IRC Question and Answer Session
topic: sudo and root
date: 17th January 2009
time: start 1800 UTC end ???
location: IRC - #ubuntu-classroom on freenode.net
An Introduction to the Concept of Root and Sudo
Understanding the usage of sudo not only gives the new Linux user a powerful tool to work with the system, but also teaches him/her one of the essential concepts of Ubuntu.
The concept of Sudo and Root is linked with themes such as "Terminal Usage", "Terminal Commands" or "Linux Permissions".
During the course the Ubuntu beginner will lose the fear of the terminal and learn how to operate with sudo and when it is better not to act as root.
- Differences between sudo and root account
- Usage and Examples
- Question Round
18:00 <MichaelGodawski> Education Focus Group:
18:00 <MichaelGodawski> Introduction to Root and Sudo
18:01 <MichaelGodawski> by Michael.Godawski and forestpixie
18:01 <MichaelGodawski> Short Introduction
18:01 <MichaelGodawski> Welcome to the first course prepared by the Education Focus Group; a group from the Beginners Team on the Ubuntuforums.org. As mentioned this is our first course so we are glad to hear your feedback afterwards.
18:01 <MichaelGodawski> First I wanted to ask how many of you are here for the course
18:01 <linkmaster03> me
18:01 <Bodsda> me
18:01 <forestpixie> o/
18:02 <diogenes> o/
18:02 <MichaelGodawski> good not much but better than none :)
18:03 <MichaelGodawski> Let's go quickly over the formalities:
18:03 <MichaelGodawski> here is our site: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education
18:03 <MichaelGodawski> new courses, articles, and resources will be published here.
18:03 <MichaelGodawski> We are going to work with the terminal a bit so open it ( Applications > Accessories > Terminal ) and also open a web-browser.
18:03 <MichaelGodawski> Root and Sudo
18:03 <MichaelGodawski> This course is aimed at the very beginners of Ubuntu/Linux; during the course we will cover some very basic terminal commands. So for some of you it might be boring, but for some still new and exciting
18:03 <MichaelGodawski> Please bear in mind, we have to cover as much as possible and as easy as possible.
18:03 <MichaelGodawski> Let's start.
18:04 <MichaelGodawski> The root is the administrator of the system. He can change, edit, delete everything. He/she has absolute power over the system.
18:04 <MichaelGodawski> But doing basic stuff like browsing the Internet, using applications etc. does not require the root access, it can be even harmful. The argument which often comes up, is that Ubuntu is restricting the user.
18:04 <MichaelGodawski> The root account password is indeed locked as default in Ubuntu. This means you cannot login as root directly. Sometimes however you need root privileges for instance to install a piece of software or do some administrative tasks.
18:04 <MichaelGodawski> Here is the grand entrance of sudo; "since the root account physically exists it is still possible to run programs with root-level privileges."
18:04 <MichaelGodawski> So you can just add sudo in front of a command, type in your user password, and execute it as root.
18:04 <MichaelGodawski> Sudo gives you root privileges temporarily.
18:05 <MichaelGodawski> Sudo can be split into: You do the command as super-user, as root.
18:05 <MichaelGodawski> Let's do some basic terminal tasks now. We will create a new directory in your /home folder first. Sounds easy? It is.
18:05 <MichaelGodawski> command: mkdir ~/test
18:05 <MichaelGodawski> The ~ is a symbol for /home/user-name. Open your home folder with Nautilus. And check if the test folder is there.
18:06 <MichaelGodawski> is it?
18:06 <linkmaster03> yes :D
18:06 <MichaelGodawski> To delete it we can use the rm command. On the forums there are many users who cannot operate with this command properly and they delete their whole system because they execute it with sudo and with a wrong syntax.
18:06 <MichaelGodawski> The syntax is as follows:
18:06 <MichaelGodawski> rm [OPTION]... FILE...
18:06 <MichaelGodawski> Always specify a path to directory or folder after the rm command,
18:07 <MichaelGodawski> command: rm ~/test
18:07 <MichaelGodawski> What happens? You get an error:
18:07 <MichaelGodawski> rm: cannot remove `/home/michael/test': Is a directory
18:07 <Bodsda> yes
18:07 <MichaelGodawski> rm is for removing files. We will use rm -r to delete recursively. rm -r removes directories and their contents recursively so be careful with it.
18:08 <MichaelGodawski> command: rm -r ~/test
18:08 <MichaelGodawski> Everything is fine? Then we proceed.
18:08 <linkmaster03> yep
18:08 <MichaelGodawski> So for instance you want to create a directory in /usr.
18:08 <MichaelGodawski> Let us check if there is no folder called test in /usr
18:08 <MichaelGodawski> command: ls /usr/
18:09 <MichaelGodawski> command: sudo mkdir /usr/test
18:09 <MichaelGodawski> Navigate into the /usr directory with
18:09 <MichaelGodawski> command: cd /usr
18:09 <MichaelGodawski> Use the command ls to list the directories located there. The test directory should be visible.
18:09 <MichaelGodawski> Now we want to remove the test directory. Using the rm command via the terminal and especially with root privileges is very dangerous and must be executed with alertness and a cautious mind.
18:10 <MichaelGodawski> The correct command to remove the test directory we have just created is:
18:10 <MichaelGodawski> command: sudo rm -r /usr/test
18:10 <MichaelGodawski> Always remember to specify a path to the directory or file after the rm command or you are in big trouble.
18:10 <MichaelGodawski> Questions so far? I hope your system is still there :)
18:11 <linkmaster03> a ton of text is scrolling by and it is removing /boot
18:11 <linkmaster03> is that good?
18:11 <MichaelGodawski> not good
18:11 <linkmaster03> just kidding lol
18:11 <MichaelGodawski> i was dying
18:11 <linkmaster03> :P
18:11 <MichaelGodawski> next point then ::))))) no jokes :)
18:11 <coolbhavi> MichaelGodawski, I have a doubt
18:12 <MichaelGodawski> next point then:
18:12 <MichaelGodawski> Advantages/Disadvantages of Sudo
18:12 <MichaelGodawski> Pros:
18:12 <MichaelGodawski> You have only one password. This is a good thing when you are a forgetful person.
18:12 <MichaelGodawski> Your actions are somewhat supervised by the precondition to enter your sudo/root password.
18:12 <MichaelGodawski> Brute-force attacks on the root-account become meaningless because there is no root-account.
18:12 <MichaelGodawski> The transfer of rights is very flexible and highly customizable. (via sudoers file)
18:13 <MichaelGodawski> The default authentication is limited to a specific amount of time - 15 min (can be changed). So if you leave the machine, you do not leave an open root-terminal forever.
18:13 <MichaelGodawski> Basically you can say using sudo is safer than a root account by default. The "restriction" to type in the password each time after sudo gives you a break to really think about the consequences of your next actions. Sudo can save you from your own genius.
18:13 <coolbhavi> MichaelGodawski, for removing/ making files of the user you don't need sudo in general right?
18:13 <Bodsda> coolbhavi, you can remove and make files/folders in your /home dir because you own it
18:14 <MichaelGodawski> everything that happens in your /home folder is done without sudo
18:14 <MichaelGodawski> yes Bodsda thx :)
18:14 <linkmaster03> we have two MichaelGodawski's cool
18:14 <MichaelGodawski> feel free to jump in and help me out if you know better :)
18:14 <MichaelGodawski> Cons
18:14 <Bodsda> if you did chown -R <username> / then you would a) bugger everything up, and b) be able to create files folders anywhere without sudo -- i think :)
18:14 <coolbhavi> MichaelGodawski, yup that was what I was trying to tell :) Thanks
18:15 <MichaelGodawski> Ok now the cons:
18:15 <MichaelGodawski> A real life example:
18:15 <MichaelGodawski> http://ubuntuforums.org/showthread.php?t=1001804
18:15 <MichaelGodawski> Basically it can be summarized with: "Redirecting the output of commands run with sudo requires a different approach. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have
18:15 <MichaelGodawski> the file written to with root permissions, such as sudo sh -c 'ls > /root/somefile'.
18:15 <MichaelGodawski> This is just an info to be complete; you do not have to understand the syntax of these commands now. Perhaps it is a topic for another course. For now it is sufficient to say that sudo needs a specific syntax when more than one command is executed at once.
18:16 <easwar> or when you are redirecting, as in this case
18:16 <MichaelGodawski> Let's proceed we have some more topics ..... true easwar
18:17 <MichaelGodawski> next point then:
18:17 <MichaelGodawski> auth.log and .bash_history
18:17 <MichaelGodawski> All your commands started with sudo, executed with root privileges are stored in this log:
18:17 <MichaelGodawski> /var/log/auth.log
18:17 <MichaelGodawski> You can either access it by System - Administration - System Log - auth.log, or by typing into the terminal
18:17 <MichaelGodawski> nano /var/log/auth.log
18:17 <MichaelGodawski> This log is very useful if you messed something up, and want to look up the commands executed with sudo.
18:17 <easwar> MichaelGodawski, wouldn't it be easier with cat /var/log/auth.log
18:17 <Bodsda> or nano can be replaced by any editor
18:18 <MichaelGodawski> yes cat / less what you want :)
18:18 <linkmaster03> ooh i didn't know that one
18:18 <easwar> neither I
18:18 <MichaelGodawski> wanted just to introduce one cli editor at this point
18:18 <coolbhavi> or more also some times I think :)
18:18 <linkmaster03> so will that log contain all commands executed as sudo?
18:18 <MichaelGodawski> we all should know gedit and vim is complex
18:18 <Bodsda> coolbhavi, more is primitive less
18:19 <MichaelGodawski> linkmaster03, The usual entry login and usage of a sudo command looks as follows:
18:19 <coolbhavi> :)
18:19 <easwar> emacs! I don't know anything about it though, I prefer vim
18:19 <MichaelGodawski> Dec 4 10:35:37 michael-laptop sudo: michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get install ubuntu-restricted-extras
18:19 <forestpixie> can we cut the chat please
18:19 <MichaelGodawski> thx forestpixie
18:19 <linkmaster03> ah yes i see it thank you MichaelGodawski
18:19 <MichaelGodawski> you see the command executed and the user in this example the root
18:19 <MichaelGodawski> There is also a log which stores every command you type into the terminal. It is located here:
18:20 <Bodsda> MichaelGodawski, may i ask a question?
18:20 <easwar> linkmaster03, that file contains all the commands executed as sudo
18:20 <MichaelGodawski> can we wait till the end of this section with questions and remarks?
18:20 <MichaelGodawski> thx
18:20 <Bodsda> sure, sorry
18:20 <MichaelGodawski> There is also a log which stores every command you type into the terminal. It is located here:
18:20 <MichaelGodawski> ~/.bash_history
18:20 <MichaelGodawski> So open it with nano ~/.bash_history and have a look at all your commands used so far. Notice that you do not need the sudo in front of the nano command, because the .bash_history is located in your home directory. In this directory the user has read, write and execute permissions.
18:21 <MichaelGodawski> Other possibilities to open the log are:
18:21 <MichaelGodawski> cat .bash_history |grep sudo
18:21 <MichaelGodawski> If it was recent use tail as well
18:21 <MichaelGodawski> cat .bash_history |grep sudo |tail
18:21 <MichaelGodawski> Questions so far?
18:22 <Bodsda> MichaelGodawski, does auth.log store unsuccessful sudo attempts?
18:22 <MichaelGodawski> good question let's try it out :) what do you mean by unsuccessful?
18:22 <MichaelGodawski> wrong password?
18:22 <MichaelGodawski> command not found?
18:22 <Bodsda> wrong password > 3 times -- or wrong password once
18:23 <forestpixie> I will try and report back
18:23 <MichaelGodawski> we can solve this here I guess... just try it out everybody
18:23 <Bodsda> iirc sudo will re-prompt three times, if still unsuccessful it just doesn't run the command
18:23 <MichaelGodawski> run this command: sudo apt-get installl foo
18:23 <MichaelGodawski> does it occur in the log?
18:24 <forestpixie> 1 incorrect password attempt
18:24 <forestpixie> so yes it does Bodsda :)
18:24 <MichaelGodawski> Jan 17 19:24:14 michael-laptop sudo: michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get installl f
18:24 <Bodsda> Jan 17 18:24:03 bod sudo: bod : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bod ; USER=root ; COMMAND=/usr/bin/apt-get install foo
18:24 <Bodsda> bod@bod:~
18:24 <linkmaster03> yup it does
18:24 <Bodsda> yep :)
18:24 <MichaelGodawski> nice question empirically solved
18:25 <Bodsda> so if you wanted to see if anyone had tried to use your computer while you were away
18:25 <Bodsda> you could
18:25 <easwar> I didn't enter anything as password, and it just reported an authentication failure
18:25 <easwar> not an "incorrect password attempt"
18:25 <Bodsda> cat /var/log/auth.log | grep incorrect
18:25 <Bodsda> or tail it first for recent incorrect attempts
18:25 <easwar> zilch results
18:26 <easwar> of course, I was only running sudo apt-get update
18:26 <Bodsda> easwar, it doesn't matter about the command
18:26 <linkmaster03> can we let the course go on :P
18:26 <Bodsda> easwar, the authentication error was still logged, but not as an incorrect attempt because you didn't attempt anything
18:26 <MichaelGodawski> Jan 17 19:26:20 michael-laptop sudo: pam_unix(sudo:auth): authentication failure; logname=michael uid=0 euid=0 tty=/dev/pts/1 ruser= rhost= user=michael
18:27 <easwar> Bodsda, hmm
18:27 <easwar> MichaelGodawski, exactly
18:27 <MichaelGodawski> so you see everything is somehow logged. Especially useful while helping new users on the forums
18:28 <MichaelGodawski> who have executed commands, and cannot remember how they nuked their system :)
18:28 <MichaelGodawski> Let's come back to the theory. When you are asking yourself "what does this and that command actually do" run man commandname in the terminal for details.
18:28 <MichaelGodawski> So for instance :
18:28 <MichaelGodawski> man sudo
18:28 <MichaelGodawski> There we read:
18:29 <MichaelGodawski> DESCRIPTION
18:29 <MichaelGodawski> sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.
18:29 <MichaelGodawski> Next question: what is the sudoers file?
18:29 <MichaelGodawski> "The sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what)."
18:29 <MichaelGodawski> Here is an example of a sudoers file:
18:29 <MichaelGodawski> http://www.gratisoft.us/sudo/sample.sudoers
18:29 <easwar> MichaelGodawski, one point I would like to make (later if you say so)
18:30 <forestpixie> later
18:30 <MichaelGodawski> sure at the end of every section there is time to ask and speak
18:30 <MichaelGodawski> And this is our default Ubuntu sudoers file:
18:30 <Bodsda> just a quick fyi, the sudoers file is located here: /etc/sudoers
18:30 <MichaelGodawski> https://help.ubuntu.com/community/Sudoers#The Default Ubuntu Sudoers File
18:31 <MichaelGodawski> good Bodsda
18:31 <MichaelGodawski> Editing the sudoers file should be only done when you know what you are doing. A usual user, who just wants to work with the system, will never have to open this file if he/she does not want to.
18:31 <MichaelGodawski> If you want more info on how to change the sudoers file ( but it is a rather rare task to do and some changes like removing the prompt for the sudo password are not supported by Canonical) have a look at:
18:31 <MichaelGodawski> http://www.wlug.org.nz/SudoHowto
18:31 <MichaelGodawski> https://help.ubuntu.com/community/Sudoers
18:32 <MichaelGodawski> ok questions and remarks
18:32 <MichaelGodawski> now
18:32 <MichaelGodawski> :)
18:32 <easwar> [23:57] <MichaelGodawski> so you see everything is somehow logged. Especially useful while helping new users on the forums [23:58] <MichaelGodawski> who have executed commands, and cannot remember how they nuked their system :) <-- If they have run sudo rm -rf /, even /var/log/auth.log won't be able to tell you what they've done
18:32 <Bodsda> lol, correct
18:32 <MichaelGodawski> worst case scenario
18:32 <linkmaster03> /var is one of the last directories to be removed though
18:32 <MichaelGodawski> true
18:32 <forestpixie> but I assume that they will be able to remember that one :)
18:33 <MichaelGodawski> questions to the audience from me if you run the sudo rm -rf command is there anything you can do to stop it??
18:33 <easwar> forestpixie, not, if they've run one of those "hex code gibberish" ways
18:33 <linkmaster03> Ctrl+C
18:33 <Bodsda> ctrl+c
18:34 <MichaelGodawski> anybody tried this out ? joke please do not try to replicate this :)
18:34 <easwar> linkmaster03, I don't know that, but why would /var be one of the last directories to be removed?
18:34 <Bodsda> easwar, those should never be run until you can personally read all of the code (usually)
18:34 <linkmaster03> easwar: because it is alphabetically after most other directories in /
18:34 * Bodsda sets up VM to disobey orders :)
18:34 <forestpixie> yes on a vm MichaelGodawski
18:34 <forestpixie> it works ;)
18:34 <linkmaster03> easwar: so /boot, /bin, /etc, /home and stuff would be removed before it even got to /var
18:34 <easwar> Bodsda, I know, but those things were (unfortunately) disguised as help
18:34 <MichaelGodawski> virtualization heaven :)
18:35 <easwar> linkmaster03, citation needed
18:35 <forestpixie> there are I believe some safeguards in jaunty
18:35 <Bodsda> easwar, yes, the forums will catch them pretty quick now, and kmandla has posted a harmful commands sticky thread explaining some of them
18:35 <linkmaster03> eh google it
18:35 <easwar> Bodsda, I know that, that's where I found out
18:36 <MichaelGodawski> ok next point then: :)
18:36 <easwar> and I wrote a thread too, asking exactly how they were disguised
18:36 <MichaelGodawski> The Standards
18:36 <MichaelGodawski> sh sh sh
18:36 <MichaelGodawski> To enhance the security of Linux-Systems administrative tasks can only be executed with super-user (Administrator) privileges.
18:36 <MichaelGodawski> With the prefix sudo the user can run a command with these privileges and change the system freely and without restrictions.
18:36 <MichaelGodawski> Root is the Super-user in Linux. The Root can be compared to the Administrator in Windows. The root may do everything. The root may nuke his system, Linux/Ubuntu will kindly ask if the user really wants this to happen, and then it will explode.
18:36 <MichaelGodawski> The Root can edit every single file on the system. Therefore it is rather dangerous to act as root the whole time.
18:36 <MichaelGodawski> Root privileges are bound to time. So if the task at hand is accomplished, the super-user becomes a "normal" user again. This is reasonable, because every attacker which might somehow gain control over the system gains also the normal user rights, and not the root privileges.
18:37 <MichaelGodawski> The Linux Standard
18:37 <MichaelGodawski> During the installation a root account with a corresponding root password was created. Additional users with restricted rights were also set up. To do administrative tasks the user had to use the Terminal: he/she had to switch with su (substitute user identity) and the root password into the role of the root. With exit the root became a normal user again.
18:37 <MichaelGodawski> For a long period of time this was the usual procedure - but this method has some disadvantages:
18:37 <MichaelGodawski> When you forget to exit the root mode, the system becomes vulnerable.
18:37 <MichaelGodawski> You have to remember two different passwords: the root and the user password.
18:38 <MichaelGodawski> The root account can be very seducing and can entice to do real damage
18:38 <MichaelGodawski> The Ubuntu Standard
18:38 <MichaelGodawski> of that the first user is able to activate root rights temporarily.
18:38 <MichaelGodawski> sry
18:38 <MichaelGodawski> The Ubuntu developers followed a different path. A root account does exist, but it is disabled by default. Instead of that the first user is able to activate root rights temporarily.
18:38 <MichaelGodawski> This happens with the help of the terminal: sudo (super-user, do) in front of a command executes it with root rights. Graphical applications are launched with gksudo or kdesudo respectively.
18:38 <MichaelGodawski> So when Ubuntu asks you for a password, it is always the user (login) password. You won't see the password when you type it into the Terminal; you have to type blindly, so to speak.
18:39 <MichaelGodawski> Only users which belong to the admin group can gain root privileges. More precisely "for sudo, you do not need to be in the admin group; you only need access in the sudoers file, or in a group specified in the sudoers file; for su, you need to be in the admin group."
18:39 <MichaelGodawski> More info on this topic can be found here:
18:39 <MichaelGodawski> https://help.ubuntu.com/community/AddUsersHowto
18:39 <MichaelGodawski> One disadvantage of this method might be the time-limited effect of the sudo command. You can extend the period however:
18:39 <MichaelGodawski> https://help.ubuntu.com/community/RootSudoTimeout
18:39 <MichaelGodawski> But it definitely has its advantages:
18:40 <MichaelGodawski> More than one super-user can exist; they can have different rights.
18:40 <MichaelGodawski> Time-limitation is set to 15 minutes; after this period of time the password must be re-entered.
18:40 <MichaelGodawski> You have to remember only one password.
18:40 <MichaelGodawski> The educational effect is bigger, because every time you do an important administrative task, the sudo password reminds you of it.
18:40 <MichaelGodawski> Another advantage of sudo, it allows a graded access to root. The command su (root environment) is all or none; but you can configure sudo such that a user may run some commands, but not others.
18:40 <MichaelGodawski> To increase the time in which one has root privileges, for instance to run several commands, you can enter a pseudo-root-shell:
18:40 <MichaelGodawski> command : sudo -i
18:41 <MichaelGodawski> and you can exit the root environment with the command : exit
18:41 <MichaelGodawski> END