The Root Password


UNIX has an all-or-nothing concept of security. While the root user may do absolutely anything, other users may only do things root permits them to. This one fact has been responsible for a large number of system intrusions. What's more, this coarse-grained approach causes any number of problems for system administrators. While you can create groups and use them to handle permissions for a variety of files, groups don't work well for sysadmin tasks. Only root can add users; only root can configure the network; only root can install system-wide software. Different people might handle these tasks separately. But they all need root privileges to do their work, so either you need to trust these people to stay out of each other's way or you need to configure an add-on access control tool. Only give the root password to those users you trust. All other users should be given access to particular tasks via sudo(8).

Using the Root Password

The su(1) command allows one user to become another user, if you have that user's password. I could use Chris's password to access Chris's account, just as if I were him. I could use Phil's password to effectively become Phil. Or, I could use the root password to become root.

Using su is very straightforward: Just type su, and the system will prompt you for a password. Enter the root password, and you will have a root shell!

    # su
    Password:
    #

One thing to remember is that su gives you the shell of the user you're switching to. You might not want to do that — if you're on a system with multiple administrators, someone will not like the shell assigned to root. Do not change OpenBSD's root shell unless you know all the implications of doing so. Instead, use su's -m flag to keep your current shell and environment variables. For example, while my preferred shell is tcsh, OpenBSD's root shell is old-fashioned csh. If I use "su", I will get a csh shell. If I use "su -m", I will get my preferred tcsh shell. If you use "su -m", make sure that your shell doesn't contain any garbage that can confuse programs run as root. A nonstandard $PATH or $LD_LIBRARY_PATH environment variable combined with "su -m" can really interfere with your uptime.

Who May Use the Root Password?

Only users who are in the "wheel" group may use the root password. A user who is not in the wheel group cannot use the root password, even if he has the password. For example, suppose I get very lazy and write the root password on a sticky note and put it on my monitor. Phil wanders by, sees the password, and decides to give it a try from his account even though he isn't in the wheel group.

    # su
    Password:
    you are not in group wheel
    Sorry
    #

What's more, his attempt will be logged in /var/log/authlog.

    Jul 1 16:10:15 openbsd su: BAD SU phil to root on /dev/ttyp1

As a responsible security administrator, I should be checking my authorization log daily looking for these things. These errors are mailed to root each day as part of the daily security check, so there really is no excuse for not reading them.
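To show what "checking the authorization log" for these entries looks like in practice, here is a small added example (not from the book) that parses su(1) lines in the format shown above and counts failed su-to-root attempts per user. The sample log is constructed; the format of the successful-su line ("chris to root on ...") is assumed to mirror the BAD SU line without the prefix.

```python
import re
from collections import Counter

# Constructed sample of /var/log/authlog lines. The BAD SU lines follow the
# format shown above; the successful su line is an assumed format.
SAMPLE_AUTHLOG = """\
Jul 1 16:10:15 openbsd su: BAD SU phil to root on /dev/ttyp1
Jul 1 16:10:42 openbsd su: BAD SU phil to root on /dev/ttyp1
Jul 1 16:11:03 openbsd su: chris to root on /dev/ttyp2
Jul 1 16:12:30 openbsd su: BAD SU phil to chris on /dev/ttyp1
Jul 1 16:13:01 openbsd sshd[1234]: Accepted publickey for chris from 192.0.2.10 port 50022
"""

# One su(1) entry: syslog timestamp, host, "su:", optional "BAD SU " marker,
# then "<user> to <target> on <tty>". Lines from other daemons do not match.
SU_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(text):
    """Return one dict per su(1) entry in the log text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        events.append({
            "stamp": m.group("stamp"),
            "user": m.group("user"),
            "target": m.group("target"),
            "tty": m.group("tty"),
            "failed": m.group("bad") is not None,
        })
    return events


def failed_root_su(events):
    """Count failed attempts to su to root, keyed by the account that tried."""
    return Counter(e["user"] for e in events if e["failed"] and e["target"] == "root")


if __name__ == "__main__":
    found = parse_su_events(SAMPLE_AUTHLOG)
    for user, n in failed_root_su(found).items():
        print(f"{user}: {n} failed su to root")
```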

Mind you, anyone who has this root password could walk up to the console and log in directly as root. He could then add himself to the wheel group if he wanted. This is bad. You could disallow root logins on the console, but you might need them sometime. The existence of the wheel group does not mean that you can skip hiding your root password!

If you have no users in the wheel group, then only the root account can get root access (without exploiting some sort of security hole, of course). If you forget to add your first account to the wheel group, you will need to log in to the console as root and make the necessary changes to /etc/group. If you've disabled root logins on the console, boot into single-user mode and make the changes.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
