Section 14.2. Becoming the Super-User



The super-user is a special user ID (0) that has permission to do practically anything on a Linux system. Because of this, it is important that not "just anyone" has this access, especially anyone with malicious intentions. Most administration tasks require that you have super-user powers, and there are three common ways to get them:

  • Log in as "root," the username of the super-user.

  • Use the su utility, described in Chapter 4, "GNU Utilities for Power Users," to create a child shell owned by "root."

  • Use the sudo utility to run a single command as the super-user.

Although the first method is very direct, there are some dangers associated with it. If you log in as "root," every single command that you execute will have super-user privileges, even the ones with errors in them. Imagine typing "rm -r * .bak" instead of "rm -r *.bak" while in the "/" directory! Because of this, I strongly recommend that you avoid this method. Most distributions of Linux will actually ask you if you mean to log in as "root" or put up a warning (like a red background) if you attempt to do so.



14.2.1. Using su

A major advantage of using the su command (described in Chapter 4, "GNU Utilities for Power Users" on page 147) is that it logs who uses it and when. In an environment with more than one system administrator, it is sometimes hard to make sure the super-user password is given only to those who really need it. Having a log to examine helps you see who is using root privileges.

14.2.2. Using sudo

An alternative method of becoming the super-user available in most Linux systems is the sudo command, which works like this:

Figure 14-1. Description of sudo command.

Utility: sudo [-u username] commandLine

sudo causes the command commandLine to be run as the user username (if specified) or as root if no -u argument and username are specified. The user who executed the sudo command is logged along with the time and command executed.

sudo allows a user to execute commands as another user only if the user is listed in the /etc/sudoers file. The first time you run sudo, you must authenticate yourself to gain access by providing your own password (not the root password or that of the specified username). After that, a configurable timeout clock starts (5 minutes by default), in which time another command can be run with sudo without your having to provide your password again.

Attempts to use sudo by a user not listed in /etc/sudoers are reported to the system administrator.


The advantages of sudo over su are many. sudo simplifies the process of becoming the super-user when you need to and so encourages you not to be super-user when you don't need it. It also provides more configurable access to root privileges. Those needing super-user access do not need to know the root password and, if necessary, you can take away someone's super-user rights without having to change the root password.

The only real disadvantage is that now your system can be compromised not only by someone obtaining the root password but also by someone obtaining the password of any of the users listed in the /etc/sudoers file. So if you choose to use sudo, you must be sure those who will be listed protect their own passwords as judiciously as they would the root password.
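The logging described above is what lets you review who used sudo, and who was refused. The following is an added example, not code from the book: it parses sudo entries in the syslog format sudo commonly writes and separates successful commands from refused attempts. The sample lines, host name, users and the function names parse_sudo_line and summarize are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sudo commonly writes
# (host, users and commands are invented for this example).
SAMPLE_LOG = """\
Mar  3 09:12:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:12:44 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 09:15:02 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:40 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Mar  3 09:20:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=postgres ; COMMAND=/bin/sh -c 'date ; id'
"""

LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<who>\S+) : (?P<rest>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo log entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"when": m["when"], "host": m["host"], "who": m["who"], "status": "ok"}
    # COMMAND is always last and may itself contain " ; ", so cut it off first.
    head, _, command = m["rest"].partition("COMMAND=")
    event["command"] = command
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            event["run_as" if key == "USER" else key.lower()] = value
        else:
            event["status"] = part  # e.g. "user NOT in sudoers"
    return event

def summarize(log_text):
    """Count successful sudo commands per user and collect refused attempts."""
    events = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    return {
        "commands_by_user": Counter(e["who"] for e in events if e["status"] == "ok"),
        "refused": [e for e in events if e["status"] != "ok"],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(dict(report["commands_by_user"]))
    for e in report["refused"]:
        print(e["when"], e["who"], "->", e["status"], "|", e["command"])
```

On a real system these entries go to the system log, whose file location varies by distribution.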





Linux for Programmers and Users
ISBN: 0131857487
Year: 2007
Pages: 339
