How to NOT become a root user? Are administrators root?
You are an administrator, but not root. The root user can do anything. Administrators can perform actions as root, but ordinarily what administrators do is not done by root. That way, you have full control over your own system, but only when you choose to use it.
Ubuntu asks for your password when you try to do stuff as root, to make sure it's really you.
User Accounts: Human, and Otherwise
Real human users have user accounts to represent them. You created one such account when you installed Ubuntu. But not all user accounts represent real human users.
Real human users are granted (and denied) abilities through their user accounts. They must use their user accounts to use the system; therefore, their user accounts' abilities and limitations apply to them.
User accounts are also used to codify sets of abilities and limitations. Some user accounts--most, actually, unless you have many human users of the machine--exist so that certain programs or commands can be run with their identity, an identity with the right abilities and limitations for the job.
For example, the www-data user exists so that if you run a web server, it owns the data the server makes accessible. No real human user has to be empowered to make unchecked changes to those data, and the web server doesn't have to be empowered to perform any action unnecessary for serving the web. Consequently, both the web data and the rest of the system are more secure against accidental or intentional breakage than if the web server were run by some human user who would have all the powers of the web server (and whose powers the web server would possess).
The Most Important Non-Human User Account
The superuser, whose username is root, is a non-human user account with a very specific combination of abilities and limitations: all abilities, and no limitations.
root's allowed to do anything. There are still things root cannot do because the system itself cannot perform or make sense out of them. So root cannot kill a process that is in uninterruptible sleep, or make a rock too heavy to move, then move it.
Many important system processes, like init, run as root, and root is used for performing administrative tasks.
Can I log in as root?
It's possible to configure the root account so it's possible to log in with a password, but this is not enabled by default in Ubuntu. Instead, you can think of root as being like www-data, lp, nobody, and other non-human accounts. (Run cat /etc/passwd or getent passwd to see them all.)
Human users log in with their own user accounts, and then if some task is to be performed with another user account, they cause that task to be performed with that identity, without actually having logged in as that user.
It's possible to configure the other non-human users, like www-data, so one can log in as them, too. That's quite rare, though, whereas in some other Unix-like OSes it's common to log in as root in a terminal. The risks of running a whole graphical interface as root, combined with how many graphical programs are not designed to run as root and may not work properly, mean that you should never attempt to get a root-owned desktop session.
Please note that while logging in as root is disabled by default in Ubuntu, there are ways to get a root shell without authenticating as root, which produce a similar effect: the most common are sudo -s or -i, recovery mode and similar techniques. (Don't worry if you don't know what those things are.) This is not actually logging in: in recovery mode, you become root before any login would occur; with the sudo-based methods, you're just running a shell as root.
Administrators
In Ubuntu, administrators are the users who can do whatever they want as root, when they choose to do so.
System Settings > User Accounts. "Eliah Kagan" is an administrator, so he can do stuff as root, but he is not root.
I'm an administrator on my Ubuntu system. When I run programs, ordinarily they run as ek. ("Eliah Kagan" is the full name that corresponds to the ek username.)
When I run AbiWord or LibreOffice, it runs as ek. When I run Firefox, Chromium, Empathy, or Pidgin, it runs as ek. The programs that run to provide the desktop interface run as ek.
However, I am an administrator, so if I need to perform an administrative task, I can do so.
sudo
On the command line, I would ordinarily use sudo to run a command as root:
sudo command...
This will prompt me for my password. (Not root's password; root does not have one.)
- Because I am an administrator, I can perform actions as root. In the default configuration, I must enter my password to do this.
- Users who are not administrators cannot perform actions as root, even by putting in their password. sudo commands will fail if the user running them is not an administrator.
Because administrators are perfectly ordinary users except for the ability to perform actions as root, running a command requiring root privileges will still fail, except when the command is run as root.
Screenshot illustrating the need to use sudo to perform administrative tasks. (Based on "Sandwich" by Randall Munroe.)
sudo, Graphically
Graphical programs can run as root through graphical frontends for sudo, such as gksu/gksudo and kdesudo. For example, to run GParted as root I could run gksudo gparted. Then I would be prompted graphically for my password.
Since I'm prompted graphically, there doesn't have to be a terminal. This is one of the ways administrative tools are run as root.
Polkit
Polkit (once known as PolicyKit) is another way for administrators to do things as root. A program accesses a service that performs the action. Sometimes, the action is running a whole program; sometimes the action is more limited.
These days, many graphical system administration utilities are set up to use polkit by default, rather than to use sudo.
One example of such a utility is the Software Center. It takes full advantage of polkit, requiring the user to put in their password only when they want to do something that requires root privileges. (This is possible with sudo-based authentication also, but it is harder and uglier to accomplish.)
In the Software Center, I can find and read about an application; then I'm asked for my password when I want to install it.
How polkit Is Different
Any graphical program can be run as root with gksudo and other graphical sudo frontends. (The program might not work very well, depending on whether or not it's designed to be used as root. But the command to start the program will be executed as root.)
While polkit is now more common than sudo GUI frontends as the way applications on Ubuntu perform actions as root behind the scenes, polkit will only run a graphical application as root if there is a configuration file allowing it and indicating what actions may be performed.
Polkit, Non-Graphically
pkexec is the command used to run a program with polkit.
Like sudo, pkexec can run non-graphical commands. (And it does not require a configuration file defining the command's capabilities--it simply runs the command as root.)
pkexec command...
pkexec prompts for a password graphically, even if it is run from a Terminal (this is one of the ways its behavior is more similar to gksudo than to running straight sudo).
(If there is no GUI--for example, if you're logged in from a virtual console or text-only SSH session, or the GUI is not functioning properly--then pkexec will degrade gracefully and prompt for your password on the command line.)
Once authentication is performed successfully, the command runs in the terminal.
Running Commands as Other Users Besides root
root is special because it gets to do anything that can be done. But it's a user account like any account, and the ways of running commands as root with sudo (directly or with a graphical frontend) or polkit can be modified slightly to run a command as any other user:
sudo -u username command...
gksudo -u username command...
pkexec --user username command...
What? You just type sudo first? How is that security?!
Running commands with sudo is sort of like invoking papal infallibility.
When you run a command with sudo [invoke papal infallibility], Ubuntu [Catholic folks] tries hard to make sure you're really you [really the Pope].
Yes, I know papal infallibility (even when normative) is declarative; the parallel is not perfect.
Trying to do something as root with sudo (or polkit) is a big deal--Ubuntu is not just going to let that slide by like all the other times you run a program.
You are prompted for your password. (Then, that you have done so is remembered for a short time, so you don't have to constantly enter your password as you administer your system.)
Besides reminding you to be careful, this safeguards against two scenarios:
- Someone uses your computer (or mobile device), maybe under the guise of checking their email or some similar innocuous purpose. Here, it's still possible for them to do some harm--for example, they could modify or delete your documents. However, they cannot administer the system, since they cannot put in your password.
- Programs that aren't supposed to administer the system cannot do so, unless you enter your password. For example, if your web browser is compromised by a security bug and runs malicious code, it still cannot perform administrative tasks. It cannot create and delete users, modify programs installed as root (which includes anything installed by the package manager, such as LibreOffice), or alter the system at a deep level.
I've heard of su. What's that? Can I use that?
su authenticates as another user, and runs a command (or starts an interactive shell). It's possible to limit who is permitted to use su, but su authenticates with the target account's password, not the password of the user running it.
For example, su username -c 'command...' runs command... as username, just like sudo -u username command....
But when you run a command as username with sudo, you enter your password. When you run a command as username with su, you enter username's password.
Since su performs authentication for the target user, with su you can only run commands as users whose accounts are enabled.
The root account (like www-data and nobody) is disabled by default. There is no password that will work to log in as root. So you cannot use su to run commands as root.
You can use su to run commands as another user who can log in (which typically includes all the user accounts on your system that represent human beings).
When logged in as a guest, you cannot use su at all.
Combining su and sudo
Someone who is not an administrator can even use su to run sudo as an administrator. (This is OK though, as they need the administrator's password to run commands as the administrator.) That is, a limited user can use su to run sudo to run a command as root. This can look like:
su username -c 'sudo command...'
(Running graphical programs this way requires special care.)
Wouldn't su be a more secure way to run commands as root?
Probably not.
What if a user shouldn't be allowed to act as root?
Make them a limited user instead of an administrator.
What if a program running as an administrator tries to sudo to root?
Unless you have reconfigured sudo to let it succeed without a password, it will fail.
Can't a program that shouldn't be run as root piggyback on a recent sudo command, so no password is required?
This would be very unlikely to succeed. These days, most operating systems (including Ubuntu) have sudo configured by default so that its timestamps apply only in a specific context.
For example, if I run sudo ... in one Terminal tab and authenticate successfully, sudo in another tab (or run by an unrelated GUI program, or that I run from a virtual console or SSH session) will still prompt for a password. Even if it's run immediately afterwards.
Doesn't a program running as user X have access to user X's password?
No.
If a malicious program is able to run as an administrator, can't it "listen in" to what's being typed when the administrator authenticates with sudo or polkit?
Potentially, yes. But then it could "listen in" to a password typed in for su.
If I tell someone my password—
Don't tell people your password.
What if someone has to know my password to do something on my behalf, but I don't want to let them administer the system?
Ideally, they should have a separate user account that lets them do what they need to do. For example, you can share files between accounts, allowing multiple users to write to them, while still denying access to other users.
However, in a situation where a less-trusted person may be permitted to share your account, it should be a limited user account. You could make a separate account for this purpose (which makes sense--if it's an account for you and someone else who you want to have different capabilities, it should be a different account).
So, would the most secure thing be to disallow both sudo and su and make people log in as root, manually?
No, because there are serious disadvantages associated with letting people log in as root at all. Whenever possible, the smallest number of actions possible should be undertaken as root. Even most acts relating directly to administering a system (e.g., looking at what users are configured, and reading logs) usually don't require root privileges.
Also, just as potentially a malicious program could watch what someone types when they run sudo or su, or create a fake sudo/su password prompt, potentially a malicious program could create a fake login screen, too.
What makes a user an administrator?
Group membership.
In Ubuntu 12.04 and later, administrators are members of the group called sudo.
In Ubuntu 11.10 and earlier, administrators are members of the group called admin.
When an Ubuntu system before 12.04 is upgraded to 12.04 or later, the admin group is kept for backward compatibility (and continues to confer administrative power to users in it), but the sudo group is used as well.
Limited User Accounts
Can I use a limited user account instead of an administrator account?
If you like, sure. Create a limited user account in System Settings > User Accounts, and log in as that user.
Can I make my administrator account a limited user account?
Yes, just remove it from the sudo and admin groups (see above).
But you should make sure there is at least one other administrator account, so you can administer your system. If there is not, then you'd have to boot to recovery mode or a live CD and make some user an administrator again. (This is similar to resetting a lost administrator password.)
Graphical tools for administering users and groups will usually keep you from creating a system with no administrators, or at least warn you. Command line tools typically will not (trusting that you know what you're doing).
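As an added example, not code from the answer above or from Ubuntu: a small POSIX shell script that applies the answer's rules (an administrator is a member of the sudo or admin group; human accounts sit in the regular UID range, service accounts such as www-data and nobody do not) to passwd and group excerpts. The sample users, UIDs and group lines are constructed for the demo; without the text argument the functions read getent output from the running system instead.

```shell
#!/bin/sh
# Added example (not the answer's code): classify accounts as the answer describes,
# from the sudo/admin groups and passwd UID ranges. Sample data is constructed;
# on a real system omit the text argument and the functions read getent output.

# Constructed /etc/group and /etc/passwd excerpts (not from any real system).
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,ek
sudo:x:27:ek
admin:x:1001:alice'
SAMPLE_PASSWD='www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ek:x:1000:1000:Eliah Kagan,,,:/home/ek:/bin/bash
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob,,,:/home/bob:/bin/bash'

# is_admin USER [GROUP_TEXT]: succeeds if USER is a supplementary member of the
# sudo group (12.04 and later) or the legacy admin group. The passwd primary GID is
# not checked: Ubuntu adds administrators as supplementary members (fourth field).
is_admin() {
    printf '%s\n' "${2:-$(getent group)}" | awk -F: -v u="$1" '
        $1 == "sudo" || $1 == "admin" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# account_kind USER [PASSWD_TEXT]: prints "human" for a regular login account
# (adduser gives people UIDs 1000-59999 on Ubuntu) and "system" for service
# accounts such as www-data, lp and nobody; prints nothing for an unknown user.
account_kind() {
    printf '%s\n' "${2:-$(getent passwd)}" |
    awk -F: -v u="$1" '$1 == u { k = ($3 >= 1000 && $3 < 60000) ? "human" : "system"; print k }'
}

# list_admins [PASSWD_TEXT] [GROUP_TEXT]: one "user admin|limited" line per human
# account, i.e. the "What makes a user an administrator?" check applied to everyone.
list_admins() {
    p=${1:-$(getent passwd)}; g=${2:-$(getent group)}
    printf '%s\n' "$p" | awk -F: '$3 >= 1000 && $3 < 60000 { print $1 }' |
    while IFS= read -r u; do
        if is_admin "$u" "$g"; then echo "$u admin"; else echo "$u limited"; fi
    done
}

list_admins "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Run it with no arguments to the functions (for example `list_admins` alone) to report on the real system; whether an account's password is locked, which is what actually blocks su and logins, needs root to read /etc/shadow and is not checked here.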
No such thing as a dumb question ;)
I hope this clarifies things a bit:
In Ubuntu, two different types of user accounts may be made: standard accounts and administrator accounts. The difference between the two: a standard account is not allowed to make any important changes to your system by attaining root access, whereas an administrator account may use their password to make changes as the root user. The Root user itself is one of the many users that the system has created and that you do not normally see or notice, and you can't login as it (by default, anyway). If you are logged into an administrator type account, you can become this Root user with the sudo command in a terminal, and you are able to type in your password in order to install software, make system changes, etc. If you are logged in as a standard user, you are unable to do any of that.