Welcome to the Cisco Academy for Vision Impaired Linux Wiki.
SuperUser

The rich multi-user Unix heritage of Linux is most clearly demonstrated by this concept, which is similar to Windows. In Windows you have an administrator account, but other users in Windows can also have administrator privileges. In Linux, the administrator is the super user. On many distributions, including Debian, this superuser's account is called root. Traditionally, the root account was literally in the system's root (slash) directory, but now it's typically in a directory under home along with other users. In Debian and Ubuntu it is in the /root directory.

Ubuntu does not have a root account by default, but instead lets any permitted user obtain superuser privileges via the sudo facility. This practice is considered more secure, and in fact can be implemented under any distribution if the administrator desires to make it so. Su stands for SuperUser and Do means do as in doing and done. With the sudo command (sudo is all one word) a user can have administrator privileges for some but not all commands. By default, Ubuntu gives anyone who is a sudoer access to all commands, but of course that can be changed.

Another good default in Ubuntu is that only the first user created gets access to sudo. After that, if the sysadmin wishes others to also have sudo rights, he needs to add the chosen users to the sudoers group and perhaps, if he wishes to limit their access, edit the sudoers file to restrict what they can do on his system. For example, he could set it up so that one group of users can edit system configuration files but not change other users' permissions. He can give another group access to backup commands, and let them run system utilities but not permit them to add users or change files.

To make yourself superuser, type

To issue one command as Super User, type

When you issue a command by preceding it with sudo, you are prompted for your password.
The system checks that you have the necessary access rights to in fact issue that system-level command.

There is also a su command, which lets you become another user. If you type

If you simply type

On Ubuntu if you do not wish to prepend sudo to every command, you can type

Staying superuser is potentially dangerous, and for ordinary day-to-day work, it is recommended that people don't use sudo. However, if you administer a system, installing packages, updating configuration files and setting up hardware, you will need to be superuser to get most of this accomplished.

Currently on Ubuntu, potential superusers need to belong to the admin group and be placed in the sudoers file. A command called visudo is used to edit the sudoers file. On BSD systems, users need to belong to a group called Wheel. Other distributions of Linux and Unix-like operating systems have different rules and procedures for implementing the sudo facility.

It is worth repeating that users are often confused by systems like Ubuntu that have no root account. Ubuntu sysadmins can elevate anyone's privileges to root level, so there's no problem with it lacking a root user. A cracker cannot keep attempting to log in to root, supplying passwords in the vain hope that one might work, because no root account exists. But even though there is no root account, the concept of root is ubiquitous. Super user's files are owned by root.

The sudo facility also gives far more fine-grained control over superuser access, because different superuser permissions can be granted to different users. For example, John can be permitted to install packages, and Jim can reconfigure network access. On the simple setups we are using in class, we're not being asked to change this: if we use sudo we automatically have permission to do everything on the system.
With sudo, all system-level commands are logged, so later on an administrator can see exactly which account mounted the CD-ROM, or installed a particular package, updated the system or edited a configuration file.
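To show what that log review looks like in practice, here is an added example (not part of the original wiki page) that reads sudo's syslog entries and reports which account ran which command and which attempts sudo refused. It assumes the standard line format sudo writes through syslog; the host lab1, the user mary and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sudo writes through syslog
# (/var/log/auth.log on Debian and Ubuntu). Not real log data.
SAMPLE_LOG = """\
Mar  3 10:15:02 lab1 sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/apt-get install lynx
Mar  3 10:17:40 lab1 sudo:      jim : TTY=pts/1 ; PWD=/home/jim ; USER=root ; COMMAND=/sbin/ifconfig eth0 down
Mar  3 10:21:09 lab1 sudo:      jim : command not allowed ; TTY=pts/1 ; PWD=/home/jim ; USER=root ; COMMAND=/usr/sbin/useradd guest
Mar  3 10:30:55 lab1 sudo:     mary : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mary ; USER=root ; COMMAND=/bin/mount /dev/cdrom /mnt
Mar  3 10:31:00 lab1 sudo: pam_unix(sudo:session): session opened for user root by john(uid=0)
Mar  3 10:42:13 lab1 sudo:     john : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/sbin/visudo
"""

LINE_RE = re.compile(r"\bsudo:\s+(?P<user>\S+) : (?P<body>.*)$")

def parse_line(line):
    """Return one sudo event as a dict, or None for any other log line."""
    m = LINE_RE.search(line)
    if not m or "COMMAND=" not in m["body"]:
        return None
    # sudo writes COMMAND= last, and the command itself may contain ';'.
    head, command = m["body"].split("COMMAND=", 1)
    fields, reason = {}, None
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value          # TTY, PWD, USER
        else:
            reason = part                # e.g. "user NOT in sudoers"
    return {"user": m["user"], "runas": fields.get("USER"),
            "command": command.strip(), "denied": reason}

def audit(log_text):
    """Split events into commands that ran (per account) and refusals."""
    ran, refused = defaultdict(list), []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["denied"]:
            refused.append((event["user"], event["denied"], event["command"]))
        else:
            ran[event["user"]].append(event["command"])
    return dict(ran), refused

if __name__ == "__main__":
    for item in audit(SAMPLE_LOG):
        print(item)
```

Refused attempts, such as an account outside the sudoers file trying to mount a device, are the entries an administrator usually wants to look at first.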