
Rootsudo: Background Information

Sudo allows authorized users to run programs with root privileges without knowing the root password. It logs commands for auditing and expires passwords after 15 minutes by default. Key advantages are avoiding the need to share the root password and allowing fine-grained control over who can run what. Users can be added to the sudo group to gain these privileges. The root account is disabled by default but can be enabled by setting its password if truly needed.

Uploaded by

manoj14feb
Copyright
© Attribution Non-Commercial (BY-NC)

RootSudo - Community Ubuntu Documentation

https://help.ubuntu.com/community/RootSudo

RootSudo

Note: For help with configuring sudo privileges via its configuration file /etc/sudoers, please see Sudoers.

Contents
1. Background Information
2. Advantages and Disadvantages
   1. Benefits of using sudo
   2. Downsides of using sudo
3. Usage
   1. sudo
   2. Graphical sudo
   3. Drag & Drop sudo
4. Users
   1. Allowing other users to run sudo
   2. Logging in as another user
   3. root account
      1. Enabling the root account
      2. Re-disabling your root account
5. Other Information
   1. Misconceptions
   2. Special notes on sudo and shells
6. Remove Password Prompt For sudo
7. Reset sudo timeout
8. Other Resources

Background Information
In Linux (and Unix in general), there is a SuperUser named Root. The Windows equivalent of Root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily Root, but most of the time it is a regular user.

By default, the Root account password is locked in Ubuntu. This means that you cannot log in as Root directly or use the su command to become the Root user. However, since the Root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in - it allows authorized users (normally "Administrative" users; for further information please refer to AddUsersHowto) to run certain programs as Root without having to know the root password.

This means that in the terminal you should use sudo for commands that require root privileges; simply prepend sudo to all the commands you would normally run as Root. For more extensive usage examples, please see below. Similarly, when you run GUI programs that require root privileges (e.g. the network configuration applet), use graphical sudo and you will also be prompted for a password (more below). Just remember, when sudo asks for a password, it needs YOUR USER password, and not the Root account password.

Advantages and Disadvantages
Benefits of using sudo
Some benefits of leaving Root logins disabled by default include the following:

- The Ubuntu installer has fewer questions to ask.
- Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).
- It avoids the "I can do anything" interactive login by default (e.g. the tendency by users to login as an "Administrator" user in Microsoft Windows systems), you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
- sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
- Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
- Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the Root account.
- sudo can be set up with a much more fine-grained security policy.
- The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
- The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.
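The audit trail in /var/log/auth.log mentioned in the list above can be reviewed with a short script. This is an added example, not part of the original wiki page; the function names sudo_events and sudo_failures, the host name and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample lines in the format sudo writes to /var/log/auth.log
# (host name, users and commands are made up for this example).
SAMPLE_LOG='Apr 14 16:20:01 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr 14 16:21:10 box sshd[812]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Apr 14 16:22:37 box sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Apr 14 16:23:05 box sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls /root
Apr 14 16:24:44 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=amanda ; COMMAND=/bin/bash'

# sudo_events: syslog lines on stdin -> "STATUS|invoking user|run-as user|command"
sudo_events() {
    awk '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && / ; COMMAND=/ {
        line = $0
        sub(/^.* sudo(\[[0-9]+\])?: +/, "", line)   # drop timestamp, host, tag
        user = line; sub(/ :.*/, "", user)
        u = index(line, " ; USER="); c = index(line, " ; COMMAND=")
        head = substr(line, 1, c - 1)               # everything before the command
        runas = substr(head, u + 8)
        sub(/ ;.*/, "", runas)                      # ignore any fields after USER=
        cmd = substr(line, c + 11)                  # keep the arguments intact
        status = "OK"
        if (head ~ /NOT in sudoers/) status = "DENIED"
        else if (head ~ /incorrect password attempt/) status = "AUTHFAIL"
        print status "|" user "|" runas "|" cmd
    }'
}

# sudo_failures: only the entries where sudo refused to run the command
sudo_failures() { sudo_events | grep -v "^OK|"; }

printf '%s\n' "$SAMPLE_LOG" | sudo_events
```

On a real system the same functions can be fed with `sudo cat /var/log/auth.log | sudo_failures`, since the log is normally not readable by regular users.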

Downsides of using sudo

04/14/2011 04:25 PM

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

- Redirecting the output of commands run with sudo requires a different approach. For instance, sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
- In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or fix it, in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password is needed here. The local user account should have its $HOME on a local disk, _not_ on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.
- Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.

Usage
- When using sudo, your password is stored by default for 15 minutes. After that time, you will need to enter your password again.
- Your password will not be shown on the screen as you type it, not even as a row of stars (******). It is being entered with each keystroke!

sudo
To use sudo on the command line, preface the command with sudo, as below:

Example #1
    sudo chown bob:bob /home/bob/*

Example #2
    sudo /etc/init.d/networking restart

To repeat the last command entered, except with sudo prepended to it, run:
    sudo !!

Graphical sudo
You should never use normal sudo to start graphical applications as Root. You should use gksudo (kdesudo on Kubuntu) to run such programs. gksudo sets HOME=~root, and copies .Xauthority to a tmp directory. This prevents files in your home directory becoming owned by Root. (AFAICT, this is all that's special about the environment of the started process with gksudo vs. sudo).

Examples:
    gksudo gedit /etc/fstab

or
    kdesudo kate /etc/X11/xorg.conf

To run the graphical configuration utilities, simply launch the application via the Administration menu.

gksudo and kdesudo simply link to the commands gksu and kdesu.

Drag & Drop sudo
This is a trick from this thread on the Ubuntu Forums.

Create a launcher with the following command:
    gksudo "gnome-open %u"

When you drag and drop any file on this launcher (it's useful to put it on the desktop or on a panel), it will be opened as Root with its own associated application. This is helpful especially when you're editing config files owned by Root, since they will be opened as read only by default with gedit, etc.

Users
Allowing other users to run sudo
To add a new user to sudo, open the Users and Groups tool from System->Administration menu. Then click on the user and then on properties. Choose the User Privileges tab. In the tab, find Administer the system and check that.

In Hardy Heron and newer, you must first Unlock, then you can select a user from the list and hit Properties. Choose the User Privileges tab and check Administer the system.

In the terminal this would be: sudo adduser <username> admin, where you replace <username> with the name of the user (without the <>).

Logging in as another user
Please don't use this to become Root, see further down in the page for more information about that.
    sudo -i -u <username>

For example to become the user amanda for tape management purposes.
    sudo -i -u amanda

The password being asked for is your own, not amanda's.

root account
Enabling the root account
Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...
    sudo -i

To enable the Root account (i.e. set a password) use:
    sudo passwd root

Use at your own risk! Logging in to X as root may cause very serious trouble. If you believe you need a root account to perform a certain action, please consult the official support channels first, to make sure there is not a better alternative.

Re-disabling your root account
If for some reason you have enabled your root account and wish to disable it again, use the following command in terminal...

    sudo usermod -L root    # -L locks the root password again

Other Information
Misconceptions
- Isn't sudo less secure than su?
  The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses su or sudo must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and so must be protected with the same care as Root.
  On a more esoteric level, sudo provides some features which encourage different work habits, which can positively impact the security of the system. sudo is commonly used to execute only a single command, while su is generally used to open a shell and execute multiple commands. The sudo approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.
- I won't be able to enter single-user mode!
  The sulogin program in Ubuntu is patched to handle the default case of a locked root password.
- I can get a root shell from the console without entering a password!
  You have to enter your password.
  Console users have access to the boot loader, and can gain administrative privileges in various ways during the boot process. For example, by specifying an alternate init(8) program. Linux systems are not typically configured to be secure at the console, and additional steps (for example, setting a root password, a boot loader password and a BIOS password) are necessary in order to make them so. Note that console users usually have physical access to the machine and so can manipulate it in other ways as well.

Special notes on sudo and shells
None of the methods below are suggested or supported by the designers of Ubuntu.

Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

To start a root shell (i.e. a command window where you can run Root commands), starting Root's environment and login scripts, use:
    sudo -i    (similar to sudo su -, gives you root's environment configuration)

To start a root shell, but keep the current shell's environment, use:
    sudo -s    (similar to sudo su)

For a brief overview of some of the differences between su, su -, and sudo -{i,s} see: Ubuntu Forums Post with nice table. For a detailed description of the differences see man su and man sudo.

Remove Password Prompt For sudo
If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete Root access, and remote exploits become much easier for malicious crackers.

This method is NOT suggested nor supported by the designers of Ubuntu.

Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as Root.

These instructions are to remove the prompt for a password when using the sudo command. The sudo command will still need to be used for Root access though.

Edit the sudoers file
Open a Terminal window. Type in sudo visudo. Add the following line to the END of the file (if not at the end it can be nullified by later entries):
    <username> ALL=NOPASSWD: ALL

Replace <username> with your user name (without the <>). This is assuming that Ubuntu has created a group with the same name as your user name, which is typical. You can alternately use the group users or any other such group you are in. Just make sure you are in that group. This can be checked by going to System->Administration->Users and Groups.

Example:
    michael ALL=NOPASSWD: ALL

Type in ^x to exit. This should prompt for an option to save the file, type in Y to save.

Log out, log back in. This should now allow you to run the sudo command without being prompted for a password.
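Because a rule like the one above removes the password check entirely, it is worth being able to find such rules when reviewing a machine. The script below is an added example, not part of the original wiki page: the function name nopasswd_audit and every sample entry except the michael line are constructed, and it assumes one host specification per rule, without expanding aliases or following #include directives.

```sh
#!/bin/sh
# Constructed sample policy for this example; not a real system file.
# Only the "michael" rule is taken from the page above.
SAMPLE_SUDOERS='# sample only
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
michael ALL=NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
ops     ALL=(ALL) NOPASSWD: /usr/sbin/service ssh status, PASSWD: ALL
deploy  ALL=(ALL) \
        NOPASSWD: ALL'

# nopasswd_audit: sudoers text on stdin -> "VERDICT|who|rule" for NOPASSWD rules
nopasswd_audit() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                    # comments, directives, blanks
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index(line, "=")
        if (eq == 0) next
        who = line; sub(/^[ \t]+/, "", who); sub(/[ \t].*/, "", who)
        spec = substr(line, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", spec)             # drop the (runas) list
        n = split(spec, item, ",")
        nopass = 0; verdict = ""
        for (i = 1; i <= n; i++) {
            c = item[i]
            while (match(c, /^[ \t]*[A-Z_]+:[ \t]*/)) {   # tags carry over to later commands
                tag = substr(c, 1, RLENGTH); gsub(/[ \t:]/, "", tag)
                if (tag == "NOPASSWD") nopass = 1
                if (tag == "PASSWD") nopass = 0
                c = substr(c, RLENGTH + 1)
            }
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (nopass && c == "ALL") verdict = "UNRESTRICTED"
            else if (nopass && verdict == "") verdict = "LIMITED"
        }
        if (verdict != "") print verdict "|" who "|" line
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_audit
```

To check a live system, pipe the policy in with `sudo cat /etc/sudoers | nopasswd_audit`; any UNRESTRICTED line is equivalent to the setting this section warns about.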

Reset sudo timeout
You can make sure sudo asks for password next time by running:
    sudo -k

The default sudo timeout length can be changed by following this article: RootSudoTimeout.

Other Resources
- fixing sudo
- graphical sudo
- Ubuntu Forums policy on enabling the Root account
- sudo man page
- sudoers file man page

RootSudo (last edited 2011-04-07 18:03:11 by https://login.launchpad.net/+id/[email protected] [140.203.12.240]: Carn Draug)
