Linux superuser access, explained
Here’s how to configure Linux superuser access so that it's available to those who need it—yet well out of the way of people who don't need it.
On Linux, everything starts at "root." The hard drive has a root partition (
/), and the default initial user (at least traditionally) is
root (often referred to as the "superuser"). Historically, you used the root account to log in, create secondary "normal" users, and then mostly forget about it.
These days, though, the root user is redundant to requirements. The Anaconda installer can create an initial user for you, and then you can perform "superuser" tasks with the
sudo command. A computer's admin must understand how to configure superuser access so that it's well out of the way of people who don't need it and available to those who require it.
Lock root at installation
An attacker with enough knowledge to attempt a break-in also knows that every Unix and Linux system once had a user called
root. That's one less guess an attacker must make when attempting unauthorized entry into a system. Locking down the root account is a significant foil to uninvited guests.
During installation, you have the option to lock the root account.
Locking the root account prevents you from logging in as the root user. If you do that, grant the user you create administrative privileges during user creation.
Making the user an admin adds that user to the special
wheel group. By default, members of
wheel can run any command with
sudo with, essentially, root privilege. It seems nearly the same as using
su to switch to the superuser account, but there are safeguards and advantages to
[ Free download: Advanced Linux commands cheat sheet. ]
If you didn't lock the root account during installation, or if you're unsure, then you can disable the root account later, as long as you have administrative privileges. If you don't, then use the root account to add your user to the sudoers file and then use
sudo to disable root.
To disable root, set the root shell to
$ sudo sed -i 's_root:/bin/bash_root:/sbin/nologin_' /etc/passwd
Test your change by attempting to switch to the superuser account with
$ sudo su -
[sudo] password for tux:
This account is currently not available.
su command uses an all-or-nothing model. If you have the password for root, you get all the power. If you don't have the password, you have no admin power. The problem with this approach is that a sysadmin must choose between handing over the master key to the system and withholding the key and all control of the system. That's not always what you want. Sometimes you want to delegate.
Suppose you want to grant a user permission to run a specific application, such as the
groupadd command, that usually requires administrative permissions. You don't want to give this user permission to do any administrative task. You just want to allow them to create new groups.
To grant selective privileges to a single command or a group of commands, edit
/etc/sudoers with the
visudo command. The
visudo command assumes you want to edit text with
vi but also allows you to override that default by setting the variable
$ sudo EDITOR=nano visudo
Find the section of the sudoers file defining command permissions, and add the user and command you want to allow. For instance, to permit the user
shadowman to run the
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## user MACHINE=COMMANDS
## The COMMANDS section may have other options added to it.
## Allow root to run any commands anywhere
# root ALL=(ALL) ALL
Test it out by switching to that user's account and running the command:
$ su - shadowman
$ sudo groupadd qa
[sudo] password for shadowman:
$ sudo ls
Sorry, user bogan is not allowed to execute '/bin/ls'
as root on darkstar.sysadmin.local.
You can create aliases in the sudoers file to group hosts, commands, and users together. You could have, for instance, an admin group that could use commands such as
usermod, and a software group that could use commands like
[ Free online course: Red Hat Enterprise Linux technical overview. ]
The sudoers file provides example syntax, but here's an example of allowing all users in the Unix group
softadmins to run all commands in the sudoer alias
## Installation and management of software
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm
Protect your admin privileges
Everything from mission-critical machines to computers with customer data, and even your own humble personal laptop, are too important to casually lend the keys out to anyone who needs an escalation of privilege. Disable the root account to avoid broad permission escalation, and use the
sudo command and a well-tended sudoers file to manage who can manage your computers.
Interrupting the boot process is useful for troubleshooting and maintenance, but make sure you enable full disk encryption first.
Swap your old Linux commands for new and improved alternatives that provide the same functionality, if not more.
Learn how to schedule timed shutdowns and reboots with systemd and to hibernate your system with systemctl.