Ubuntu Wiki

   1 18:00 <MichaelGodawski> Education Focus Group:
   2 18:00 <MichaelGodawski> Introduction to Root and Sudo
   3 18:01 <MichaelGodawski> by Michael.Godawski and forestpixie
   4 18:01 <MichaelGodawski> Short Introduction
   5 18:01 <MichaelGodawski> Welcome to the first course prepared by the Education Focus Group; a group from the Beginners Team on the Ubuntuforums.org. As mentioned this is our first course so we are glad to hear your feedback afterwards.
   6 18:01 <MichaelGodawski> First I wanted to ask how many of your are here for the course
   7 18:01 <linkmaster03>    me
   8 18:01 <Bodsda>  me
   9 18:01 <forestpixie>     o/
  10 18:02 <diogenes>        o/
  11 18:02 <MichaelGodawski> good not much but better then none :)
  12 18:03 <MichaelGodawski> Let's go quickly over the formalities:
  13 18:03 <MichaelGodawski> here is our site: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education
  14 18:03 <MichaelGodawski> new courses, articles, and resources will be published here.
  15 18:03 <MichaelGodawski> We are going to work with the terminal a bit so open it ( Applications > Accessories > Terminal )and also open a web-browser.
  16 18:03 <MichaelGodawski> Root and Sudo
  17 18:03 <MichaelGodawski> This course is aimed at the very beginners of Ubuntu/Linux; during the course we will cover some very basic terminal commands. So for some of you it might be boring, but for some still new and exciting
  18 18:03 <MichaelGodawski> Please bear in mind, we have to cover as much as possible and as easy as possible.
  19 18:03 <MichaelGodawski> Let's start.
  20 18:04 <MichaelGodawski> The root is the administrator of the system. He can change, edit, delete everything. He/she has absolute power over the system.
  21 18:04 <MichaelGodawski> But doing basic stuff like browsing the Internet, using applications etc. does not require the root access, it can be even harmful. The argument which often comes up, is that Ubuntu is restricting the user.
  22 18:04 <MichaelGodawski> The root account password is indeed locked as default in Ubuntu. This means you cannot login as root directly. Sometimes however you need root privileges for instance to install a piece of software or do some administrative tasks.
  23 18:04 <MichaelGodawski> Here is the grand entrance of sudo; "since the root account physically exists it is still possible to run programs with root-level privileges."
  24 18:04 <MichaelGodawski> So you can just add sudo in front of a command, type in your user password, and execute it as root.
  25 18:04 <MichaelGodawski> Sudo gives you root privileges temporally.
  26 18:05 <MichaelGodawski> Sudo can be split into: You do the command as super-user, as root.
  27 18:05 <MichaelGodawski> Let's do some basic terminal tasks now. We will create a new directory in your /home folder first. Sounds easy? It is.
  28 18:05 <MichaelGodawski> command:     mkdir ~/test
  29 18:05 <MichaelGodawski> The ~ is a symbol for /home/user-name. Open your home folder with Nautilus. And check if the test folder is there.
  30 18:06 <MichaelGodawski> is it?
  31 18:06 <linkmaster03>    yes :D
  32 18:06 <MichaelGodawski> To delete it we can use the rm command. On the forums there are many users who cannot operate with this command properly and they delete their whole system because they execute it with sudo and with a wrong syntax.
  33 18:06 <MichaelGodawski> The syntax is as follows:
  34 18:06 <MichaelGodawski> rm [OPTION]... FILE...
  35 18:06 <MichaelGodawski> Always specify a path to directory or folder after the rm command,
  36 18:07 <MichaelGodawski> command:    rm ~/test
  37 18:07 <MichaelGodawski> What happens? You get an error:
  38 18:07 <MichaelGodawski> rm: cannot remove `/home/michael/test': Is a directory
  39 18:07 <Bodsda>  yes
  40 18:07 <MichaelGodawski> rm is for removing files. We will use rm -r to delete recursively.  rm -r removes directories and their contents recursively so be careful with it.
  41 18:08 <MichaelGodawski> command:    rm -r ~/test
  42 18:08 <MichaelGodawski> Everything is fine? Than we proceed.
  43 18:08 <linkmaster03>    yep
  44 18:08 <MichaelGodawski> So for instance you want to create a directory in /usr.
  45 18:08 <MichaelGodawski> Let us check if there is no folder called test in /usr
  46 18:08 <MichaelGodawski> command:    ls /usr/
  47 18:09 <MichaelGodawski> command:     sudo mkdir /usr/test
  48 18:09 <MichaelGodawski> Navigate into the /usr directory with
  49 18:09 <MichaelGodawski> command:     cd /usr
  50 18:09 <MichaelGodawski> Use the command ls to list the directories located there. The test directory should be visible.
  51 18:09 <MichaelGodawski> Now we want to remove the test directory. Using the rm command via the terminal and especially with root privileges is very dangerous and must be executed with alertness and a cautious mind.
  52 18:10 <MichaelGodawski> The correct command to remove the test directory we have just created is:
  53 18:10 <MichaelGodawski> command:     sudo rm -r /usr/test
  54 18:10 <MichaelGodawski> Always remember to specify a path to the directory or file after the rm command or you are in big trouble.
  55 18:10 <MichaelGodawski> Questions so far? I hope your system is still there :)
  56 18:11 <linkmaster03>    a ton of text is scrolling by and it is removing /boot
  57 18:11 <linkmaster03>    is that good?
  58 18:11 <MichaelGodawski> not good
  59 18:11 <linkmaster03>    just kidding lol
  60 18:11 <MichaelGodawski> i was dying
  61 18:11 <linkmaster03>    :P
  62 18:11 <MichaelGodawski> next point then ::))))) no jokes :)
  63 18:11 <coolbhavi>       MichaelGodawski, I have a doubt
  64 18:12 <MichaelGodawski> next point then:
  65 18:12 <MichaelGodawski> Advantages/Disadvantages of Sudo
  66 18:12 <MichaelGodawski> Pros:
  67 18:12 <MichaelGodawski> You have only one password. This is a good thing when you are a forgetful person.
  68 18:12 <MichaelGodawski> Your actions are somewhat supervised by the precondition to enter your sudo/root password.
  69 18:12 <MichaelGodawski> Brute-force attacks on the root-account become meaningless because there is no root-account.
  70 18:12 <MichaelGodawski> The transfer of rights is very flexible and highly customizable. (via sudoers file)
  71 18:13 <MichaelGodawski> The default authentication is limited to a specific amount of time - 15 min (can be changed). So if you leave the machine, you do not leave an open root-terminal forever.
  72 18:13 <MichaelGodawski> Basically you can say using sudo is safer than a root account by default. The "restriction" to type in the password each time after sudo gives you a break to really think about the consequences of your next actions. Sudo can save you from your own genius.
  73 18:13 <coolbhavi>       MichaelGodawski, for removing/ making files of the user you dont need sudo in general right?
  74 18:13 <Bodsda>  coolbhavi, you can remove and make files/folders in your /home dir because you own it
  75 18:14 <MichaelGodawski> everything what happen in your /home folder is done without sudo
  76 18:14 <MichaelGodawski> yes Bodsda thx :)
  77 18:14 <linkmaster03>    we have two MichaelGodawski's cool
  78 18:14 <MichaelGodawski> feel free to jump in and help me out if you know better :)
  79 18:14 <MichaelGodawski> Cons
  80 18:14 <Bodsda>  if you did chown -R <username> /    then you would a) bugger everything up, and b) be able to create files folders anywhere without sudo -- i think :)
  81 18:14 <coolbhavi>       MichaelGodawski, yup that was what I was trying to tell :) Thanks
  82 18:15 <MichaelGodawski> Ok now the cons:
  83 18:15 <MichaelGodawski> A real life example:
  84 18:15 <MichaelGodawski> http://ubuntuforums.org/showthread.php?t=1001804
  85 18:15 <MichaelGodawski> Basically it can be summarized with: "Redirecting the output of commands run with sudo requires a different approach. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have
  86 18:15 <MichaelGodawski>  the file written to with root permissions, such as sudo sh -c ls > /root/somefile.
  87 18:15 <MichaelGodawski> This is just an info to be complete; you have not to understand the syntax of these commands now. Perhaps it is a topic for another course. For now it is sufficient to say that sudo needs a specifiic syntax when more than one command is executed at once.
  88 18:16 <easwar>  or when you are redirecting,as in this case
  89 18:16 <MichaelGodawski> Let's proceed we have some more topics ..... true easwar
  90 18:17 <MichaelGodawski> next point then:
  91 18:17 <MichaelGodawski> auth.log and .bash_history
  92 18:17 <MichaelGodawski> All your commmands started with sudo, executed with root privileges are stored in this log:
  93 18:17 <MichaelGodawski> /var/log/auth.log
  94 18:17 <MichaelGodawski> You can either access it by System - Administration - System Log - auth.log, or by typing into the terminal
  95 18:17 <MichaelGodawski> nano /var/log/auth.log
  96 18:17 <MichaelGodawski> This log is very useful if you messed something up, and want to look up the commands executed with sudo.
  97 18:17 <easwar>  MichaelGodawski, wouldn't be easier with cat /var/log/auth.log
  98 18:17 <Bodsda>  or nano can be replaced by any editor
  99 18:18 <MichaelGodawski> yes cat / less what you want :)
 100 18:18 <linkmaster03>    ooh i didn't know that one
 101 18:18 <easwar>  neither I
 102 18:18 <MichaelGodawski> wanted just to introduce one cli editor at this point
 103 18:18 <coolbhavi>       or more also some times I think :)
 104 18:18 <linkmaster03>    so will that log contain all commands execute as sudo?
 105 18:18 <MichaelGodawski> we all should no gedit and vim is complex
 106 18:18 <Bodsda>  coolbhavi, more is primitive less
 107 18:19 <MichaelGodawski> linkmaster03, The usual entry login and usage of a sudo command looks as follows:
 108 18:19 <coolbhavi>       :)
 109 18:19 <easwar>  emacs!I don't know anything about it though,I prefer vim
 110 18:19 <MichaelGodawski> Dec 4 10:35:37 michael-laptop sudo: michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get install ubuntu-restricted-extras
 111 18:19 <forestpixie>     can we cut the chat please
 112 18:19 <MichaelGodawski> thx forestpixie
 113 18:19 <linkmaster03>    ah yes i see it thank you MichaelGodawski
 114 18:19 <MichaelGodawski> you see the command executed and the user in this example the root
 115 18:19 <MichaelGodawski> There is also a log which stores every command you type into the terminal. It is located here:
 116 18:20 <Bodsda>  MichaelGodawski, may i ask a question?
 117 18:20 <easwar>  linkmaster03, that file contains all the commands with executed as sudo
 118 18:20 <MichaelGodawski> can we wait till the end of this section with questions and remarks?
 119 18:20 <MichaelGodawski> thx
 120 18:20 <Bodsda>  sure, sorry
 121 18:20 <MichaelGodawski> There is also a log which stores every command you type into the terminal. It is located here:
 122 18:20 <MichaelGodawski> ~/.bash_history
 123 18:20 <MichaelGodawski> So open it with nano ~/.bash_history and have a look at all your commands used so far. Notice that you do not need the sudo in front of the nano command, because the .bash-history is located in your home directory. In this directory the user has read, write and execute permissions.
 124 18:21 <MichaelGodawski> Other possibilities to open the log are:
 125 18:21 <MichaelGodawski> cat .bash_history |grep sudo
 126 18:21 <MichaelGodawski> If it was recent use tail as well
 127 18:21 <MichaelGodawski> cat .bash_history |grep sudo |tail
 128 18:21 <MichaelGodawski> Questions so far?
 129 18:22 <Bodsda>  MichaelGodawski, does auth.log store unsuccessful sudo attempts?
 130 18:22 <MichaelGodawski> good question let's try it out :) what do you mean by unsuccessful?
 131 18:22 <MichaelGodawski> wrong password?
 132 18:22 <MichaelGodawski> command not found?
 133 18:22 <Bodsda>  wrong password > 3 times -- or wrong password once
 134 18:23 <forestpixie>     I will try and report back
 135 18:23 <MichaelGodawski> we can solve this here I guess... just try it out everybody
 136 18:23 <Bodsda>  iirc sudo will re-prompt three times, if still unsuccessful it just doesnt run the command
 137 18:23 <MichaelGodawski> run this command: sudo apt-get installl foo
 138 18:23 <MichaelGodawski> does it occur in the log?
 139 18:24 <forestpixie>      1 incorrect password attempt
 140 18:24 <forestpixie>     so yes it does Bodsda :)
 141 18:24 <MichaelGodawski> Jan 17 19:24:14 michael-laptop sudo:  michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get installl f
 142 18:24 <Bodsda>  Jan 17 18:24:03 bod sudo:      bod : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bod ; USER=root ; COMMAND=/usr/bin/apt-get install foo
 143 18:24 <Bodsda>  bod@bod:~
 144 18:24 <linkmaster03>    yup it does
 145 18:24 <Bodsda>  yep :)
 146 18:24 <MichaelGodawski> nice question empirically solved
 147 18:25 <Bodsda>  so if you wanted to see if anyone had tried to use your computer while you were away
 148 18:25 <Bodsda>  you could
 149 18:25 <easwar>  I didn't enter anything as password,and it just reported an authentication failure
 150 18:25 <easwar>  not an "incorrect password attempt"
 151 18:25 <Bodsda>  cat /var/log/auth.log | grep incorrect
 152 18:25 <Bodsda>  or tail it first for recent incorrect attempts
 153 18:25 <easwar>  zilch results
 154 18:26 <easwar>  of course,I was only running sudo apt-get update
 155 18:26 <Bodsda>  easwar, it doesnt matter about the command
 156 18:26 <linkmaster03>    can we let the course go on :P
 157 18:26 <Bodsda>  easwar, the authentication error was still logged, but not as an incorrect attempt because you didnt attempt anything
 158 18:26 <MichaelGodawski> Jan 17 19:26:20 michael-laptop sudo: pam_unix(sudo:auth): authentication failure; logname=michael uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=michael
 159 18:27 <easwar>  Bodsda, hmm
 160 18:27 <easwar>  MichaelGodawski, exactly
 161 18:27 <MichaelGodawski> so you see everything is somehow logged. Especially useful while helping new users on the forums
 162 18:28 <MichaelGodawski> who have executed commands, and cannot remember how they nuked their system :)
 163 18:28 <MichaelGodawski> Let's come back to the theory. When you are asking yourself "what does this and that command actually do" run man commandname in the terminal for details.
 164 18:28 <MichaelGodawski> So for instance :
 165 18:28 <MichaelGodawski> man sudo
 166 18:28 <MichaelGodawski> There we read:
 167 18:29 <MichaelGodawski> DESCRIPTION
 168 18:29 <MichaelGodawski> sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.
 169 18:29 <MichaelGodawski> Next question: what is the sudoers file?
 170 18:29 <MichaelGodawski> "The sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what)."
 171 18:29 <MichaelGodawski> Here is an example of a sudoers file:
 172 18:29 <MichaelGodawski> http://www.gratisoft.us/sudo/sample.sudoers
 173 18:29 <easwar>  MichaelGodawski, one point I would like to make(later if you say so)
 174 18:30 <forestpixie>     later
 175 18:30 <MichaelGodawski> sure at the end of every sections is time to aks and speak
 176 18:30 <MichaelGodawski> And this is our default Ubuntu sudoers file:
 177 18:30 <Bodsda>  just a quick fyi, the sudoers file is located here: /etc/sudoers
 178 18:30 <MichaelGodawski> https://help.ubuntu.com/community/Sudoers#The Default Ubuntu Sudoers File
 179 18:31 <MichaelGodawski> good Bodsda
 180 18:31 <MichaelGodawski> Editing the sudoers file should be only done when you know what you are doing. A usual user, who just wants to work with the system, will never have to open this file if he/she does not want to.
 181 18:31 <MichaelGodawski> If you want more info on how to change the sudoers file ( but it is a rather rare task to do and some changes like removing the prompt for the sudo password are not supported by Canonical) have a look at:
 182 18:31 <MichaelGodawski> http://www.wlug.org.nz/SudoHowto
 183 18:31 <MichaelGodawski> https://help.ubuntu.com/community/Sudoers
 184 18:32 <MichaelGodawski> ok questions and remarks
 185 18:32 <MichaelGodawski> now
 186 18:32 <MichaelGodawski> :)
 187 18:32 <easwar>  [23:57]<MichaelGodawski> so you see everything is somehow logged. Especially useful while helping new users on the forums[23:58]<MichaelGodawski> who have executed commands, and cannot remember how they nuked their system :)<--If they have run sudo rm -rf /,even /var/log/auth.log won't be able to tell you what they've done
 188 18:32 <Bodsda>  lol, correct
 189 18:32 <MichaelGodawski> worst case scenario
 190 18:32 <linkmaster03>    /var is one of the last directories to be removed though
 191 18:32 <MichaelGodawski> true
 192 18:32 <forestpixie>     but I assume that they will be able to remeber that one :)
 193 18:33 <MichaelGodawski> questions to the audience from me if you run the sudo rm -rf command is there anything you can do to stop it??
 194 18:33 <easwar>  forestpixie, not,if they've run one of those "hex code gibberish" ways
 195 18:33 <linkmaster03>    Ctrl+C
 196 18:33 <Bodsda>  ctrl+c
 197 18:34 <MichaelGodawski> anybody tried this out ?  joke please do not try to replicate this :)
 198 18:34 <easwar>  linkmaster03, I don't know that,but why would /var be one of the last directories to be removed?
 199 18:34 <Bodsda>  easwar, those should never be run untill you can personally read all of the code (usually)
 200 18:34 <linkmaster03>    easwar: because it is alphabetically after most other directories in /
 201 18:34 * Bodsda sets up VM to disobey orders :)
 202 18:34 <forestpixie>     yes on a vm MichaelGodawski 
 203 18:34 <forestpixie>     it works ;)
 204 18:34 <linkmaster03>    easwar: so /boot, /bin, /etc, /home and stuff would be removed before it even got to /var
 205 18:34 <easwar>  Bodsda, I know,but those things were (unfortunately) disguised as help
 206 18:34 <MichaelGodawski> virtualization heaven :)
 207 18:35 <easwar>  linkmaster03, citation needed
 208 18:35 <forestpixie>     there are I believe some safeguards in jaunty 
 209 18:35 <Bodsda>  easwar, yes, the forums will catch them pretty quick now, and kmandla has posted a harmful commands sticky thread explaining some of them
 210 18:35 <linkmaster03>    eh google it
 211 18:35 <easwar>  Bodsda, I know that,that's where I found out
 212 18:36 <MichaelGodawski> ok next point then: :)
 213 18:36 <easwar>  and I wrote a thread too,asking exactly how they were disguised
 214 18:36 <MichaelGodawski> The Standards
 215 18:36 <MichaelGodawski> sh sh sh
 216 18:36 <MichaelGodawski> To enhance the security of Linux-Systems administrative tasks can only be executed with super-user (Administrator) privileges.
 217 18:36 <MichaelGodawski> With the prefix sudo the user can run a command with these privileges and change the system freely and without restrictions.
 218 18:36 <MichaelGodawski> Root is the Super-user in Linux. The Root can be compared to the Administrator in Windows. The root may do everything. The root may nuke his system, Linux/Ubuntu will kindly ask if the user really wants this to happen, and then it will explode.
 219 18:36 <MichaelGodawski> The Root can edit every single file on the system. Therefore it is rather dangerous to act as root the whole time.
 220 18:36 <MichaelGodawski> Root privileges are bound to time. So if the task at hand is accomplished, the super-user becomes a "normal" user again. This is reasonable, because every attacker which might somehow gain control over the system gains also the normal user rights, and not the root privileges.
 221 18:37 <MichaelGodawski> The Linux Standard
 222 18:37 <MichaelGodawski> During the installation a root account with a corresponding root password was created. Additional users with restricted rights were also set up. To do administrative tasks the user had use the Terminal: he/she had to switch with su (substitute user identity) and the root password into the role of the root. With exit the root became a normal user again.
 223 18:37 <MichaelGodawski> For a long period of time this was the usual procedure - but this method has some disadvantages:
 224 18:37 <MichaelGodawski> When you forget to exit the root mode, the system becomes vulnerable.
 225 18:37 <MichaelGodawski> You have to remember two different passwords: the root and the user password.
 226 18:38 <MichaelGodawski> The root account can be very seducing and can entice to do real damage
 227 18:38 <MichaelGodawski> The Ubuntu Standard
 228 18:38 <MichaelGodawski> of that the first user is able to activate root rights temporally.
 229 18:38 <MichaelGodawski> sry
 230 18:38 <MichaelGodawski> The Ubuntu developers followed a different path. A root account does exist, but it is disabled by default. Instead of that the first user is able to activate root rights temporally.
 231 18:38 <MichaelGodawski> This happens with the help of the terminal: sudo (super-user, do) in front of a command executes it with root right. Graphical applications are launched with gksudo or kdesudo respectively.
 232 18:38 <MichaelGodawski> So when Ubuntu asks you for a password, it is always the user (login) password. You won't see the password when you type it in into the Terminal; you have to type blindly, so to speak.
 233 18:39 <MichaelGodawski> Only users which belong to the admin group can gain root privileges. More precisely "for sudo, you do not need to be in the admin group; you only need access in the sudoers file, or in a group specified in the sudoers file; for su, you need to be in the admin group."
 234 18:39 <MichaelGodawski> More info on this topic can be found here:
 235 18:39 <MichaelGodawski> https://help.ubuntu.com/community/AddUsersHowto
 236 18:39 <MichaelGodawski> One disadvantage of this method might be the time-limited effect of the sudo command. You can extend the period however:
 237 18:39 <MichaelGodawski> https://help.ubuntu.com/community/RootSudoTimeout
 238 18:39 <MichaelGodawski> But it definitely has its advantages:
 239 18:40 <MichaelGodawski> More than once super-user can exist; they can have different rights.
 240 18:40 <MichaelGodawski> Time-limitations is set to 15 minutes, after this period of time the password must the re-entered.
 241 18:40 <MichaelGodawski> You have to remember only one password.
 242 18:40 <MichaelGodawski> The educational effect is bigger, because every time you do an important administrative task, the sudo password reminds you of it.
 243 18:40 <MichaelGodawski> Another advantage of sudo, it allows a graded access to root. The commands su (root environment) is all or none; but you can configure sudo such that a user may run some commands , but not others.
 244 18:40 <MichaelGodawski> To increase the time in which one have root privileges, for instance to run several commands, you can enter a pseudo-root-shell:
 245 18:40 <MichaelGodawski> command :     sudo -i
 246 18:41 <MichaelGodawski> and you can exit the root environment with the command :     exit
 247 18:41 <MichaelGodawski> END