Image
Linux superuser access, explained
Here’s how to configure Linux superuser access so that it's available to those who need it—yet well out of the way of people who don't need it.
On Linux, everything starts at "root." The hard drive has a root partition (/
), and the default initial user (at least traditionally) is root
(often referred to as the "superuser"). Historically, you used the root account to log in, create secondary "normal" users, and then mostly forget about it.
These days, though, the root user is redundant to requirements. The Anaconda installer can create an initial user for you, and then you can perform "superuser" tasks with the sudo
command. A computer's admin must understand how to configure superuser access so that it's well out of the way of people who don't need it and available to those who require it.
Lock root at installation
An attacker with enough knowledge to attempt a break-in also knows that every Unix and Linux system once had a user called root
. That's one less guess an attacker must make when attempting unauthorized entry into a system. Locking down the root account is a significant foil to uninvited guests.
During installation, you have the option to lock the root account.
Locking the root account prevents you from logging in as the root user. If you do that, grant the user you create administrative privileges during user creation.
Making the user an admin adds that user to the special wheel
group. By default, members of wheel
can run any command with sudo
with, essentially, root privilege. It seems nearly the same as using su
to switch to the superuser account, but there are safeguards and advantages to sudo
.
[ Free download: Advanced Linux commands cheat sheet. ]
Disable root
If you didn't lock the root account during installation, or if you're unsure, then you can disable the root account later, as long as you have administrative privileges. If you don't, then use the root account to add your user to the sudoers file and then use sudo
to disable root.
To disable root, set the root shell to /sbin/nologin
:
$ sudo sed -i 's_root:/bin/bash_root:/sbin/nologin_' /etc/passwd
Test your change by attempting to switch to the superuser account with su
:
$ sudo su -
[sudo] password for tux:
This account is currently not available.
Delegate administration
The su
command uses an all-or-nothing model. If you have the password for root, you get all the power. If you don't have the password, you have no admin power. The problem with this approach is that a sysadmin must choose between handing over the master key to the system and withholding the key and all control of the system. That's not always what you want. Sometimes you want to delegate.
Suppose you want to grant a user permission to run a specific application, such as the groupadd
command, that usually requires administrative permissions. You don't want to give this user permission to do any administrative task. You just want to allow them to create new groups.
To grant selective privileges to a single command or a group of commands, edit /etc/sudoers
with the visudo
command. The visudo
command assumes you want to edit text with vi
but also allows you to override that default by setting the variable EDITOR
:
$ sudo EDITOR=nano visudo
Find the section of the sudoers file defining command permissions, and add the user and command you want to allow. For instance, to permit the user shadowman
to run the groupadd
command:
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
# root ALL=(ALL) ALL
shadowman ALL=/sbin/groupadd
Test it out by switching to that user's account and running the command:
$ su - shadowman
Password:
$ sudo groupadd qa
[sudo] password for shadowman:
$ sudo ls
Sorry, user bogan is not allowed to execute '/bin/ls'
as root on darkstar.sysadmin.local.
Sudo aliases
You can create aliases in the sudoers file to group hosts, commands, and users together. You could have, for instance, an admin group that could use commands such as useradd
, groupadd
, and usermod
, and a software group that could use commands like dnf
and rpm
.
[ Free online course: Red Hat Enterprise Linux technical overview. ]
The sudoers file provides example syntax, but here's an example of allowing all users in the Unix group softadmins
to run all commands in the sudoer alias SOFTWARE
:
## Installation and management of software
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm
softadmins ALL=SOFTWARE
Protect your admin privileges
Everything from mission-critical machines to computers with customer data, and even your own humble personal laptop, are too important to casually lend the keys out to anyone who needs an escalation of privilege. Disable the root account to avoid broad permission escalation, and use the sudo
command and a well-tended sudoers file to manage who can manage your computers.
Image
Interrupting the boot process is useful for troubleshooting and maintenance, but make sure you enable full disk encryption first.
Image
Swap your old Linux commands for new and improved alternatives that provide the same functionality, if not more.
Image
Learn how to schedule timed shutdowns and reboots with systemd and to hibernate your system with systemctl.
Seth Kenlon
Seth Kenlon is a UNIX geek and free software enthusiast. More about me