command as any user, including root. The only requirement is that the user enter a password: their own password, not root's password.
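As an added example (not from the original book), the following script pulls a sudoers line of this simple form apart into its four fields and checks whether a given user is covered by it, using the same /etc/group lookup described for the wheel group in the su section above. The group file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: pull apart a sudoers user
# specification of the simple "WHO HOSTS=(RUNAS) COMMANDS" form shown
# above, and check whether a given user is covered by it.  Tag words
# such as NOPASSWD: and comma-separated lists are not handled.
explain_sudoers_line() {
    # $1: one user-specification line, e.g. '%wheel ALL=(ALL) ALL'
    printf '%s\n' "$1" | awk '{
        who = $1
        hosts = $2; sub(/=.*/, "", hosts)                            # text before "="
        runas = $0; sub(/.*\(/, "", runas); sub(/\).*/, "", runas)   # text inside "(...)"
        cmds = $0; sub(/.*\)[ \t]*/, "", cmds)                       # text after ")"
        printf "who=%s hosts=%s runas=%s commands=%s\n", who, hosts, runas, cmds
    }'
}

# Does USER fall under the WHO field?  A leading "%" names a group, and
# membership is looked up in an /etc/group-style file (members are in
# the fourth field; a user whose primary group is that group appears
# only in /etc/passwd and is not detected here).
user_matches_spec() {
    # $1: user name, $2: sudoers line, $3: path to an /etc/group-style file
    who=$(printf '%s\n' "$2" | awk '{ print $1 }')
    case "$who" in
        %*) awk -F: -v g="${who#%}" -v u="$1" '
                $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
                END { exit !ok }' "$3" ;;
        *)  [ "$who" = "$1" ] ;;
    esac
}

# Demo with a constructed group file: alice is in wheel, bob is not.
demo_sudoers_check() {
    g=$(mktemp)
    printf '%s\n' 'wheel:x:0:root,alice' 'users:x:100:bob' > "$g"
    explain_sudoers_line '%wheel  ALL=(ALL)       ALL'
    for u in alice bob; do
        if user_matches_spec "$u" '%wheel  ALL=(ALL)       ALL' "$g"; then
            echo "$u: may run any command as any user (own password)"
        else
            echo "$u: not covered by this line"
        fi
    done
    rm -f "$g"
}

demo_sudoers_check
```

On a real system, always edit /etc/sudoers with visudo, which checks the syntax before saving; a malformed file can lock everyone out of sudo.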

Useful defaults

This line in /etc/sudoers disables two options.

Defaults        !insults, !lecture

The "insults" feature gives a random insult to any user who enters an incorrect password. The "lecture" feature prints a warning message to a user the first time they use "sudo" (after each boot of the system). It is intended for systems where the administrator grants (possibly limited) sudo access to many users; if only administrators use sudo, this option is not necessary.