RootSudo

Differences between revisions 2 and 23 (spanning 21 versions)
Revision 2 as of 2005-10-24 04:28:59
Size: 8370
Editor: S0106000d88b9f3db
Comment: restored - this is one of the most frequently cited wiki pages
Revision 23 as of 2006-02-15 18:08:16
Size: 8285
Editor: gordonprangnell
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Ubuntu uses {{{sudo}}} command to allow a '''normal user''' administrative privileges. Thus the traditional UNIX '''root''' account is disabled (i.e. it is not possible to log in as root). ||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;">'''Contents'''[[BR]][[TableOfContents]]||
Line 3: Line 3:
All the graphical configuration utilities use {{{sudo}}} by default. Thus when '''Synaptic''' or something similar asks you for a password, it is asking for '''your user password''', ''not the root password''. By default, the password for root is locked in Ubuntu. This means you cannot login as root or use su. Instead, the installer will setup sudo to allow the user that is created during install to run all administrative commands.
Line 5: Line 5:
The first user created is part of the ''admin group'', which can use {{{sudo}}}. Any users created after that are not by default.
It is recommended that all users of Ubuntu use sudo, as it provides clear benefits to security.
This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical sudo to prompt for a password. When sudo asks for a password, it needs '''YOUR password''', this means that a root password is not needed.
Line 10: Line 9:
 * Your password will '''not''' be echoed to the screen at all, not even as a row of stars (******). It is going in, however!
Line 12: Line 11:
Line 14: Line 12:
Line 16: Line 13:

* '''Breezy users''', go to {{{Applications --> System Tools --> Run as different user}}}.
 * '''Ubuntu 5.10 (Breezy Badger) users''', go to {{{Applications --> System Tools --> Run as different user}}}.
Line 20: Line 15:
Line 23: Line 17:
sudo chown bob * sudo chown bob:bob /home/bob/*
Line 25: Line 19:

Line 31: Line 23:
 * '''NEVER''' use sudo to start graphical programs. You should always use {{{gksudo}}} or {{{kdesu}}} to run such programs, otherwise new login attempts may fail. If this happens and at login an error message reports: "Unable to read ICE authority file", log in using the failsafe terminal and execute the command below subsituting user for your username.
{{{
chown user:user /home/user/.ICEauthority
}}}
 * To start a ''root shell'' (i.e. a command window where you can run root commands) use:
{{{
sudo -i
}}}
Line 32: Line 32:
To start a ''root shell'' (i.e. a command window where you can run root commands) use: == Allowing other users to run sudo ==
=== Ubuntu 4.10 (Warty Warthog) ===
In Warty, adding a new user involves editing the {{{/etc/sudoers}}} file. To edit that file, you must use {{{visudo}}} as it will error check the file before exiting. To add a user with the same administration rights as the first user, add the following lines to the file:
Line 35: Line 37:
sudo -s $newuser ALL=(ALL) ALL
Line 38: Line 40:
 /!\ '''Warning:''' {{{sudo -s}}} doesn't change the environment variables ({{{$HOME}}}, {{{$PATH}}}, etc). It can have some bad side effects. You can use {{{sudo -i}}} to initialize a full root environment.

== Adding users ==
=== Warty ===
In ''Warty'', adding a new user involves editing the {{{/etc/sudoers}}} file. To edit that file, you must use {{{visudo}}} as it will error check the file before exiting. To add a user with the same administration rights as the first user, add the following lines to the file:
<!> ''Replace the $newuser with the username.''[[BR]]
<!> When upgrading from Warty, to a newer version, add the admin group to /etc/sudoers using the line
Line 45: Line 43:
$newuser ALL=(ALL) ALL' %admin ALL=(ALL) ALL
}}}
And add the initial user to the admin group
{{{
sudo adduser $(geteent passwd 1000 | cut -f 1 -d :) admin
Line 48: Line 50:
<!> ''Replace the $newuser with the username.'' === Ubuntu 5.04 (Hoary Hedgehog) & Ubuntu 5.10 (Breezy Badger) ===
To add a new user to sudo, open the '''Users and Groups''' tool from {{{System --> Administration}}} menu. Then click on the user and then on properties. Choose the '''User Privileges''' tab. In the tab, find '''Executing system administration tasks''' and check that.
Line 50: Line 53:
=== Hoary & Breezy ===
To add a new user to sudo, open the '''Users and Groups''' tool from {{{System --> Adminitration}}} menu. Then click on the user and then on properties. Choose the '''User Privileges''' tab. In the tab, find '''Executing system administration tasks''' and check that.
/!\ In the terminal this would be: {{{sudo adduser $user admin}}}, where you replace $user with the name of the user.
Line 53: Line 55:
== Benefits of sudo == == Benefits of using sudo ==
Line 57: Line 59:
 * Initially the ''Ubuntu team'' wanted the easiest install possible. By not enabling '''root''', a couple of steps requiring user interaction during install could be avoided. (Colin Watson)  * The installer has to ask fewer questions
 * Users don't have to remember an extra password, which they are likely to forget
 * It avoids the "I can do ''anything''" interactive login by default -you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
 * Sudo adds a log entry of the command(s) run (In {{{/var/log/auth.log}}}). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
 * Every cracker trying to ''brute-force'' their way into your box will know it has an account named ''root'' and will try that first. What they don't know is what the usernames of your other users are.
 * Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the ''root'' account.
 * sudo can be setup with a much more fine-grained security policy
Line 59: Line 67:
 * Even more significantly, if '''root''' were enabled during install, the user would be required to forever remember the password they chose -even though they would rarely use it. Root passwords are often forgotten by users who are new to the Unix security model. (Matt Zimmerman)

 * It avoids the "I can do ''anything''" interactive login by default -you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing. If you were logged in as ''root'', you could just delete some of those "useless folders" and not realize you were in the wrong directory until it's too late. It's been good Unix practice for a long time to {{{su-command-^D}}} regularly instead of staying in a root shell--unless you're doing serious system maintenance (at which point you can still {{{sudo su}}}. (Jim Cheetham and Andrew Sobala)

 * Sudo adds a log entry of the command(s) run (In {{{/var/log/auth.log}}}). If you mess up, you can always go back and see what commands were run. (Andrew Zbikowski)

 * Every cracker trying to ''brute-force'' their way into your box will know it has an account named ''root'' and will try that first. What they don't know is what the usernames of your other users are.

 * Allows easy transfer for admin rights, in a short term or long term period, by added and removing users from groups, while not compromising the ''root'' account. (Stuart Bishop)

== Security ==

While there are various advantages and disadvantages to this approach, compared with the traditional superuser model. Neither is clearly superior overall.

 * By encouraging the execution of single commands with root privileges, rather than opening a shell, `sudo`:
  * Reduces the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
  * Provides a more useful audit trail
 * Having a separate root password (the traditional model) provides an extra layer of protection if an administrative user's password is compromised
 * In either case, if the administrative user (who uses `sudo` or `su` to become root) is compromised, the attacker can generally gain root through an indirect attack

== Possible issues with the "sudo" model ==
== Downsides of using sudo ==
Line 83: Line 71:
 * Some packages from universe are effectively broken (e.g. webmin) or become dangerous to use. A good workaround is to enable the root account before dealing with the affected packages (sudo su-; passwd <password>) and to lock it again afterwards (su -; passwd -l).
 * Redirecting the output of commands run with sudo can catch new users out (consider "sudo ls > /root/somefile"). Workarounds for this include using "sudo sh -c 'ls > /root/somefile'" (but escaping for this gets very ugly very quickly), using [http://www.greenend.org.uk/rjk/2001/06/adverbio.html Adverbio], or simply using sudo -s to get a root shell and going from there
  * ''MattZimmerman: A simple approach which works for most cases is to use dd(1): '' `ls | sudo dd of=/root/somefile`
 * In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked.
  * JerryHaltom: Perhaps in these cases it neccessitates the creation of a local account: "admin" with sudo to root privileges.
 * Redirecting the output of commands run with sudo can catch new users out. For instance consider {{{sudo ls > /root/somefile}}} will not work since it is the shell that tries to write to that file. You can use `ls | sudo tee -a /root/somefile` to append, or `ls | sudo tee /root/somefile` to overwrite contents.
 * In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled root password is needed here.
Line 102: Line 86:
== Enabling the root account ==
Note: This is not recommended! It will break all the GUI admin tools
== Going back to a traditional root account ==
<!> This is not recommended!
Line 105: Line 89:
=== Enabling the root account ===
Line 113: Line 98:
== Disabling the root account ==
Note: This is if you have already enabled a root account and wish to disable it again.
=== Disabling the root account ===
If you have enabled a root password and wish to disable it again.
Line 121: Line 106:
[[BR]] [[BR]] <!> This will also prevent you starting the computer in recovery mode on versions of Ubuntu before Ubuntu 6.04 (Dapper Drake)
 * This is because the password value for root in /etc/shadow is not automatically returned to the single * character required for passwordless recovery log in as root. (You will be asked for a password, as one still exists, but will not be able to log in as it is locked.) You will need to edit /etc/shadow to prevent this problem after enabling and then locking the root account. This has been fixed for Ubuntu 6.04 (Dapper Drake) (Flight 3 onwards), locked password and null (*) password are now treated as the same when recovery mode is started.
Line 122: Line 109:
== Running GUI applications with Root permissions == === Let sudo ask for the root password ===
You can make sudo ask for the root password instead of the user password, you can do this by adding the keyword {{{rootpw}}} to the line in {{{/etc/sudoers}}} that starts with {{{Defaults}}}.
Line 124: Line 112:
It is generally recommended that you do not run applications with root privileges, but if you have to, it is recommended that you do not run "sudo {GUIAPP}", as sudo may not set up the environment correctly, and particularly on KDE this can be detrimental. Instead, always use gksudo {GUIAPP} or kdesu {GUIAPP}. === Enabling graphical root login ===

<!> It is highly recommended not to allow root to login graphically!

==== In Gnome ====

 * Open System --> Administration --> Login Screen Setup
 * Click on the security tab
 * Check {{{Allow root login}}}

==== In KDE ====

  * Open Konqueror and open the /etc/kde3/kdm/ folder
  * Right click the kdmrc file and then Actions --> 'Edit as root'
  * On line 246 should be {{{AllowRootLogin=false}}} change it to 'true'
  * Save and exit.

By default, the password for root is locked in Ubuntu. This means you cannot login as root or use su. Instead, the installer will setup sudo to allow the user that is created during install to run all administrative commands.

This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical sudo to prompt for a password. When sudo asks for a password, it needs YOUR password, this means that a root password is not needed.

Notes

  • The password is stored by default for 15 minutes. After that time, you will need to enter your password again.
  • Your password will not be echoed to the screen at all, not even as a row of stars (******). It is going in, however!

  • To run the graphical configuration utilities with sudo, simply launch the application via the menu.

  • To run a program using sudo that normally is run as the user, such as gedit, go to Applications --> Run Application and enter gksudo gedit.

  • For users of Kubuntu, use kdesu in replacement for gksudo.

  • Ubuntu 5.10 (Breezy Badger) users, go to Applications --> System Tools --> Run as different user.

  • To use sudo on the command line, preface the command with sudo, as below:

Example #1

sudo chown bob:bob /home/bob/*

Example #2

sudo /etc/init.d/networking restart
  • NEVER use sudo to start graphical programs. You should always use gksudo or kdesu to run such programs, otherwise new login attempts may fail. If this happens and at login an error message reports: "Unable to read ICE authority file", log in using the failsafe terminal and execute the command below subsituting user for your username.

chown user:user /home/user/.ICEauthority
  • To start a root shell (i.e. a command window where you can run root commands) use:

sudo -i

Allowing other users to run sudo

Ubuntu 4.10 (Warty Warthog)

In Warty, adding a new user involves editing the /etc/sudoers file. To edit that file, you must use visudo as it will error check the file before exiting. To add a user with the same administration rights as the first user, add the following lines to the file:

$newuser        ALL=(ALL) ALL

Info <!> Replace the $newuser with the username.BR Info <!> When upgrading from Warty, to a newer version, add the admin group to /etc/sudoers using the line

%admin          ALL=(ALL) ALL

And add the initial user to the admin group

sudo adduser $(geteent passwd 1000 | cut -f 1 -d :) admin

Ubuntu 5.04 (Hoary Hedgehog) & Ubuntu 5.10 (Breezy Badger)

To add a new user to sudo, open the Users and Groups tool from System --> Administration menu. Then click on the user and then on properties. Choose the User Privileges tab. In the tab, find Executing system administration tasks and check that.

Warning /!\ In the terminal this would be: sudo adduser $user admin, where you replace $user with the name of the user.

Benefits of using sudo

The benefits of leaving root disabled by default include the following:

  • The installer has to ask fewer questions
  • Users don't have to remember an extra password, which they are likely to forget
  • It avoids the "I can do anything" interactive login by default -you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.

  • Sudo adds a log entry of the command(s) run (In /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.

  • Every cracker trying to brute-force their way into your box will know it has an account named root and will try that first. What they don't know is what the usernames of your other users are.

  • Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the root account.

  • sudo can be setup with a much more fine-grained security policy

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

  • Redirecting the output of commands run with sudo can catch new users out. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents.

  • In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled root password is needed here.

Misconceptions

  • Isn't sudo less secure than su?

    • The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses su or sudo must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and so must be protected with the same care as root.

      On a more esoteric level, sudo provides some features which encourage different work habits, which can positively impact the security of the system. sudo is commonly used to execute only a single command, while su is generally used to open a shell and execute multiple commands. The sudo approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.

  • I won't be able to enter single-user mode!

    • The sulogin program in Ubuntu is patched to handle the default case of a locked root password.

Going back to a traditional root account

Info <!> This is not recommended!

Enabling the root account

To enable the root account (i.e. set a password) use:

sudo passwd root

Enter your existing passwordBR Enter password for rootBR Confirm password for root

Disabling the root account

If you have enabled a root password and wish to disable it again. To disable the root account after you have enabled it use:

sudo passwd -l root

This locks the root account. BR BR Info <!> This will also prevent you starting the computer in recovery mode on versions of Ubuntu before Ubuntu 6.04 (Dapper Drake)

  • This is because the password value for root in /etc/shadow is not automatically returned to the single * character required for passwordless recovery log in as root. (You will be asked for a password, as one still exists, but will not be able to log in as it is locked.) You will need to edit /etc/shadow to prevent this problem after enabling and then locking the root account. This has been fixed for Ubuntu 6.04 (Dapper Drake) (Flight 3 onwards), locked password and null (*) password are now treated as the same when recovery mode is started.

Let sudo ask for the root password

You can make sudo ask for the root password instead of the user password, you can do this by adding the keyword rootpw to the line in /etc/sudoers that starts with Defaults.

Enabling graphical root login

Info <!> It is highly recommended not to allow root to login graphically!

In Gnome

  • Open System --> Administration --> Login Screen Setup

  • Click on the security tab
  • Check Allow root login

In KDE

  • Open Konqueror and open the /etc/kde3/kdm/ folder
  • Right click the kdmrc file and then Actions --> 'Edit as root'

  • On line 246 should be AllowRootLogin=false change it to 'true'

  • Save and exit.


CategoryDocumentation

RootSudo (last edited 2008-08-06 16:29:06 by localhost)