The Newbie Guide to the 'root' account

Introduction

One of the most common concepts about Linux that the helpers in #mandrake (irc.freenode.net), and probably many more IRC channels, tell new Linux users about is the 'root' user account and what it is - and isn't - used for.

Unlike the earlier versions of Windows (3.0 through to Millennium Edition), and the default behaviour of Windows 2000/XP, a normal user account on Linux does not have complete control over the system. This means that a regular user cannot change system-wide settings (like IP addresses or what driver to load for a sound card) or install new programs using the RPM tools (rpm, urpmi and RPMDrake).

Things are different in Linux. Regular users can only affect files that are under their direct control - usually only those in their 'home' directory (/home/fred is usually fred's home directory, for example). If you need to change system settings, or install a new version of Mozilla, you will need to have root's privileges.


Part 1: Becoming root

When you first installed Linux, you were almost certainly asked to give a password for the root account. You probably had to create at least one normal user account, which I hope you are using right now! On Mandrake at least, you probably can't even log in as root through the X Windows login screen. There is a very good reason for this - you stand a higher chance of trashing the box if you run things as root.

So, you've logged in as your regular user and you are quite happy playing Frozen Bubble but you've discovered that there's a newer version out that you'd really like to try. You managed to find it pre-built as a Mandrake rpm, but for some reason every time you try and install it, you get errors!

[mwatts@quasar mwatts]$ urpmi frozen-bubble-1.0.0-6mdk.i586
bash: urpmi: command not found

You might be thinking now that Linux sucks because you have to work out how to log in as root. You vaguely remember seeing someone mention using "Ctrl-Alt-F1" to get to a text login, but you're not sure, and you'd rather stay in KDE.

The other technique people keep shouting at you is the 'su' command. This stands for 'Switch User' and allows you to have a shell (command) prompt as anyone else on the system. By default, unless you specify a user account to switch to, su will assume you want to switch to 'root'. su on its own will just change you to root, but won't give you a full root login shell (so you might not get root's environment set up properly). You have to use the '-' switch to su for that.

First, you need to open a shell window (also called a 'command prompt' or 'console'). KDE has the 'Konsole' application, usually found on the K menu somewhere. Alternatively, use the Alt-F2 dialog to type 'konsole'.

[mwatts@quasar mwatts]$ su -
Password:
[root@quasar root]#

Notice how the prompt has changed? The '#' character means you have a root prompt. Sometimes people will give you a command to run, and only the inclusion of the '#' would give away that they want you to run it as root.

[root@quasar root]# urpmi frozen-bubble-1.0.0-6mdk.i586

	ftp://ftp.mirror.ac.uk/sites/sunsite.uio.no/pub/unix/Linux/Mandrake/Mandrake/9.2/i586/
	Mandrake/RPMS/frozen-bubble-1.0.0-6mdk.i586.rpm
installing /var/cache/urpmi/rpms/frozen-bubble-1.0.0-6mdk.i586.rpm
Preparing...                ##################################################
   1:frozen-bubble          ##################################################
[root@quasar root]#

Success!

Part 2: Advanced root access - sudo

Sudo is one of the most powerful programs in Unix/Linux, but also the most under-used and overlooked. Sudo allows you, when set up correctly, to run programs with root privileges but without having to type in the root password.

This might sound like the most stupid thing you can ever want to do with a Unix/Linux box, but bear with me - under certain circumstances it can actually be the most secure way of doing things that need root access.

Basic sudo use

Sudo is configured from a single config file - /etc/sudoers. In this, you will (at least on Mandrake Linux) find an existing entry for root, as well as a few examples.

root    ALL=(ALL) ALL

This looks a little complicated at first but it breaks down like this:

<local user>    <host>=(effective user id) <command(s)>

The 'host' section is beyond the scope of this document, but I shall briefly cover the other parts here. As always, the man page for the sudoers file (man sudoers) gives more detail and examples than I shall present here.

If you wanted to let the user 'billy' have root access to do some general admin tasks on the box whilst you are away on vacation, you would configure /etc/sudoers like so:

billy    ALL=(ALL) ALL

This lets billy run any command on the system as long as he prefixes it with the word 'sudo'. He will have to enter his own password instead of root's, so this is a good way of giving someone temporary root access without giving the root password.

[billy@localhost billy]$ sudo vi /etc/fstab

Limiting command use with sudo

Now we shall start doing some more useful things with sudo - allowing specific users to run specific commands with root privileges.

Note: If you allow users to run programs that they can break out of into a shell, you are effectively giving them full root access! This includes things like vi and certain badly coded shell scripts.

If you wanted to allow billy to only be able to restart Apache and Postfix, you'd set up /etc/sudoers like this:

billy    ALL=(root) /etc/init.d/httpd restart, /etc/init.d/postfix restart

If you wanted billy to be able to run a script which needs to be run as another user (admin), do this:

billy    ALL=(admin) /path/to/script
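
To see how the rules above compare, here is a small audit script, added as an example and not part of the original guide, that reads sudoers-style lines in the layout shown earlier and reports the grants that deserve a second look. The list of shell-capable programs, the /bin/vi path and the entry for fred are assumptions made for the illustration.

```python
import re

# Programs assumed to offer a shell escape (non-exhaustive; the guide names vi).
SHELL_ESCAPES = {"vi", "vim", "less", "more", "man", "find", "awk", "sh", "bash"}
# <local user> <host>=(effective user id) <command(s)>, the layout the guide gives.
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def audit(sudoers_text):
    """Return (user, run_as, command, reason) for every grant worth reviewing."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        first = line.split(None, 1)[0] if line else ""
        if not line or line[0] == "#" or first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m or m.group(1) == "root":  # root's own entry is expected
            continue
        user, run_as = m.group(1), m.group(3) or "root"
        for part in m.group(4).split(","):
            words = re.sub(r"^(?:[A-Z_]+:\s*)+", "", part.strip()).split()  # drop tags such as NOPASSWD:
            if not words:
                continue
            prog, cmd = words[0], " ".join(words)
            if prog == "ALL":
                reason = "any command: full access as the target user"
            elif prog.rsplit("/", 1)[-1] in SHELL_ESCAPES:
                reason = "program can break out to a shell"
            elif not prog.startswith("/"):
                reason = "command is not an absolute path"
            elif len(words) == 1:
                reason = "no arguments pinned, so any arguments are accepted"
            else:
                continue
            findings.append((user, run_as, cmd, reason))
    return findings

# Constructed sample: the guide's own rules plus one hypothetical entry for fred.
SAMPLE = """\
root    ALL=(ALL) ALL
billy   ALL=(ALL) ALL
billy   ALL=(root) /etc/init.d/httpd restart, /etc/init.d/postfix restart
billy   ALL=(admin) /path/to/script
fred    ALL=(root) /bin/vi /etc/fstab
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-6s as %-5s %-22s -> %s" % finding)
```

Only the two init script rules pass without comment, because both the program path and its argument are fixed. When changing the real /etc/sudoers, edit it with visudo, which checks the syntax before saving.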

The End!

If you read the sudo man page, you will quickly find that I have only begun to scratch the surface of sudo and what it can do.

One of the things I like to use it for is to allow certain user accounts to run very specific commands in order to update websites. Coupled with passphraseless SSH keys, this provides a very secure way of automating admin tasks.



This work is licensed under a Creative Commons License.