From Mageia wiki
Jump to: navigation, search


Drakconf multiflag.png
Other languages
English ; français ; Portuguese (Portugal) ; Türkçe ;
this page is a draft.
It requires improvements. If you want to improve it, simply log in and click on the Edit tab.

Please remove this {{Draft}}template, when you're sure the page is complete and correct.


View the other draft pages, or other pages to improve and maintain.
This was imported from Mandriva wiki licensed under CC-By-SA 2.5




Introducing 'root'

Unix and its clones and derivatives, including Linux, have been designed as multi-user systems. This is inevitable since in the days when Unix was designed, personal computers simply didn't exist. A network structure consisted of a server, the mainframe, to which the clients connected via 'dumb' terminals.

A centralized and shared resource requires someone to maintain it - the system administrator, also known as 'superuser', or 'root'. The account name 'root' for this function is customary, but not obligatory. Possibly it stems from the fact that 'root' is the only account that has write permissions on the '/' (or 'root') directory, which is the root of the file system (thus the name). 'root's power does not come from its name but from its user ID, which is '0':

# echo $UID
0

This command reads the contents of the environment variable $ UID, which houses the digital identifier of the current user (the "current" user as they say in computing).

The file /etc/passwd always assigns the UID (User ID) 0 root the superuser, as you can verify this:

# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

The system file /etc/passwd contains one row for each system user. Each line consists of "c ȟ amps" separated by colons. The first field contains the user name (root here) and his third field numeric identifier (UID), here 0).

The system file /etc/passwd contains one row for each system user. Each line consists of "c ȟ amps" separated by colons. The first field contains the user name (root here) and his third field numeric identifier (UID), here 0).

The system of permissions for files on Unix has been programmed to limit access for normal users to system files while leaving the account holder of the master root permissions on all files. Since everything in GNU/Linux is from files, root has total power over the whole system.

Using root can be harmful

It is very tempting for novice users in a Unix system, especially those who are accustomed to operating systems (OS) do not manage permissions system to override this system by connecting the outset as root and stay there. This approach would give you only a momentary relief! There are indeed many good and excellent reasons, you must learn to know to make your daily work on the system with a single user account. root, meanwhile, is the system administrator account.

Well, it may seem surprising at first, but listen to me carefully: you can crash brilliantly with any operating system. Designers and system developers are doing their best to stop you. But these mechanisms only work if you use the system as it should. Designers of operating systems like Unix assume that the root user knows exactly what he does. Remember when Unix was designed, the directors were the masters of vast networks at a time when ordinary people had never heard of computers. For the root user, there is no safety net, no message like "Are you really sure you want to do this?", nor automatic backups. If you crash as root, you actually crash the whole system.

Warning!

"Here's a little story. Imagine that you have the sendmail.cf file in /etc. That was my case, I was working on sendmail and I wanted to get rid of a number of sendmail.cf.xxx files. I then used the rm command by typing this:

rm -f sendmail.cf. *

At first, I was surprised how long it was to erase the unhappy ten files. I stopped the action and when I saw what had happened, it was already too late." (Richard Eiger in comp.unix.admin)

You've understood?

The author of this story wanted to type rm -f sendmail.cf.*, but the extra space between the latter and the asterisk has transformed what was typed into a command requesting to delete not only the sendmail.cf file, but also all other files in the root directory of the current directory, in this case, was the /etc directory containing all the system configuration files...

You are a lot more likely to damage a Unix system by using it as root, as in our example, that in a family of Win32 operating systems. Insofar as the designers of the OS knew that there was no permission in that way, they have therefore developed other methods to protect you and your system.


Note:
Working more often with your normal user account rather than using root protects you against attackers acting on the canvas or malicious users or clumsy, but also against yourself!


This is not Unix!

What's the point in using a different operating system when you just make it act like the one you already know? Apart from the fact that this strategy won't work anyway, what do you do if you're on a different Unix-like system and don't have the possibility to become root? You will never feel at home as long as you don't accept that some things are done differently on Unix-like systems, and done differently for a reason, not just to annoy you (although it can pretty much look like that sometimes!)


Security

Every person who has physical access to a Unix-like computer is able to gain root access, if he gets access to the file system (e.g. floppy disk, CD-ROM drive, USB device, internet), because he can edit the '/etc/shadow' file. In this file the password for all users is stored. It can easily be edited and set to a zero password ('*'). So for perfect security, you will need to secure physical access to your computer. All processes started by 'root' have 'root' privileges, which means they can do pretty much everything they want. It doesn't even need to be a malicious program like a virus, a trojan horse or a worm to cause damage. Those are very rare in Linux (so far). Programming errors do happen, and even more so in Linux programs, which often rely on the user as an active tester, than in Windows, where testing is usually done before a product is released. This is possible because the programmers can rely on the permissions mechanism in Linux to prevent their programs from doing any real damage. If you circumvent that by starting these programs as 'root', some will say you don't have any justification to complain afterwards when your system is broken.

Furthermore, even mature programs can contain security-related programming errors (also known as 'exploits'). These errors can allow an attacker to execute commands of his own design with the permissions of the faulty program. If this program runs with 'root' privileges, you have basically handed over control of your machine to this malicious intruder.

In other words : only be root when it is absolutely necessary for the task at hand.

Note:
The latest security updates for Mageia Linux systems, designed to address vulnerabilities, are regularly made available to users. Do not ignore these resources, do your regular updates, it's so easy with Mageia after all!


Tasks requiring root privileges

Of course, there are tasks that require 'root' privileges, but these are not everyday issues. What's more, when you use tools like the Mageia Control Center, you will be prompted for the root password automatically if you are not root. And there are other tools that allow you to assume and drop 'root' privileges whenever you need to. These will be discussed in the next item.


Generally speaking, there are only two tasks that require 'root' privileges:

  • Moving files or directories into or out of system directories, copying files into system directories. Moving files out of system directories requires root privileges because the original file is deleted in the process.
    Installing software belongs here, too. RPMs usually install to system directories that are writable by root only. If you are compiling from source, you can configure most software to install and run from your user home directory, in which case you don't need 'root' privileges to install the software.
Note:
Compiling software does not require 'root' privileges when done in your home directory, and in fact, shouldn't be done as 'root' for security reasons.
  • Writing to files in system directories. This involves editing system configuration files, either by hand or by a utility, but also running programs that write output to files in system directories like 'updatedb'. Notice that many programs allow a 'per user' configuration, controlled by files in the user's home directory.
    Another case where you might need to be logged in as root is when changing permissions on files or directories you do not own.
Note:
In the case where you access files in system directories, you don't need to be root in the vast majority of cases. You can change to system directories and read most configuration files and all documentation files just fine from your user account.


Becoming root with su

To perform the administrative tasks assigned to root, it is not necessary (nor desirable, indeed!) to reconnect to the system, you just need to type :

# su -
Password :

in a window shell (console) and provide the password for root.

Once done, you are root and you can run any program as root, including the principle software with a graphical user interface (this only if you're running a graphics console, as the utility of KDE Konsole If you are in a text console accessible by <CTRL+ALT+Fn>, however, you can not run graphical applications).

You can return to your user account by hitting <CTRL+D> or by typing exit.


A practical way to avoid you opening many virtual terminals with su, is to create once and use it for all tasks requiring superuser during your work session.

Of course, you must be sure that person has physical access to your machine during this session. In addition, it is recommended to close the terminal or log out of root account when you are connected to the Internet.

su -

When you switch to root using the su command, you have probably noticed that you stay in the same working directory as before (the pwd command displays the directory "where you are") :

# pwd
/home/foo
# su
Password :
# pwd
/home/foo

If you want to have the full root environment, working directory included, when you use the su command, you just need to force the reading of configuration files for /etc/profile and ~/.Bash_profile login shells, as follows :

# pwd
/home/foo
# su -
Password :
# pwd
/root

You will then automatically in the working directory to root and, more generally, you'll be sure to have all of its environment.

Note:
Never use just su

su -c

To be completed...


su -p

To be completed...

Exit root

To exit root and become a regular user, type:

# exit

or even easier: tap the keyboard key combination <Ctrl-D>.

For security reasons, it is advisable not to leave unnecessarily open a console as a root when the machine is connected to a network including Internet.


Shuttle Express AR root <> single user

Within minutes, you think you have to use several times this root and interlard passages under your normal user identity? And you do not want to retype again and again the password (inevitably long and complex) that you assigned to root?

That is what if you want to stay on one console and minimize periods remains open a console as root.

You switch to root quite normally managed through:

# su
Password :

You make all your small business as root, and when the time came to go back to the normal user instead of typing exit (or <Ctrl-D>) as usual, you type this:

# suspend

Most often you can simply follow the addition of <Esc>, auto-completion will do the rest!

This command sets the instance of Bash launched as root sleep in the background and you're once again become a regular user.

You select as a normal user, and that you now have to switch back to root. This time you wake root by simply typing fg, which gave it to the foreground (fg = foreground):

$ fg

And you're back root. You can as many times as you want to switch from one to the other shots suspends and fg.

A graphical version of su: kdesu

kdesu is the means provided by KDE to run graphical applications with root privileges from a graphical environment.

kdesu work so from a console graphical environment, such as the Konsole utility generally present on the KDE desktop, but not in "traditional" consoles called by <CTRL+ALT+Fn>:

$ kdesu command
Note:
Also possible: kdesu -c command. To what extent the -c option is useful or necessary is not clear to us. Thank you for any info on this.


A dialog box asking you the password of root is displayed and then the program is run as root.

You can make a particular graphics program is launched automatically as root via a dialog through a menu item in the main system or an icon.

To do this, simply create an entry in the main menu or edit an existing entry. Right-click on the K Menu button, then left-click on Menu Editor. In the left window, navigate to the entry for the application you want and select (or add it if it does not). Then type: kdesu "command" in your order (substituting, of course, command the appropriate command to launch the application!) Do not forget to finish click on the Save button before leaving the Editor K-Menu, for change is well preserved.

Note that other graphical environments also use kdesu if the kdebase package is installed.

The program is based on the file. Xauthority which is located in the root directory of the user ($ HOME) to enable the root user to access the X server In the rare event that this file is corrupted, kdesu crashes. To avoid this, delete or rename the file. Xauthority and restart the system. This should recreate a file. Xauthority correct.

This program comes with a help file in French: who should be in /usr/share/doc/HTML/en/kdesu. It is in DocBook (XML). To view, use the command:

$ khelpcenter help:/kdesu

Note that the specifics of kdesu provides a conservation function, a temporary password limited to the current session. This feature is attractive but is, if you select a certain weakening of the security of your system. See discussion on this in the documentation of kdesu.


An easier su to handle : sudo

See the page Configuring sudo

Change the root password

Change the root password of a system is easy when you know that famous password. Just type passwd as root.

# passwd
Changing password for user root. New UNIX password :

When we do remember the password, it is necessary to use the method explained in the article Recover the root password.

For problems accessing root with or without a password and security issues relating to the password of root, we read with profit this forum thread Mandriva : failsafe: no more password required for root! BROKEN LINK


To be continued... To be completed...