Superuser Root System Administrator and Superuser in Linux

Much of what a system administrator does is work that ordinary users do not have permission to do. When performing one of these tasks, the system administrator logs in as root (or uses another method; see the list starting on page 392) to have systemwide powers that are beyond those of ordinary users: A user with root privileges is referred to as Superuser. The username is root by default. Superuser has the following powers and more: createssh

Some commands, such as those that add new users, partition hard drives, and change system configuration, can be executed only by root. Superuser can use certain tools, such as sudo, to give specific users permission to perform tasks that are normally reserved for Superuser. vibrantbiz

Read, write, and execute file access and directory access permissions do not affect root: Superuser can read from, write to, and execute all files, as well as examine and work in all directories. recommendit

Some restrictions and safeguards that are built into some commands do not apply to root. For example, root can change any user’s password without knowing the old password.

When you are running with root (Superuser) privileges, the shell by convention displays a special prompt to remind you of your status. By default this prompt is or ends with a pound sign (#). frontrunnerz

To lessen the chance that a user other than Superuser will try to use them by mistake, many of the utilities that Superuser runs are kept in the /sbin and /usr/sbin directories, rather than in /bin and /usr/bin. (Many of these utilities can be run by ordinary users.) You can execute these utilities by giving their full pathnames on the command line (for example, /sbin/runlevel). When you log in as root, these directories are in your PATH (page 292) by default.

Caution: Least privilege

When you are working on the computer, especially when you are working as the system administrator, perform any task by using the least privilege possible. When you can perform a task logged in as an ordinary user, do so. When you must be logged in as Superuser, do as much as you can as an ordinary user, log in or use su so that you have root privileges, complete the part of the task that has to be done as Superuser, and revert to being an ordinary user as soon as you can. Because you are more likely to make a mistake when you are rushing, this concept becomes more important when you have less time to apply it. getalink

You can gain or grant Superuser privileges in a number of ways:

When you bring the system up in single-user mode (page 409), you are Superuser.

Once the system is up and running in multiuser mode (page 410), you can log in as root. When you supply the proper password, you will be Superuser.

You can give an su (substitute user) command while you are logged in as yourself and, with the proper password, you will have Superuser privileges. For more information refer to “su: Gives You Another User’s Privileges” on page 393.

You can use sudo selectively to give users Superuser privileges for a limited amount of time on a per-user and per-command basis. The sudo utility is controlled by the /etc/sudoers file, which must be set up by root. Refer to the sudo man page for more information.

Any user can create a setuid (set user ID) file (page 183). Setuid programs run on behalf of the owner of the file and have all the access privileges that the owner has. While you are running as Superuser, you can change the permissions of a file owned by root to setuid. When an ordinary user executes a file that is owned by root and has setuid permissions, the program has full root privileges. In other words, the program can do anything that root can do and that the program does or allows the user to do. The user’s privileges do not change. When the program finishes running, all user privileges revert to the way they were before the program started. Setuid programs that are owned by root are both extremely powerful and extremely dangerous to system security, which is why a system contains very few of them. Examples of setuid programs that are owned by root include passwd, at, and crontab. The following example shows two ways for Superuser to give a program setuid privileges:

# ls -l my*
rwxrxrx 1 root other 24152 Apr 29 16:30 myprog
rwxrxrx 1 root other 24152 Apr 29 16:31 myprog2
# chmod 4755 myprog
# chmod u+s myprog2
# ls -l my*
rwsrxrx 1 root other 24152 Apr 29 16:30 myprog
rwsrxrx 1 root other 24152 Apr 29 16:31 myprog2
The s in the owner execute position of the ls l output (page 181) indicates that the file has setuid permission.

Security: root-owned setuid programs are extremely dangerous

Because a root-owned setuid program allows someone who does not know the root password to have the powers of Superuser, it is a tempting target for a malicious user. A system should have as few of these programs as necessary. You can disable setuid programs at the filesystem level by mounting a filesystem with the nosuid option (page 467). You can also use SELinux (page 400) to disable setuid programs. See page 399 for a command that lists setuid files on the local system.

For more info please visit sites:-



Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *