Using the Root Account on Debian
by Edd Dumbill
There is one user account on your Debian system that has the power to change anything: the root account. By power, I mean absolute power. The root user account can read, replace, or remove any file. It can read or write to any attached device. It can read or write to any part of the computer's memory. If there's even a mere suspicion that a piece of software is buggy or poses a security risk, there's no way you should run it as root.
Because of the power of the root account, sensible system administrators take a good deal of care when using it. The best rule of thumb is to do only the bare minimum of operations as root. Different users take different views on how to minimize root usage. Increasingly, Unix-like operating systems take the approach of going as far as to disable the root account and to use privilege-gaining tools such as sudo to give normal users the ability to run programs as the root user when required.
This article introduces using sudo to restrict superuser privileges. It is a good idea for you to get used to sudo now, as the rest of this series will use it wherever you need root access to perform a task.
Running Commands As root
There are several ways to access the root account. The first is simply to log in to the machine's console as the root user. In normal operation, this is a bad idea, as it tends to encourage excessive use of the root account. However, when in single user mode for repair tasks, it's perfectly acceptable.
In normal operation, a user logs in to the system under his or her own account and wants to become root in order to run privileged commands. The su program lets you do this. The following example shows what happens when you use su to become root.
Switching to the root account
user@host:~$ su -
Password: enter root's password here
host:~#
You can use
The example shows the normal Debian command-line prompts in full, to show how they change when root successfully logs in. To save space in the future, I will normally use only the $ prompt to denote the use of a normal user account and # to denote a root login.
The hyphen argument (-) to su instructs it to behave as if root had logged in on the console, so that it executes whatever shell customizations are set up. The root user has the home directory /root by default, and using su - will place you in that directory. Terminate the root session by exiting the shell with Ctrl-D or
su to start a root shell session is almost as tempting for bad habits as a console login, however. Although you can give the --command option to su to execute a single command, rather than an entire shell, retyping root's password each time becomes tiresome. Furthermore, using su means that you have to share the root password with anyone else who wants to run a program as root. Additionally, you can't restrict what those users can do as root. It may well be that you want them to run only one or two commands that require root privileges, not have dominion over your entire system.
The sudo program provides a solution to these problems and allows a more flexible and controllable approach to regulating root privileges. Install it by becoming root conventionally with su and using the aptitude package manager to install the software. An upcoming column in this series will explain fully how to install the software.
$ su -
# aptitude install sudo
sudo, you must give your normal user account full privileges. To do this, run the visudo command as root. This will start up a text editor showing sudo's configuration file. Find the line reading root ALL=(ALL) ALL and copy it, substituting your username for root. Write out the file and quit the text editor.
The cautionary notice is shown only the first time you run
Now, quit the root login and log in to your regular user account. To test your new privileges, run whoami both with and without
$ whoami
username
$ sudo whoami
We trust you have received the usual lecture from the local system administrator. It usually boils down to these two things:
1. Respect the privacy of others.
2. Think before you type.
Password: here, enter your own password
root
From now on, you can prefix all commands that you need to run as root with sudo and just use your own password. If you use sudo again within 15 minutes, you won't need to reenter the password. If you add your user to the sudo group, you need never enter your password to use sudo. Assign this privilege with extreme care!
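A copy of the root ALL=(ALL) ALL line and password-free membership of the sudo group both hand out unrestricted root, so it is worth being able to list who holds them. The shell function below is an added example, not part of the original article: it reports such entries in a sudoers-format file. The sample entries, the account names edd and backup, and the function names are constructed for illustration, and the check assumes one entry per line with no aliases or continuation lines.

```shell
#!/bin/sh
# Added example: list sudoers entries that hand out more than a few commands.

# Constructed sample in sudoers syntax (not a real system's file).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults        env_reset
root    ALL=(ALL) ALL
edd     ALL=(ALL) ALL
backup  ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude upgrade
%sudo   ALL=NOPASSWD: ALL
EOF
}

# audit_sudoers [FILE]  (reads stdin when FILE is omitted)
# Prints "<finding> <who> (line N)" for each entry other than root:
#   FULL      command list contains ALL, the same power as the root line
#   NOPASSWD  commands run without a password prompt
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/             { next }  # comments, blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/  { next }  # settings and aliases
        !/=/ || $1 == "root"                 { next }  # not a delegated entry
        {
            who = $1; spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            nopass = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z]+:[ \t]*/, "", spec)      # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)             # drop trailing whitespace
            full = 0
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") full = 1
            if (full)   printf "FULL %s (line %d)\n", who, NR
            if (nopass) printf "NOPASSWD %s (line %d)\n", who, NR
        }
    ' "${1:--}"
}

# Demonstration on the constructed sample.
sample_sudoers | audit_sudoers
```

The backup entry, limited to two aptitude commands, produces no finding; that is the restricted form of delegation that su cannot express.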