
RootSudo - Community Ubuntu Documentation

https://help.ubuntu.com/community/RootSudo


RootSudo

Note: For help with configuring sudo privileges via its configuration file /etc/sudoers, please see Sudoers.

Contents
1. Background Information
2. Advantages and Disadvantages
   1. Benefits of using sudo
   2. Downsides of using sudo
3. Usage
   1. sudo
   2. Graphical sudo
   3. Drag & Drop sudo
4. Users
   1. Allowing other users to run sudo
   2. Logging in as another user
   3. root account
      1. Enabling the root account
      2. Re-disabling your root account
5. Other Information
   1. Misconceptions
   2. Special notes on sudo and shells
6. Remove Password Prompt For sudo
7. Reset sudo timeout
8. Other Resources

Background Information
In Linux (and Unix in general), there is a SuperUser named Root. The Windows equivalent of Root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily Root, but most of the time it is a regular user.

By default, the Root account password is locked in Ubuntu. This means that you cannot log in as Root directly or use the su command to become the Root user. However, since the Root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in: it allows authorized users (normally "Administrative" users; for further information please refer to AddUsersHowto) to run certain programs as Root without having to know the root password.

This means that in the terminal you should use sudo for commands that require root privileges; simply prepend sudo to all the commands you would normally run as Root. For more extensive usage examples, please see below. Similarly, when you run GUI programs that require root privileges (e.g. the network configuration applet), use graphical sudo and you will also be prompted for a password (more below). Just remember, when sudo asks for a password, it needs YOUR USER password, and not the Root account password.

Advantages and Disadvantages
Benefits of using sudo
Some benefits of leaving Root logins disabled by default include the following:
- The Ubuntu installer has fewer questions to ask.
- Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).
- It avoids the "I can do anything" interactive login by default (e.g. the tendency by users to log in as an "Administrator" user in Microsoft Windows systems). You will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
- sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
- Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
- Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the Root account.
- sudo can be set up with a much more fine-grained security policy.
- The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
- The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.
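
The auditing benefit above can be put to work with a small log filter. This is an added example, not part of the original page: the function names sudo_audit and sudo_failures are hypothetical, and the log lines are constructed samples in the syslog layout sudo writes to /var/log/auth.log.

```shell
#!/bin/sh
# Added example: summarise sudo activity from auth.log-style input.

# Constructed sample lines (not taken from a real system).
sample_auth_log() {
cat <<'EOF'
Apr 14 16:20:01 desk sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr 14 16:21:10 desk sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Apr 14 16:22:45 desk sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Apr 14 16:23:02 desk sshd[812]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Apr 14 16:25:30 desk sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/tee -a /root/somefile
EOF
}

# Read log lines on stdin; print STATUS<TAB>user<TAB>run-as<TAB>command
# for every sudo command record. Non-sudo lines are ignored.
sudo_audit() {
    awk '
    / sudo: / && /COMMAND=/ {
        # Keep what follows the "sudo:" tag: "user : field ; field ; ..."
        rest = $0; sub(/^.* sudo: +/, "", rest)
        user = rest; sub(/ :.*$/, "", user)
        status = "OK"
        if (rest ~ /incorrect password attempt/) status = "BADPASS"
        if (rest ~ /NOT in sudoers/)             status = "DENIED"
        # USER= is the account the command ran as; COMMAND= is the last field.
        target = substr(rest, index(rest, "USER=") + 5)
        sub(/ ;.*$/, "", target)
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        printf "%s\t%s\t%s\t%s\n", status, user, target, cmd
    }'
}

# Only the records an administrator should look at first.
sudo_failures() {
    sudo_audit | awk -F '\t' '$1 != "OK"'
}

sample_auth_log | sudo_audit
```

On a live system the same functions can be fed with `sudo_audit < /var/log/auth.log`, which itself needs read access to that file.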

Downsides of using sudo


04/14/2011 04:25 PM


Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
- Redirecting the output of commands run with sudo requires a different approach. For instance, sudo ls > /root/somefile will not work, since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
- In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or fix it, in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password, is needed here. The local user account should have its $HOME on a local disk, _not_ on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.
- Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.

Usage
When using sudo, your password is stored by default for 15 minutes. After that time, you will need to enter your password again.

Your password will not be shown on the screen as you type it, not even as a row of stars (******). It is being entered with each keystroke!

sudo
To use sudo on the command line, preface the command with sudo, as below:

Example #1
sudo chown bob:bob /home/bob/*

Example #2
sudo /etc/init.d/networking restart

To repeat the last command entered, except with sudo prepended to it, run:
sudo !!

Graphical sudo
You should never use normal sudo to start graphical applications as Root. You should use gksudo (kdesudo on Kubuntu) to run such programs. gksudo sets HOME=~root, and copies .Xauthority to a tmp directory. This prevents files in your home directory becoming owned by Root. (AFAICT, this is all that's special about the environment of the started process with gksudo vs. sudo).

Examples:
gksudo gedit /etc/fstab

or
kdesudo kate /etc/X11/xorg.conf

To run the graphical configuration utilities, simply launch the application via the Administration menu. gksudo and kdesudo simply link to the commands gksu and kdesu.

Drag & Drop sudo
This is a trick from this thread on the Ubuntu Forums. Create a launcher with the following command:
gksudo "gnome-open %u"

When you drag and drop any file on this launcher (it's useful to put it on the desktop or on a panel), it will be opened as Root with its own associated application. This is helpful especially when you're editing config files owned by Root, since they will be opened as read only by default with gedit, etc.


Users
Allowing other users to run sudo
To add a new user to sudo, open the Users and Groups tool from the System->Administration menu. Then click on the user and then on Properties. Choose the User Privileges tab. In the tab, find Administer the system and check that.

In Hardy Heron and newer, you must first Unlock, then you can select a user from the list and hit Properties. Choose the User Privileges tab and check Administer the system.

In the terminal this would be: sudo adduser <username> admin, where you replace <username> with the name of the user (without the <>).

Logging in as another user
Please don't use this to become Root, see further down in the page for more information about that.
sudo -i -u <username>

For example, to become the user amanda for tape management purposes:
sudo -i -u amanda

The password being asked for is your own, not amanda's.

root account
Enabling the root account
Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...
sudo -i

To enable the Root account (i.e. set a password) use:
sudo passwd root

Use at your own risk! Logging in to X as root may cause very serious trouble. If you believe you need a root account to perform a certain action, please consult the official support channels first, to make sure there is not a better alternative.

Re-disabling your root account
If for some reason you have enabled your root account and wish to disable it again, use the following command in terminal...

sudo usermod -L root

Other Information
Misconceptions
Isn't sudo less secure than su?
The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses su or sudo must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and so must be protected with the same care as Root.


On a more esoteric level, sudo provides some features which encourage different work habits, which can positively impact the security of the system. sudo is commonly used to execute only a single command, while su is generally used to open a shell and execute multiple commands. The sudo approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.

I won't be able to enter single-user mode!
The sulogin program in Ubuntu is patched to handle the default case of a locked root password.

I can get a root shell from the console without entering a password!
You have to enter your password.

Console users have access to the boot loader, and can gain administrative privileges in various ways during the boot process. For example, by specifying an alternate init(8) program. Linux systems are not typically configured to be secure at the console, and additional steps (for example, setting a root password, a boot loader password and a BIOS password) are necessary in order to make them so. Note that console users usually have physical access to the machine and so can manipulate it in other ways as well.

Special notes on sudo and shells
None of the methods below are suggested or supported by the designers of Ubuntu.

Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

To start a root shell (i.e. a command window where you can run Root commands), starting Root's environment and login scripts, use:
sudo -i (similar to sudo su -, gives you root's environment configuration)

To start a root shell, but keep the current shell's environment, use:
sudo -s (similar to sudo su)

For a brief overview of some of the differences between su, su -, and sudo -{i,s} see: Ubuntu Forums Post with nice table. For a detailed description of the differences see man su and man sudo.

Remove Password Prompt For sudo
If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete Root access, and remote exploits become much easier for malicious crackers.

This method is NOT suggested nor supported by the designers of Ubuntu.

Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

These instructions are to remove the prompt for a password when using the sudo command. The sudo command will still need to be used for Root access though.

Edit the sudoers file
Open a Terminal window. Type in sudo visudo. Add the following line to the END of the file (if not at the end it can be nullified by later entries):
<username> ALL=NOPASSWD: ALL

Replace <username> with your username (without the <>). This is assuming that Ubuntu has created a group with the same name as your username, which is typical. You can alternately use the group users or any other such group you are in. Just make sure you are in that group. This can be checked by going to System->Administration->Users and Groups.

Example:
michael ALL=NOPASSWD: ALL


Type in ^x to exit. This should prompt for an option to save the file, type in Y to save.

Log out, log back in. This should now allow you to run the sudo command without being prompted for a password.
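
Because a NOPASSWD entry weakens the machine as described above, it is worth being able to find such entries later. The following is an added example, not part of the original page: nopasswd_rules is a hypothetical helper, the sudoers text is a constructed sample, and the scan is deliberately simple (it does not follow include directives, expand aliases or join continuation lines).

```shell
#!/bin/sh
# Added example: list active NOPASSWD rules in sudoers-format text.

# Constructed sample, modelled on the entries discussed in this section.
sample_sudoers() {
cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# michael ALL=NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
michael ALL=NOPASSWD: ALL
EOF
}

# Read sudoers text on stdin; print SCOPE<TAB>who<TAB>commands for each
# rule that skips the password prompt. SCOPE is UNRESTRICTED when the
# command list contains ALL, otherwise LIMITED.
nopasswd_rules() {
    awk '
    # Skip comments, Defaults lines and blank lines.
    /^[ \t]*#/ || /^[ \t]*Defaults/ || NF == 0 { next }
    /NOPASSWD[ \t]*:/ {
        who = $1
        cmds = $0
        sub(/^.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)
        scope = (cmds ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/) ? "UNRESTRICTED" : "LIMITED"
        printf "%s\t%s\t%s\n", scope, who, cmds
    }'
}

sample_sudoers | nopasswd_rules
```

The commented-out michael line is correctly ignored; only the two live rules are reported, with the unrestricted one marked as such.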

Reset sudo timeout
You can make sure sudo asks for password next time by running:
sudo -k

The default sudo timeout length can be changed by following this article: RootSudoTimeout.

Other Resources
- fixing sudo
- graphical sudo
- Ubuntu Forums policy on enabling the Root account
- sudo man page
- sudoers file man page

RootSudo (last edited 2011-04-07 18:03:11 by https://login.launchpad.net/+id/y7xtYzD@proxy1.library.nuigalway.ie[140.203.12.240]: Carn Draug)
