March 14, 2019 PLEASE NOTE: This wiki article is being significantly rewritten as it contains a good deal of old, dated and possibly questionable material. Using caution and consulting with others on the Ubuntu Forums or Ask Ubuntu is highly recommended!

Note: For help with configuring sudo privileges via its configuration file /etc/sudoers, please see Sudoers.

Background Information

In Linux (and Unix in general), there is a SuperUser named root. The Windows equivalent of root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily root, but most of the time it is a regular user.

By default, the root account password is locked in Ubuntu. This means that you cannot log in as root directly or use the su command to become the root user. However, since the root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in: it allows authorized users (normally "Administrative" users; for further information please refer to AddUsersHowto) to run certain programs as root without having to know the root password.

This means that in the terminal you should use sudo for commands that require root privileges; simply prepend sudo to all the commands you need to run as root. For more extensive usage examples, please see below. Similarly, when you run GUI programs that require root privileges (e.g. the network configuration applet), use graphical sudo and you will also be prompted for a password (more below). Just remember, when sudo asks for a password, it needs YOUR USER password, and not the root account password.

Please keep in mind, a substantial number of Ubuntu users are new to Linux. There is a learning curve associated with any OS and many new users try to take shortcuts by enabling the root account, logging in as root, and changing ownership of system files.

Example: Broken system via (ab)use of root by a new user

Please note: At the time of the post, this was the user's first post on the Ubuntu forums. While some might call this a "learning experience", learning by breaking your system is frustrating and can result in data loss.

When giving advice on the Ubuntu Forums and IRC, please take the time to teach "the basics" such as ownership, permissions, and how to use sudo / gksu / kdesudo in such a way that new users do not break systems.

Advantages and Disadvantages

Benefits of using sudo

There are a number of benefits to Ubuntu leaving root logins disabled by default, including:

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

Usage

sudo

To use sudo on the command line, preface the command with sudo, as below:

Example #1

sudo chown bob:bob /home/bob/*

Example #2

sudo /etc/init.d/networking restart

To repeat the last command entered, except with sudo prepended to it, run:

sudo !!

Graphical sudo

You should never use normal sudo to start graphical applications as root. Using sudo with graphical apps has the potential to corrupt your environment by allowing root to take ownership of and/or change permissions on critical files that you must own. The forums frequently see panicked requests for help from users who can no longer log in after running graphical applications under sudo.

Please note that many websites and old threads advise the use of gksu. However, such search results are obsolete. gksudo has not been updated for years and is not even available in Bionic (18.04) and higher. gksu has been replaced by pkexec, but even pkexec is being deprecated by the mainline Ubuntu developers. They have taken the position that file manipulation and editing under root should be restricted to the command line.

We can only surmise what the motives were behind this decision: perhaps there are just too many users who run into problems running graphical apps as root. In any case, running graphical apps as root now requires workarounds and additional steps.

Flavour-specific workarounds

There are a number of flavour-specific options for running graphical applications as root:

General workarounds

The following methods will work on all flavours:

Users

Allowing other users to run sudo

To add a new user to sudo, open the Settings window, then Details → Users menu. First click Unlock, then you can select a user and hit Administrator.

In the terminal (for Precise Pangolin, 12.04), this would be:

sudo adduser <username> sudo

where you replace <username> with the name of the user (without the <>).

In previous versions of Ubuntu

sudo adduser <username> admin

would have been appropriate, but the admin group has been deprecated and no longer exists in Ubuntu 12.04.

Logging in as another user

Please don't use this to become root, see further down in the page for more information about that.

sudo -i -u <username>

For example, to become the user amanda for tape management purposes:

sudo -i -u amanda

The password being asked for is your own, not amanda's.

root account

Enabling the root account

Enabling the root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent root login, the best alternative is to simulate a root login shell using the following command...

sudo -i

To enable the root account (i.e. set a password) use:

sudo passwd root

Use at your own risk!

Logging in to X as root may cause very serious trouble. If you believe you need a root account to perform a certain action, please consult the official support channels first, to make sure there is not a better alternative.

Re-disabling your root account

If for some reason you have enabled your root account and wish to disable it again, use the following command in terminal...

sudo passwd -dl root

Other Information

Misconceptions

Special notes on sudo and shells

None of the methods below are suggested or supported by the designers of Ubuntu.

Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as root.

To start a root shell (i.e. a command window where you can run root commands), starting root's environment and login scripts, use:

sudo -i     (similar to sudo su -, gives you root's environment configuration)

To start a root shell, but keep the current shell's environment, use:

sudo -s     (similar to sudo su)

For a brief overview of some of the differences between su, su -, and sudo -{i,s}, see: Ubuntu Forums Post with nice table.

Summary of the differences found -

                                                     corrupted by user's 
                HOME=/root      uses root's PATH     env vars
sudo -i         Y               Y[2]                 N
sudo -s         N               Y[2]                 Y
sudo bash       N               Y[2]                 Y
sudo su         Y               N[1]                 Y

[1] PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
    probably set by /etc/environment
[2] PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

For a detailed description of the differences see man su and man sudo.

Remove Password Prompt For sudo

If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete root access, and remote exploits become much easier for malicious crackers.

These instructions are to remove the prompt for a password when using the sudo command. The sudo command will still need to be used for root access though.

Edit the sudoers file

Open a Terminal window. Type in sudo visudo. Add the following line to the END of the file (if not at the end it can be nullified by later entries):

<username> ALL=NOPASSWD: ALL

Replace <username> with your user name (without the <>). This is assuming that Ubuntu has created a group with the same name as your user name, which is typical. You can alternatively use the group users or any other such group you are in. Just make sure you are in that group. This can be checked by going to System->Administration->Users and Groups.

Example:

michael ALL=NOPASSWD: ALL

Type in ^x to exit. This should prompt for an option to save the file, type in Y to save.

Log out, and then log back in. This should now allow you to run the sudo command without being prompted for a password.

Or, to do this for the system-wide group sudo:

root$ echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Log out, and then back in.
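
The ordering caveat above (an entry that is not at the end can be nullified by later entries) can be audited before relying on a sudoers edit. The script below is an added example, not part of the original wiki page; it models only plain user and %group lines with last-match-wins, and the function names, group list and sample files are constructed for illustration.

```sh
# Added example (not from the wiki page). Simplified model of sudoers
# "last match wins": only plain "who host=[(runas)] [TAG:] cmds" lines count.

# effective_rule USER GROUPS_CSV FILE -> NOPASSWD:<line> | PASSWD:<line> | NOMATCH:0
effective_rule() {
    awk -v user="$1" -v groups="$2" '
    BEGIN {
        n = split(groups, g, ",")
        for (i = 1; i <= n; i++) ingroup[g[i]] = 1
        result = "NOMATCH"; where = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, #include, blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $1 ~ /^@/ { next }
    {
        hit = ($1 == "ALL" || $1 == user)
        if (substr($1, 1, 1) == "%" && (substr($1, 2) in ingroup)) hit = 1
        if (!hit) next
        spec = $0
        sub(/^[^=]*=/, "", spec)                   # keep what follows host=
        result = (spec ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD" : "PASSWD"
        where = NR                                 # a later match overwrites an earlier one
    }
    END { print result ":" where }
    ' "$3"
}

# Constructed sample files: the same entries in two different orders.
write_samples() {
    cat > "$1/early" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
michael ALL=NOPASSWD: ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF
    cat > "$1/late" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
michael ALL=NOPASSWD: ALL
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "early: $(effective_rule michael sudo,michael "$tmp/early")"
echo "late:  $(effective_rule michael sudo,michael "$tmp/late")"
rm -rf "$tmp"
```

For a user who is also in the sudo group, the "early" file still ends on the %sudo line, so the password prompt remains; the same check run over a copy of a real sudoers file shows which accounts are effectively passwordless.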

Reset sudo timeout

You can make sure sudo asks for a password next time by running:

sudo -k

The default sudo timeout length can be changed by following this article: RootSudoTimeout.

Other Resources


RootSudo (last edited 2019-03-15 02:33:38 by qiii)