Much of what a system administrator does is work that ordinary users do not have permission to do. When performing one of these tasks, the system administrator logs in as root (or uses another method; see the list starting on page 392) to have systemwide powers that are beyond those of ordinary users: A user with root privileges is referred to as Superuser. The username is root by default. Superuser has the following powers and more:
When you are running with root (Superuser) privileges, the shell by convention displays a special prompt to remind you of your status. By default this prompt is or ends with a pound sign (#). To lessen the chance that a user other than Superuser will try to use them by mistake, many of the utilities that Superuser runs are kept in the /sbin and /usr/sbin directories, rather than in /bin and /usr/bin. (Many of these utilities can be run by ordinary users.) You can execute these utilities by giving their full pathnames on the command line (for example, /sbin/runlevel). When you log in as root, these directories are in your PATH (page 292) by default. Caution: Least privilege When you are working on the computer, especially when you are working as the system administrator, perform any task by using the least privilege possible. When you can perform a task logged in as an ordinary user, do so. When you must be logged in as Superuser, do as much as you can as an ordinary user, log in or use su so that you have root privileges, complete the part of the task that has to be done as Superuser, and revert to being an ordinary user as soon as you can. Because you are more likely to make a mistake when you are rushing, this concept becomes more important when you have less time to apply it. You can gain or grant Superuser privileges in a number of ways:
Some techniques limit the number of ways to become Superuser. PAM (page 438) controls the who, when, and how of logging in. The /etc/securetty file controls which terminals (ttys) a user can log in on as root. The /etc/security/access.conf file adds another dimension to login control (see the file for details). Security: Do not allow root access over the Internet Prohibiting root logins using login over a network is the default policy of Red Hat Enterprise Linux and Fedora Core and is implemented by the PAM securetty module. The /etc/security/access.conf file must contain the names of all users and terminals/workstations that you want a user to be able to log in on as root. Initially every line in access.conf is commented out. You can, however, log in as root over a network using ssh (page 579). As shipped by Red Hat, ssh does not follow the instructions in securetty or access.conf. Also, in /etc/ssh/sshd_config, Red Hat sets PermitRootLogin to YES (it is set by default) to permit root to log in using ssh (page 594). System Administration ToolsMany tools can help you be an efficient and thorough system administrator. A few of these tools/utilities are described in this section, another group of administration utilities is described starting on page 415, and others are scattered throughout Part IV. su: Gives You Another User's PrivilegesThe su (substitute user) utility can create a shell or execute a program with the identity and permissions of a specified user. Follow su on the command line with the name of a user; if you are root or if you know the user's password, you take on the identity of that user. When you give an su command without an argument, su defaults to Superuser so that you take on the identity of root (you have to know the root password). To be sure that you are using the system's official version of su (and not one planted on your system by a malicious user), specify su's absolute pathname (/bin/su) when you use it. (Of course, if someone has compromised your system enough that you are running a fake su command, you are in serious trouble anywaybut using an absolute pathname for su is still a good idea.) When you give an su command to become Superuser, you spawn a new shell, which displays the # prompt. You return to your normal status (and your former shell and prompt) by terminating this shell: Press CONTROL-D, or give an exit command. Giving an su command by itself changes your user and group IDs but makes minimal changes to your environment. You still have the same PATH you did when you logged in as yourself. When you run a utility that is normally run by root (the utilities in /sbin and /usr/sbin), you need to specify an absolute pathname for the utility (such as /sbin/service). When you give the command su (you can use l or login in place of the hyphen), you get a root login shell: It is as though you logged in as root. Not only are your user and group IDs those of root, but your entire environment is that of root. The login shell executes the appropriate startup scripts before displaying a prompt, and your PATH is set to what it would be if you had logged in as root, typically including /sbin and /usr/sbin. Use the id utility to display the changes in your user and group IDs and in the groups you are associated with. In the following example, the information that starts with context pertains to SELinux: $ id uid=500(alex) gid=500(alex) groups=500(alex) context=user_u:system_r:unconfined_t $ su Password: # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys), ... You can use su with the c option to run a single command with root privileges, returning to your original shell when the command finishes executing. The following example first shows that a user is not permitted to kill a process. With the use of su c and the root password, the user is permitted to kill (page 395) the process. The quotation marks are necessary because su c takes its command as a single argument. $ kill -15 4982 -bash: kill: (4982) - Operation not permitted $ su -c "kill -15 4982" Password: $ consolehelper: Runs Programs as rootThe consolehelper utility can make it easier for someone who is logged in on the system console but not logged in as root to run system programs that normally can be run only by root. PAM (page 438), which authenticates users, can be set to trust all console users, to require user passwords (not the root password), or to require root passwords before granting trust. The concept underlying consolehelper is that you may want to consider as trustworthy anyone who has access to the console. For example, Alex can log in on the console as himself and run halt without knowing the root password. For more information refer to the discussion of consolehelper on page 413 and to the consolehelper man page. Security: Superuser, PATH, and security The fewer directories you keep in your PATH when you are root, the less likely you will be to execute an untrusted program as root. If possible, keep only the default directories, along with /sbin and /usr/sbin, in root's PATH. Never include the working directory (as . or : : anywhere in PATH, or : as the last element of PATH). For more information refer to "PATH: Where the Shell Looks for Programs" on page 292. kill: Sends a Signal to a ProcessThe kill builtin sends a signal to a process. This signal may or may not terminate (kill) the process, depending on which signal is sent and how the process is designed. Refer to "trap: Catches a Signal" on page 933 for a discussion of the various signals and their interaction with a process. Running kill is not the first method a user or system administrator should try when a process needs to be aborted. Caution: kill: Use the kill signal (KILL or 9) as a method of last resort When you do need to use kill, send the termination signal (kill TERM or kill 15) first. Only if that tactic does not work should you attempt to use the kill signal (kill KILL or kill 9). Because of its inherent dangers, using a kill signal is a method of last resort, especially when you are running as Superuser. One kill command issued by root can bring the system down without warning. Usually a user can kill a process by working in another window or by logging in on another terminal. Sometimes you may have to log in as root (or use su) to kill a process for a user. To kill a process, you need to know its PID. The ps utility can provide this information once you determine the name of the program the user is running and/or the username of the user. The top utility (page 550) can also be helpful in finding and killing (see top's k command) a runaway process. In the following example, Sam complains that xeyes is stuck and that he cannot do anything from the xeyes window, not even close it. A more experienced user could open another window and kill the process, but in this case, you kill it for Sam. First use ps with the u option, followed by the name of the user and the f (full/wide) option to view all the processes associated with that user. $ ps -u sam -f UID PID PPID C STIME TTY TIME CMD sam 2294 2259 0 09:31 ? 00:00:00 /bin/sh /usr/bin/startkde sam 2339 2294 0 09:31 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/dbus-launch sam 2342 1 0 09:31 ? 00:00:00 dbus-daemon --fork --print-pid 8 --prin sam 2343 1 0 09:31 ? 00:00:00 /usr/bin/dbus-launch --exit-with-sessio sam 2396 1 0 09:31 ? 00:00:00 kdeinit Running... sam 2399 1 0 09:31 ? 00:00:00 dcopserver [kdeinit] --nosid sam 2401 2396 0 09:31 ? 00:00:00 klauncher [kdeinit] sam 2403 1 0 09:31 ? 00:00:00 kded [kdeinit] sam 2405 1 0 09:31 ? 00:00:00 /usr/libexec/gam_server sam 2413 2396 0 09:31 ? 00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m a sam 2415 1 0 09:31 ? 00:00:00 kaccess [kdeinit] sam 2416 2294 0 09:31 ? 00:00:00 kwrapper ksmserver sam 2418 1 0 09:31 ? 00:00:00 ksmserver [kdeinit] sam 2421 2396 0 09:31 ? 00:00:00 kwin [kdeinit] -session 1070626e6a00011 sam 2424 1 0 09:31 ? 00:00:01 kdesktop [kdeinit] sam 2426 1 0 09:31 ? 00:00:01 kicker [kdeinit] sam 2429 2396 0 09:31 ? 00:00:00 kio_file [kdeinit] file /tmp/ksocket-ma sam 2434 2396 0 09:31 ? 00:00:00 konsole [kdeinit] -session 1070626e6a00 sam 2435 2396 0 09:31 ? 00:00:00 /bin/sh /usr/lib/firefox-1.5/firefox -U sam 2446 2435 0 09:31 ? 00:00:00 /bin/sh /usr/lib/firefox-1.5/run-mozill sam 2451 2446 0 09:31 ? 00:00:01 /usr/lib/firefox-1.5/firefox-bin -UILoc sam 2453 2434 0 09:31 pts/2 00:00:00 /bin/bash sam 2474 1 0 09:31 ? 00:00:00 /usr/libexec/gconfd-2 10 sam 2482 1 0 09:32 ? 00:00:00 synergyc jam sam 3568 3567 0 13:55 pts/3 00:00:00 -bash sam 3726 1 0 14:07 ? 00:00:00 knotify [kdeinit] sam 3728 1 0 14:07 ? 00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m a sam 3730 2424 0 14:07 ? 00:00:00 xeyes sam 3731 3568 0 14:07 pts/3 00:00:00 ps -u sam -f This list is fairly short, and the process running xeyes is easy to find. Another way to search for a process is to use ps to produce a long list of all processes and then use grep to find which ones are running xeyes. $ ps -ef | grep xeyes sam 3730 2424 0 14:07 ? 00:00:00 xeyes sam 3766 3568 0 14:14 pts/3 00:00:00 grep xeyes If several people are running xeyes, you may need to look in the left column to find the name of the user so you can kill the right process. You can combine the two commands as ps u sam f | grep xeyes. Now that you know Sam's process running xeyes has a PID of 3730, you can use kill to terminate it. The safest way to do so is to log in as Sam (perhaps allow him to log in for you or su to sam [su sam] if you are logged in as root) and give any of the following commands (they all send a termination signal to process 3730): $ kill 3730 or $ kill -15 3730 or $ kill TERM 3730 Only if this command fails should you send the kill signal: $ kill KILL 3730 The KILL option instructs kill to send a SIGKILL signal, which the process cannot ignore. You can give the same command while you are logged in as root, but a typing mistake can have much more far-reaching consequences in this circumstance than when you make the mistake while you are logged in as an ordinary user. A user can kill only her own processes, whereas Superuser can kill any process, including system processes. As a compromise between speed and safety, you can combine the su and kill utilities by using the c option to su. The following command runs the part of the command line following the c with the identity of Sam: # su sam -c "kill -TERM 3730" Two useful utilities related to kill are killall and pidof. The killall utility is very similar to kill but uses a command name instead of a PID number. To kill all your processes that are running xeyes or vi, you can give the following command: $ killall xeyes vi When root gives this command, all processes that are running xeyes or vi on the system are killed. The pidof utility displays the PID number of each process running the command you specify. Because this utility resides in /sbin, you must give the absolute pathname if you are not running as root: $ /sbin/pidof httpd 567 566 565 564 563 562 561 560 553 If it is difficult to find the right process, try using top. Refer to the man pages for these utilities for more information, including lists of options. |