Though the normal way to become the super user is to log in as root, sometimes that is not
The answer is that you can use the su command. From any Terminal window or shell, you can simply type:
$ su Password: ****** #
When you are prompted, type in the root user’s password. The prompt for the regular user (
) will be changed to the super user prompt (
). At this point, you have full permission to run any command and use any file on the system. However, one thing that the
command doesn’t do when used this way is read in the root user’s environment. As a result, you may type a command that you know is available and get the message "command not found." To fix this problem, you can use the
command with the dash (-) option instead, as
$ su - Password: ****** #
You still need to type the password, but after you do that, everything that normally happens at login for the root user will happen after the su command is completed. Your current directory will be root’s home directory (probably /root ), and things like the root user’s PATH variable will be used. If you became the root user by just typing su , rather than su - , you would not have changed directories or the environment of the current login session.
When you become super user during someone else’s session, a common mistake is to leave files or directories in the user’s directories that are owned by root. If you do this, be sure to use the
command to make the files and directories you modify
You can also use the su command to become another user than root. For example, to have the permissions of a user named chum , you could type the following:
$ su - chum
Even if you were root user before you typed this command, you would only have the permission to open files and run programs that are available to chum . As root user, however, after you type the su command to become another user, you don’t need a password to continue. If you type that command as a regular user, you must type the new user's password.
When you are finished using super user permissions, return to the previous shell by exiting the current shell. Do this by pressing Ctrl+D or by typing exit . If you are the administrator for a computer that is accessible to multiple users, don’t leave a root shell open on someone else’s screen (unless you want to let that person do anything they like to the computer)!
When you run GUI tools as a regular user, you are usually prompted for the root password (as described the section "Using graphical administration tools" later in this chapter). If a GUI tool fails and doesn't prompt you for a password, refer to the "Becoming Super User in X" sidebar.
Fedora and Red Hat Linux systems have advanced enough in recent releases that you can now do most system administration from your desktop GUI, bypassing the shell altogether. Whether you administer Fedora from the GUI or from a shell, however, underlying your activities are many administrative commands, configuration files, and log files.
There may be times when an X GUI is running on Linux as a non-root user and you want to run a graphical administration program. In most cases, the GUI administration program will simply prompt you for the root password to continue. However, if the program fails, saying that you don't have permission to run the command, here is what you can do:
Then, open permission to the X window display to everyone on the local computer (this is just a temporary measure) by typing:
$ xhost +localhost
Type the following and enter the root password when prompted, to become super user:
$ su - Password: ****** #
# echo $DISPLAY
If the value is something like :0 or :0.0, any X command you run from that shell will appear on the console terminal for the computer. If you are at the console and that’s what you see, then you can skip the next step. If you see no value (which is quite possible) or the wrong value, you must set the DISPLAY variable.
Type the following (
# export DISPLAY=:0
At this point, you can run any administrative X command (such as
) and have it appear on your X desktop. If you are running an administrative command from a remote computer and you want it to appear on your local desktop, you can set the
When you are done, be sure to exit the application you are running. Then restore the security of your X desktop by typing the following:
$ xhost –
Understanding where GUI tools, commands, and files are located and how they are used will help you effectively maintain your Fedora system. Although most administrative features are intended for the root user, other administrative users (described later in this section) have limited administrative capabilities.
The trend over the past few versions of Fedora and other Red Hat Linux distributions has been to steer clear of the massive administrative interfaces (such as
) and instead to offer graphical
In Fedora Core 1 and previous versions of Red Hat Linux, the GUI
To administer your Fedora system through the GNOME or KDE desktops, Red Hat, Inc. has provided a common menu (Red Hat calls it the Main Menu; I refer to it as the red hat menu). In GNOME click the red hat; in KDE, click the K icon in the lower-left corner of the desktop.
Because these administrative tasks require root permission, if you are logged in as a regular user you must enter the root password before the GUI application's window opens. For example, if you launch the System Logs window (System Tools System Logs) from the GNOME menu as a regular user, you see the pop-up window shown in Figure 10-1.
Figure 10-1: Enter the root password to open system administration windows from a regular user’s GUI.
After you have entered the root password, most of the system configuration tools will open without requiring you to retype the password during this login session. Look for a “keys” icon in the lower right corner of the panel, indicating that you have root authorization. Click the keys to open a pop-up window that lets you remove authorization.
As you configure different features on your Fedora or Red Hat Linux system, you are asked to launch different individual graphical windows. In general, if you have a choice of tools for configuring a server or adding a feature, I recommend that you use the tool provided with your distribution. That’s because the Red Hat GUI tools more often integrate closely with the way Fedora and Red Hat systems store and manage their configuration information.
The following list describes many of the GUI-based windows you can use to administer your Fedora or Red Hat Linux system. Start these windows from the System Settings or System Tools submenus on your red hat menu:
— This submenu
Domain Name System — Create and configure zones if your computer is acting as a DNS server.
HTTP — Configure your computer as an Apache Web server.
NFS — Set up directories from your system to be shared with other computers on your network using the NFS service.
Samba — Configure Windows (SMB) file sharing. (To configure other Samba features, you can use the SWAT window. SWAT is described in Chapter 18.)
Services —Display and change which services are running on your Fedora system at different run levels.
Add/Remove Applications — Manage software packages in the Fedora distribution.
Authentication —Change how users are authenticated on your system. Usually, Shadow Passwords and MD5 Passwords are selected. However, if your network supports LDAP, Kerberos, SMB, NIS, or Hesiod authentication, you can select to use any of those authentication types.
Date & Time —Set the date and time or choose to have an NTP server keep system time in sync. Figure 10-2 shows the Date/Time Properties window.
Figure 10-2: Choose an NTP server or set date and time in the Date/Time Properties window.
Disk Management — Mount and format removable media, such as CDs and floppy disks.
— Change the settings for your X desktop, including
Hardware Browser — View information about your computer's hardware.
Internet Configuration Wizard — Create initial configurations for connecting to the Internet via Ethernet, ISDN, modem, and other types of network equipment.
Keyboard — Choose the type of keyboard you are using, based on language.
Kickstart —Create a Kickstart configuration file that can be used to install multiple Fedora systems without user intervention.
Language — Select the default language used for the system.
Login Screen — Control how your login screen appears and behaves.
Mouse — Configure your mouse.
Network —Manage your current network interfaces, as well as add interfaces.
Network Device Control — Display the active profile for network devices.
Printing Manager —Configure local and network printers.
Red Hat Network —Register your computer with the Red Hat Network to get free software updates.
Root Password — Change the root password.
Security Level — Configure your firewall to allow or deny services to computers from the network.
System Logs — Displays system log files and lets you search them for keywords. Figure 10-3 shows the Boot Log being displayed in the System Logs window.
Figure 10-3: Show log files of activities from system boot, FTP, mail, news, and other services.
System Monitor — Shows information about running processes and resource usage.
Task Scheduler — Schedules tasks to be run at set times.
Users & Groups
— Lets you add, display, and change user and
Procedures for using the various system graphical administrative tools are discussed throughout the book.
Many commands are intended only for root. When you log in as root, your
/sbin — This contains commands for modifying your disk partitions (such as fdisk ), changing boot procedures ( grub ), and changing system states ( init ).
— This contains commands for managing user accounts (such as
) and configuring your mouse (
). Commands that run as daemon processes are also contained in this directory. (Look for commands that end in "d" such as
Some administrative commands are contained in regular user directories (such as
). This is
To find commands that are intended primarily for the system administrator, check out the section 8 manual pages (usually in /usr/share/man/man8 ). They contain descriptions and options for most Linux administrative commands.
Some third-party applications will add administrative commands to directories that are not in your PATH . For example, an application may put commands in /usr/local/bin , /opt/bin , or /usr/local/sbin . In those cases, you may want to add those directories to your PATH .
Configuration files are another mainstay of Linux administration. Almost everything you set up for your particular computer — user accounts, network addresses, or GUI preferences — is stored in plain-text files. This has some advantages and some disadvantages.
The advantage of plain-text files is that it is easy to read and change them. Any text editor will do. On the downside, however, is that as you edit configuration files, no error checking is going on. You have to run the program that reads these files (such as a network daemon or the X desktop) to find out if you set up the files correctly. A comma or a quote in the wrong place can sometimes cause a whole interface to fail.
Throughout this book, I describe the configuration files you need to set up the different features that make up Fedora systems. In terms of a general perspective on configuration files, however, there are several locations in a Fedora file system where configuration files are stored. Here are some of the major locations:
$HOME — All users store information in their home directories that directs how their login accounts behave. Most configuration files in $HOME begin with a dot (.), so they don’t appear as a user’s directory when you use a standard ls command (you need to type ls -a to see them). There are dot files that define how each user’s shell behaves, the desktop look and feel , and options used with your text editor. There are even files (such as .ssh/* and .rhosts ) that configure network permissions for each user.
/etc — This directory contains most of the basic Linux system-configuration files. The following /etc configuration files are of interest:
adjtime — Holds to data to adjust the hardware clock (see the hwclock man page).
aliases — Can contain distribution lists used by the Linux mail service.
bashrc — Sets system-wide defaults for bash shell users. (By default, it sets the shell prompt to include current user name, host name, current directory, and other values.)
cdrecord.conf — Contains defaults used for recording CDs.
crontab — Sets cron environment and times for running automated tasks.
exports — Contains a list of local directories that are available to be shared by remote computers using the Network File System (NFS).
fdprm — Sets parameters for common floppy disk formats.
fedora-release — Contains a string identifying the current Fedora Core release.
fstab — Identifies the devices for common storage media (hard disk, floppy, CDROM, and so on) and locations where they are mounted in the Linux system. This is used by the mount command to choose which file systems to mount.
group — Identifies group names and group IDs (GIDs) that are defined on the systems. Group permissions in Fedora are defined by the second of three sets of rwx (read, write, execute) bits associated with each file and directory.
gshadow — Contains shadow passwords for groups.
— Sets the locations in which domain names (for example, redhat.com) are searched for on TCP/IP networks (such as the Internet). By default, the local
hosts — Contains IP addresses and host names that you can reach from your computer. (Usually this file is used just to store names of computers on your LAN or small private network.)
hosts.allow — Lists host computers that are allowed to use certain TCP/IP services from the local computer.
hosts.deny — Lists host computers that are not allowed to use certain TCP/IP services from the local computer (doesn't exist by default).
inittab — Contains information that defines which programs start and stop when Fedora boots, shuts down, or goes into different states in between. This is the most basic configuration file for starting Linux.
issue — Contains the lines that are displayed when a terminal is ready to let you log in to Fedora from a local terminal, or the console in text mode.
issue.net — Contains login lines that are displayed to users who try to log in to the Linux system from a computer on the network using the telnet service.
lilo.conf — Sets Linux boot loader (lilo) parameters to boot the computer. In particular, it lists information about bootable partitions on your computer. (If you are using grub, which replaced lilo as the default boot manager, the lilo.conf.anaconda file is available. You can copy that file to lilo.conf to switch to LILO.)
mail.rc — Sets system-wide parameters associated with using mail.
man.config — Used by the man command to determine the default path to the location of man pages.
— Contains aliases and options
mtab — Contains a list of file systems that are currently mounted.
mtools.conf — Contains settings used by DOS tools in Linux.
named.conf — Contains DNS settings if you are running your own DNS server.
ntp.conf — Includes information needed to run the Network Time Protocol (NTP).
passwd — Stores account information for all valid users for the system. Also includes other information, such as the home directory and default shell.
printcap — Contains definitions for the printers configured for your computer.
profile — Sets system-wide environment and start-up programs for all users. This file is read when the user logs in.
— Sets protocol
redhat-release — Contains a string identifying the current Red Hat release. (This file exists on Red Hat Linux and Red Hat Enterprise Linux systems. On Fedora systems, this file exists as a link to the fedora-release file, so that applications that look for release information in the redhat-release file won't fail.)
resolv.conf — Identifies the locations of DNS name server computers that are used by TCP/IP to translate Internet host.domain names into IP addresses.
rpc — Defines remote procedure call names and numbers.
services — Defines TCP/IP services and their port assignments.
— Contains encrypted passwords for users who are defined in the
file. (This is
syslog.conf — Defines what logging messages are gathered by the syslogd daemon and what files they are stored in. (Typically, log messages are stored in files contained in the /var/log directory.)
termcap — Lists definitions for character terminals, so that character-based applications know what features are supported by a given terminal. Graphical terminals and applications have made this file obsolete to most people. (Termcap was the BSD UNIX way of storing terminal information; UNIX System V used definitions in /usr/share/terminfo files.)
xinetd.conf — Contains simple configuration information used by the xinetd daemon process. This file mostly points to the /etc/xinetd.d directory for information about individual services (described later in this chapter).
/etc/X11 — Contains subdirectories that each contain system-wide configuration files used by X and different X window managers available for Linux. The xorg.conf file (which makes your computer and monitor usable with X) and configuration directories containing files used by xdm and xinit to start X are in here.
Directories relating to window managers contain files that include the default values that a user will get if that user starts one of these window managers on your system. Window managers that may have system-wide configuration files in these directories include GNOME ( gdm ) and Twm ( twm ).
Some files and directories in /etc/X11 are linked to locations in the /usr/X11R6 directory.
/etc/alternatives — Contains links that the alternatives facility uses to enable a system administrator to exchange one service with another in a way that is invisible to users. (Currently, only mail and printing use the alternatives service.)
— Contains files and directories that allow the amanda facility to do network
/etc/cipe — Holds if-up and if-down scripts to start a CIPE virtual private network.
/etc/cron* — Directories in this set contain files that define how the crond utility runs applications on a daily ( cron.daily ), hourly ( cron.hourly ), monthly ( cron.monthly ), or weekly ( cron.weekly ) schedule.
/etc/cups — Contains files that are used to configure the CUPS printing service.
/etc/default — Contains files that set default values for various utilities. For example, the file for the useradd command defines the default group number, home directory, password expiration date, shell, and skeleton directory ( /etc/skel ) that are used when creating a new user account.
— Contains a variety of files used to configure the behavior of your Apache Web server (
— Contains the permanent copies of run-level scripts. These scripts are linked to files in the
directories to have each service associated with a script started or
/etc/mail — Contains files used to configure your sendmail mail service.
— Contains configuration files that allow you to have a variety of PCMCIA cards configured for your computer. (PCMCIA slots are those openings on your laptop that allow you to have credit card–
/etc/postfix — Contains configuration files for the postfix mail transport agent.
/etc/ppp — Contains several configuration files used to set up Point-to-Point protocol (so that you can have your computer dial out to the Internet).
/etc/rc?.d — There is a separate rc?.d directory for each valid system state: rc0.d (shutdown state), rc1.d (single-user state), rc2.d (multiuser state), rc3.d (multiuser plus networking state), rc4.d (user-defined state), rc5.d (multiuser, networking, plus GUI login state), and rc6.d (reboot state).
/etc/security — Contains files that set a variety of default security conditions for your computer. These files are part of the pam (pluggable authentication modules) package.
— Any files contained in this directory are automatically
/etc/squid — Contains configuration files for the Squid proxy caching server.
— Contains important system configuration files that are created and
/etc/uucp — Contains configuration files used with Taylor UUCP (a nonstandard version of the uucp facility that is used to create modem, direct line, and other serial connections with other computers).
/etc/vsftpd — Contains configuration files used to set up the vsftpd FTP server.
/etc/xinetd.d — Contains a set of files, each of which defines a network service that the xinetd daemon listens for on a particular port. When the xinetd daemon process receives a request for a service, it uses the information in these files to determine which daemon processes to start to handle the request.
One of the things that Linux does well is keep track of itself. This is a good thing, when you consider how much can go wrong with a complex operating system. Sometimes you are trying to get a new facility to work and it fails without giving you the foggiest reason why. Other times you want to monitor your system to see if people are trying to access your computer illegally. In any of those cases, you can use log files to help track down the problem.
The main utilities for logging error and debugging messages for Linux are the syslogd and klogd daemons. General system logging is done by syslogd . Logging that is specific to kernel activity is done by klogd . Logging is done according to information in the /etc/syslog.conf file. Messages are typically directed to log files that are usually in the /var/log directory.
Fedora includes a System Logs window (System Tools System Logs) you can use to view and search system log files from the desktop. See Chapter 14 for a description of that window and of the log files you can view with it.
You don’t hear much about other administrative logins (besides root) being used with Fedora. It was a
In any case, these administrative logins are available with Linux, so you may want to look into using them. At the very least, because individual software packages such as bind, squid, and amanda set up permissions for their log files and configuration files based on their administrative logins, maintaining those permissions can prevent someone who hacks into one of those services from gaining control of the whole computer.
Because most Fedora administrative features are expected to be administered by the root user, e-mail for other administrative accounts is routed to the root user. If you want other administrative users to receive their own e-mail, delete the aliases for those users from the /etc/aliases file.
Here are some of the administrative logins that are configured automatically for Linux systems. By tradition, these logins are assigned UID numbers under 100. Here are examples:
Most administrative logins have no passwords by default. They also typically have
lp — This user can control some printing features. Having a separate lp administrator allows someone other than the super user to do such things as move or remove lp logs and print spool files. The home directory for lp is /var/spool/lpd .
mail — This user can work with administrative e-mail features. The mail group has group permissions to use mail files in /var/spool/mail (which is also the mail user’s home directory).
uucp — This user owns various uucp commands (once used as the primary method for dial-up serial communications). It is the owner of log files in /var/log/uucp , spool files in /var/spool , administrative commands (such as uuchk , uucico , uuconv , and uuxqt ) in /usr/sbin , and user commands ( uucp , cu , uuname , uustat , and uux ) in /usr/bin . The home directory for uucp is /var/spool/uucp .
bin — This user owns many commands in /bin in traditional UNIX systems. This is not the case in Fedora, because root tends to own most executable files. The home directory of bin is /bin .
news — This user could do administration of Internet news services, depending on how you set permission for /var/spool/news and other news-related resources. The home directory for news is /etc/news .
One way to give full or limited root privileges to any non-root user is to set up the
facility. That simply entails adding the user to
and defining what privilege you want that user to have. Then the user can run any command he or she is privileged to use by
The following is an example of how to use the sudo facility to cause any users that are added to the wheel group to have full root privileges:
As the root user, edit the /etc/sudoers file by running the visudo command:
# /usr/sbin/ visudo
By default, the file is opened in
, unless your
variable happens to be set to some other editor acceptable to
) The reason for using
is that the command will lock the
file and do some basic
If you are stuck here, refer to the vi tutorial in Chapter 4 for information on using the vi editor.
Uncomment the following line to allow users in the group named wheel to have full root privileges on the computer:
%wheel ALL=(ALL) ALL
The previous line causes the user to be prompted for a password to be allowed to use administrative commands. To allow users in the wheel group to have that privilege without using a password, uncomment the following line instead:
%wheel ALL=(ALL) NOPASSWD: ALL
Save the changes to the /etc/sudoers file (in vi, type ZZ ).
Still as root user, open the
file in any text editor and add the users you want to have root privilege to the
line. For example, if you were to add the users
group, the line would appear as
At this point, the users
can run the
command to run commands, or
[jake]$ sudo umount /mnt/win We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things: #1) Respect the privacy of others. #2) Think before you type. Password: ********* [jake]$ mount /mnt/win mount: only root can mount /dev/hda1 on /mnt/win [jake]$ sudo mount /mnt/win [jake]$
In the above session, the user
command so he can
Notice that even after jake has given the password, he must still use the sudo command to run the command as root (the first mount fails, but the second succeeds). Notice that he was not prompted for a password for the second sudo . That’s because after entering his password successfully he can enter as many sudo commands as he wants for the next five minutes without having to enter it again. (You can change the timeout value from five minutes to however long you want by setting the passwd_timeout value in the /etc/sudoers file.)
The preceding example grants a simple all-or-nothing administrative privilege to everyone you put in the wheel group. However, the /etc/sudoers file gives you an incredible amount of flexibility in permitting individual users and groups to use individual applications or groups of applications. I recommend you refer to the sudoers and sudo man pages for information about how to tune your sudo facility.