https://help.ubuntu.com/community/RootSudo
RootSudo
Note: For help with configuring sudo privileges via its configuration file /etc/sudoers, please see Sudoers.

Contents
1. Background Information
2. Advantages and Disadvantages
   1. Benefits of using sudo
   2. Downsides of using sudo
3. Usage
   1. sudo
   2. Graphical sudo
   3. Drag & Drop sudo
4. Users
   1. Allowing other users to run sudo
   2. Logging in as another user
   3. root account
      1. Enabling the root account
      2. Re-disabling your root account
5. Other Information
   1. Misconceptions
   2. Special notes on sudo and shells
6. Remove Password Prompt For sudo
7. Reset sudo timeout
8. Other Resources

Background Information

In Linux (and Unix in general), there is a SuperUser named Root. The Windows equivalent of Root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily Root, but most of the time it is a regular user.

By default, the Root account password is locked in Ubuntu. This means that you cannot login as Root directly or use the su command to become the Root user. However, since the Root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in - it allows authorized users (normally "Administrative" users; for further information please refer to AddUsersHowto) to run certain programs as Root without having to know the root password.
Advantages and Disadvantages

Benefits of using sudo

Some benefits of leaving Root logins disabled by default include the following:
- The Ubuntu installer has fewer questions to ask.
- Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).
- It avoids the "I can do anything" interactive login by default (e.g. the tendency by users to login as an "Administrator" user in Microsoft Windows systems), you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
- sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
- Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
- Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the Root account.
- sudo can be set up with a much more fine-grained security policy.
- The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
- The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.
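
The audit trail mentioned in the list above can be read back mechanically. The following script is an added example, not part of the original page: it classifies sudo entries from auth.log text as denied attempts, root shells, or ordinary commands. The log lines are constructed samples, and the function names and the host name box are assumptions.

```shell
#!/bin/sh
# Constructed sample lines in the format sudo writes to /var/log/auth.log.
sample_auth_log() {
cat <<'EOF'
Apr  7 18:01:02 box sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh -c ls > /root/somefile
Apr  7 18:01:02 box sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Apr  7 18:02:10 box sshd[811]: Accepted password for bob from 192.0.2.10 port 50022 ssh2
Apr  7 18:03:11 box sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Apr  7 18:04:40 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd root
Apr  7 18:05:00 box sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=amanda ; COMMAND=/bin/bash
Apr  7 18:06:30 box sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /root
Apr  7 18:07:15 box sudo:     erin : TTY=pts/4 ; PWD=/home/erin ; USER=root ; COMMAND=/bin/su -
EOF
}

# Read auth.log text on stdin; print one line per sudo event:
#   KIND <timestamp> <invoking user>-><target user> <command>
# KIND is DENIED (failed or unauthorised attempt), ROOT_SHELL (a shell or su
# started as root, the habit this page discourages) or CMD (anything else).
audit_sudo() {
    awk '
    index($0, " sudo: ") && index($0, "COMMAND=") {
        ts = $1 " " $2 " " $3
        line = substr($0, index($0, " sudo: ") + 7)
        sub(/^ +/, "", line)
        sep = index(line, " : ")
        user = substr(line, 1, sep - 1)
        rest = substr(line, sep + 3)
        # COMMAND= is the last field, so take everything after it;
        # splitting on " ; " would break commands that contain a semicolon.
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        target = "?"
        if (match(rest, /USER=[^ ]+/)) target = substr(rest, RSTART + 5, RLENGTH - 5)
        if (rest !~ /^[A-Z]+=/)          # a message precedes TTY=: attempt failed
            kind = "DENIED"
        else if (target == "root" && cmd ~ /^(\/usr)?\/bin\/((ba|da|z)?sh|su( .*)?)$/)
            kind = "ROOT_SHELL"
        else
            kind = "CMD"
        print kind, ts, user "->" target, cmd
    }'
}

sample_auth_log | audit_sudo
```

On a real system the same function can be fed the log directly, for example `audit_sudo < /var/log/auth.log`, which usually requires read access to that file.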
Downsides of using sudo
04/14/2011 04:25 PM
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
- Redirecting the output of commands run with sudo requires a different approach. For instance, sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
- In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or fix it, in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password is needed here. The local user account should have its $HOME on a local disk, _not_ on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.
- Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.

Usage

When using sudo, your password is stored by default for 15 minutes. After that time, you will need to enter your password again.
Your password will not be shown on the screen as you type it, not even as a row of stars (******). It is being entered with each keystroke!

sudo

To use sudo on the command line, preface the command with sudo, as below:

Example #1

    sudo chown bob:bob /home/bob/*

Example #2

    sudo /etc/init.d/networking restart

To repeat the last command entered, except with sudo prepended to it, run:

    sudo !!

Graphical sudo

You should never use normal sudo to start graphical applications as Root. You should use gksudo (kdesudo on Kubuntu) to run such programs. gksudo sets HOME=~root, and copies .Xauthority to a tmp directory. This prevents files in your home directory becoming owned by Root. (AFAICT, this is all that's special about the environment of the started process with gksudo vs. sudo).

Examples:

    gksudo gedit /etc/fstab

or

    kdesudo kate /etc/X11/xorg.conf

To run the graphical configuration utilities, simply launch the application via the Administration menu.
gksudo and kdesudo simply link to the commands gksu and kdesu.

Drag & Drop sudo

This is a trick from this thread on the Ubuntu Forums.
Create a launcher with the following command:

    gksudo "gnome-open %u"

When you drag and drop any file on this launcher (it's useful to put it on the desktop or on a panel), it will be opened as Root with its own associated application. This is helpful especially when you're editing config files owned by Root, since they will be opened
Users

Allowing other users to run sudo

To add a new user to sudo, open the Users and Groups tool from System->Administration menu. Then click on the user and then on properties. Choose the User Privileges tab. In the tab, find Administer the system and check that.
In Hardy Heron and newer, you must first Unlock, then you can select a user from the list and hit Properties. Choose the User Privileges tab and check Administer the system.
In the terminal this would be: sudo adduser <username> admin, where you replace <username> with the name of the user (without the <>).

Logging in as another user

Please don't use this to become Root, see further down in the page for more information about that.

    sudo -i -u <username>

For example to become the user amanda for tape management purposes.

    sudo -i -u amanda

The password being asked for is your own, not amanda's.

root account

Enabling the root account

Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...

    sudo -i

To enable the Root account (i.e. set a password) use:

    sudo passwd root

Re-disabling your root account

If for some reason you have enabled your root account and wish to disable it again, use the following command in terminal...

    sudo usermod -L root

Other Information

Misconceptions

Isn't sudo less secure than su?
The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses su or sudo must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and
On a more esoteric level, sudo provides some features which encourage different work habits, which can positively impact the security of the system. sudo is commonly used to execute only a single command, while su is generally used to open a shell and execute multiple commands. The sudo approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.

I won't be able to enter single-user mode!
The sulogin program in Ubuntu is patched to handle the default case of a locked root password.

I can get a root shell from the console without entering a password!
You have to enter your password.
Console users have access to the boot loader, and can gain administrative privileges in various ways during the boot process. For example, by specifying an alternate init(8) program. Linux systems are not typically configured to be secure at the console, and additional steps (for example, setting a root password, a boot loader password and a BIOS password) are necessary in order to make them so. Note that console users usually have physical access to the machine and so can manipulate it in other ways as well.

Special notes on sudo and shells

None of the methods below are suggested or supported by the designers of Ubuntu.
Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

To start a root shell (i.e. a command window where you can run Root commands), starting Root's environment and login scripts, use:

    sudo -i     (similar to sudo su -, gives you root's environment configuration)

To start a root shell, but keep the current shell's environment, use:

    sudo -s     (similar to sudo su)

For a brief overview of some of the differences between su, su -, and sudo -{i,s} see: Ubuntu Forums Post with nice table.
For a detailed description of the differences see man su and man sudo.

Remove Password Prompt For sudo

If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete Root access, and remote exploits become much easier for malicious crackers.
This method is NOT suggested nor supported by the designers of Ubuntu.
Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

These instructions are to remove the prompt for a password when using the sudo command. The sudo command will still need to be used for Root access though.

Edit the sudoers file

Open a Terminal window. Type in sudo visudo. Add the following line to the END of the file (if not at the end it can be nullified by later entries):

    <username> ALL=NOPASSWD: ALL
Type in ^x to exit. This should prompt for an option to save the file, type in Y to save.
Log out, log back in. This should now allow you to run the sudo command without being prompted for a password.
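
The placement matters because sudoers uses the last matching entry, which is also what an auditor has to evaluate when checking who ends up with passwordless root. The following script is an added example, not part of the original page; it applies a simplified last-match model (plain user, %group and ALL entries whose command list is ALL; no aliases, includes or continuation lines). The sudoers content is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sudoers fragments; %admin is the group used on this page.
base_rules() {
cat <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=NOPASSWD: /usr/bin/rsync
EOF
}
RULE='bob ALL=NOPASSWD: ALL'
sudoers_rule_first() { echo "$RULE"; base_rules; }   # entry placed at the top
sudoers_rule_last()  { base_rules; echo "$RULE"; }   # entry placed at the END

# Usage: effective_all_rule USER "GROUP ..." < sudoers-text
# Prints how the last matching "run any command" entry treats USER:
#   NOPASSWD, PASSWD, or NONE when no such entry matches.
# Simplified model (assumption): host and runas fields are not evaluated.
effective_all_rule() {
    awk -v user="$1" -v grps="$2" '
    BEGIN {
        n = split(grps, g, " ")
        for (i = 1; i <= n; i++) member["%" g[i]] = 1
        result = "NONE"
    }
    /^[ \t]*#/ || /^[ \t]*$/ || $1 ~ /^Defaults/ { next }
    # Entry applies to this user and its command list is ALL.
    ($1 == user || $1 == "ALL" || ($1 in member)) && /[ \t:=)]ALL[ \t]*$/ {
        result = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"   # later entries override
    }
    END { print result }'
}

echo "entry first, bob in admin: $(sudoers_rule_first | effective_all_rule bob admin)"
echo "entry last,  bob in admin: $(sudoers_rule_last  | effective_all_rule bob admin)"
```

With the entry first, the later %admin line wins and bob is still prompted; with the entry last, the prompt is gone, which is the state an audit should flag.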
Reset sudo timeout

You can make sure sudo asks for password next time by running:

    sudo -k

The default sudo timeout length can be changed by following this article: RootSudoTimeout.

Other Resources

- fixing sudo
- graphical sudo
- Ubuntu Forums policy on enabling the Root account
- sudo man page
- sudoers file man page

RootSudo (last edited 2011-04-07 18:03:11 by https://login.launchpad.net/+id/y7xtYzD@proxy1.library.nuigalway.ie[140.203.12.240]:Carn Draug)