Why don't I have a password for "su"? Problems with "sudo"

I have installed Ubuntu using the GUI, giving myself a password and everything. I do not intricately remember the process. However, what worries me is that I don't know the following password:

$ su
Password: <the only password I've ever created on this machine>
su: Authentication failure

I just don't know what to do. I'm not in trouble, but I just want to know what's going on here. I can also lock myself out of directories:

starkers@ubuntu:~/Desktop$ mkdir foobs
starkers@ubuntu:~/Desktop$ sudo chmod 777 -R foobs
sudo: /var/lib/sudo writable by non-owner (040777), should be mode 0700
[sudo] password for starkers: <the only password I've ever created on this machine> 
starkers@ubuntu:~/Desktop$ cd foobs
bash: cd: foobs: Permission denied

I'm just a bit confused. How can I lock myself out like this? I think sudo is the key command here. But I'm making the foobs file as open as it can possibly be via the chmod, so why does it lock me out?


1. Why you don't have a root password

While you can create a password for the superuser account allowing you to log in as root with su, it's worth mentioning that this isn't the usual way of doing things with Ubuntu (or increasingly, other distributions as well). Ubuntu chose not to give a root login and password by default for a reason. Instead, a default Ubuntu install will use sudo to give superuser privileges. In a default Ubuntu install the person who installed the OS is given "sudo" permission by default.

Anybody with full "sudo" permission may perform something "as a superuser" by pre-pending sudo to their command. For instance, to run apt-get dist-upgrade as a superuser, you could use:

sudo apt-get dist-upgrade

You will see this usage of sudo pretty much anywhere you read a tutorial about Ubuntu on the web. It's an alternative to doing this:

su
apt-get dist-upgrade
exit

With sudo, you choose in advance which users have sudo access. There is no need for them to remember a root password, as they use their own password. If you have multiple users, you can revoke one's superuser access just by removing their sudo permission, without needing to change the root password and notify everyone of a new password. You can even choose which commands a user is allowed to perform using sudo and which commands are forbidden for that user. And lastly, if there is a security breach it can in some cases leave a better audit trail showing which user account was compromised.

Sudo makes it easier to perform a single command with superuser privileges. With su, you permanently drop to a superuser shell which must be exited using exit or logout. This can lead to people staying in the superuser shell for longer than necessary just because it's more convenient than logging out and in again later.

With sudo, you still have the option of opening a permanent (interactive) superuser shell with the command:

sudo su

... and this can still be done without any root password, because sudo gives superuser privileges to the su command.

And similarly, instead of su - for a login shell you can use sudo su - or its shortcut sudo -i.

However, when doing so you just need to be aware that you are acting as a superuser for every command. It's a good security principle not to stay as a superuser for longer than necessary, just to lessen the possibility of accidentally causing some damage to the system (without it, you can only damage files your user owns).

Just to clarify, you can, if you choose, give the root user a password allowing logins as root as described in @Oli's answer, if you specifically want to do things this way instead. I just wanted to let you know about the Ubuntu convention of preferring sudo instead and let you know that there is an alternative.


2. The problems with your chmod 777 -R command

Your question also has a second part to it: your issues with the command sudo chmod 777 -R foobs.

Firstly, the following warning indicates a potentially serious security issue on your machine:

sudo: /var/lib/sudo writable by non-owner (040777), should be mode 0700

This means that at some stage, you've set /var/lib/sudo to be world-writable. I imagine you've done this at some stage using a command like sudo chmod 777 -R /. Unfortunately, by doing this you've probably pretty much broken all file permissions throughout your system. It's unlikely that this will be the only important system file whose permissions have been changed to be world-writable. Essentially you have an easily hackable system now, and the only easy way to get it back would be to re-install.

Secondly, the command you were using:

sudo chmod 777 -R foobs

When manipulating files within your home directory, in this case in ~/Desktop, you should not have to use sudo. All the files you create in your home directory should be modifiable by you anyway (and if not, something funny is going on).

Also, you need to be fully aware of the consequences of changing file permissions en masse, such as doing it recursively or on a huge number of files. In this case, you're changing carefully set up file permissions to be world-writable. Any other user, or any buggy server software on the machine, may have easy access to overwrite all of these files and directories.

It's almost certain that chmod 777 -R [dir] is not an appropriate solution for whatever problem you were trying to solve (and as I mentioned above, there is evidence that you have done it to system files in /var/lib too, and I assume to lots of other places).

A couple of basic rules of thumb:

  • If you're just messing with your own files in your home directory, desktop etc, you should never need to use sudo or superuser rights. If you do, it's a warning sign that you're doing something wrong.

  • You should never manually modify system files owned by packages. Exception: unless you're doing it specifically in ways documented by those packages, such as by modifying their configuration in /etc. This applies also to changing file permissions. If a tutorial or attempt to fix the problem requires sudo or superuser rights, and it's not simply a change to a configuration in /etc/, it's a warning sign that you're doing something wrong.
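
An added example, not part of the original answer: a small shell audit that repeats the check behind sudo's warning (actual mode against expected mode) and lists world-writable files and directories under a tree. The helper names check_mode and list_world_writable are hypothetical, the demo tree is constructed in a temporary directory, and GNU stat and find as shipped on Ubuntu are assumed.

```shell
#!/bin/sh
# Added example: audit permissions the way sudo's warning does.
# check_mode and list_world_writable are hypothetical helper names.

# Report whether TARGET has exactly the EXPECTED octal mode (e.g. 700).
# Returns 0 on match, 1 on mismatch, 2 if the path cannot be examined.
check_mode() {
    target=$1
    expected=$2
    actual=$(stat -c '%a' -- "$target") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $target mode $actual"
    else
        echo "BAD  $target mode $actual, should be $expected"
        return 1
    fi
}

# List regular files and directories under DIR that any user may write to.
# Symlinks are skipped (their own mode bits carry no meaning) and sticky
# directories such as /tmp are skipped because 1777 is their intended mode.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        -print 2>/dev/null
}

# Demo on a constructed tree; nothing on the real system is touched.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/lib/sudo" "$t/tmp"
    : > "$t/var/lib/sudo/ts"
    chmod 0700 "$t/var/lib/sudo"
    chmod 0600 "$t/var/lib/sudo/ts"
    chmod 1777 "$t/tmp"
    check_mode "$t/var/lib/sudo" 700            # intended state
    chmod -R 777 "$t/var"                       # the recursive chmod at issue
    check_mode "$t/var/lib/sudo" 700 || true    # now reported as BAD
    list_world_writable "$t"                    # everything under var/ shows up
    rm -rf "$t"
}
demo
```

On a real machine, `check_mode /var/lib/sudo 700` reproduces the warning's check, and running `list_world_writable` as root over /etc, /usr and /var shows how far a recursive chmod 777 has spread.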


By default, the superuser (root) account is disabled and doesn't have any password. You can create one by running:

$ sudo passwd root

You will then be able to log in as root by running su using this password.

As for chmod, the correct command would be:

$ chmod 777 -R foobs

You can also use:

$ sudo -i

to log in as root using your password (without creating a root password as described above).