Letting Mortals Play at Wizardry: SuperUsers

It has been said here frequently: it is generally a bad idea to log in as Root and do work. Too much damage can be done, and if you're connected to the Internet, you can actually lose control of your system to an attacker. Nonetheless, there are tasks and operations that can be done only by Root, and you may find yourself needing to be Root on a daily basis. Fortunately, there is a built-in solution to this problem: becoming the SuperUser.

There are two ways to perform Root tasks while being logged in as a generic user. The su command allows anyone with the Root password to become Root. In a larger system, Root can also assign specific tasks to users without handing out the Root password by implementing the sudo command.

Changing User Identity with su

When you run YaST to make changes in your configuration, you are first asked for the Root password. You have just used su to become Root.

Whether the task is installing software, troubleshooting problems, or some other system-related issue, you will need this command sooner or later.

Note

Although most often run on a system to gain SuperUser access, su is not the "SuperUser" command. It stands for "Substitute User," and you can log in as any other system user with the correct password.

To run su from the shell prompt, use this syntax:

su <option> <username> <arguments> 

Typing su by itself means you want to log in as Root, and you'll be prompted for the Root password. You'll also retain your own environment settings. To gain Root's environment, type su -.

To run a single Root command from the shell and return to your user prompt, use the -c switch. Try something like this:

su root -c chmod 600 /etc/shadow 

When you have completed your Root tasks, type exit to return to your user prompt.

Using sudo to Grant Root Privileges

When you're the system administrator of a large system with lots of users, you don't want to give out the Root password to everyone who wants to install software on his or her computer. You can solve this problem with SuperUser Do, or sudo.

You configure sudo by editing /etc/sudoers with the special visudo editor. As you might guess, visudo is a version of vi made for use with this file. It checks for parsing errors in your edits, so you should definitely use this, rather than your regular editor (even if you normally work with vi). You may want to return to the vi section of Chapter 5 to review some of the commands if you are not familiar with this editor.

Run su to log in as Root before running visudo. To begin, run visudo with no arguments; that is:

visudo 

The default /etc/sudoers file appears in the shell, looking something like this:

# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults targetpw    # ask for the password of the target user i.e. root %users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! # User privilege specification # You should not use sudo as root in an SELinux environment # If you use SELinux, remove the following line root    ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel    ALL=(ALL)    ALL # Same thing without a password # %wheel    ALL=(ALL)    NOPASSWD: ALL # Samples # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users  localhost=/sbin/shutdown -h now 

Before editing sudoers, you may want to review the man pages for both sudoers and visudo (sudo itself has a man page as well) for instructions on how to use these files.

Feel free to uncomment any of the default lines to activate them. Instead of editing the default lines, you should add new lines (with a comment to document what you want to do). The basic format of a sudoers line is

user host_computer=command 

The user can also be a group; so, for example, to grant permission to the Writers group to run YaST Online Update, add this line:

writers ALL=/sbin/yast2 

To grant the Writers group this same permission without having to enter a password, add this line:

writers ALL=/sbin/yast2 NOPASSWD: ALL 

When you're finished editing, press :q to save changes and return to the shell prompt. Type exit to return to your user prompt.

Once configured, sudo is very easy to use. Anyone in the Writers group should now be able to type this command to run YaST:

sudo /sbin/yast2 

Depending on how you set it, writers may be prompted for their own user password to confirm that they are the person that is logged in.