I installed Ubuntu on my PC. To log in, I use the username and password I created during installation. Does this mean I am a root user? If yes, then how do I become non-root? It looks like non-root user is more secure than admin user.
Ubuntu – How to NOT become a root user? Are administrators root
administrator privileges root sudo users
Related Solutions
What Would Happen
If you configure your system so that no users are administrators, then no one will be able to perform administrative tasks as root with sudo (or its graphical frontends, such as gksu, gksudo, and kdesudo) or PolicyKit. Assuming the root account remains disabled, you will not be able to log in as root (even from a virtual console) or su-to-root either. Barring possible security vulnerabilities, this would prevent anyone from performing administrative tasks in the running system.
Fixing the Problem
However, if you did this, the problem would still be easily fixed, assuming you have physical access to the machine. Fixing this problem is similar to resetting a forgotten password, except you add the user to the sudo and/or admin groups with usermod, rather than resetting their password with passwd.
Here's one method:
1. Boot into recovery mode by holding Shift while booting and selecting it. Select the option for a root shell. You'll get a shell with a # prompt (rather than the usual $). This means it's a root shell. Any command you run here is run as root.
2. If you know your username, skip this step. To find out your username, run ls /home. This is a pretty reliable way to list the usernames of the human users of your system (while omitting user accounts like www-data and nobody which are used internally but don't represent real people).
3. Run these commands to add username to the necessary group(s) to be an administrator. (Replace username with the actual username.)
    usermod -a -G sudo username
    usermod -a -G admin username
   This separately attempts to add the user to the sudo and admin groups. In Ubuntu releases up to Ubuntu 11.10, administrators were in the admin group. In Ubuntu 12.04 (and in future releases), administrators are in the sudo group; if a 12.04 system was upgraded from a previous release, both groups will exist.
   So you can put the user in just one, if you know which one, or you can just run those two commands and put them in whichever exists. I advise doing this with two commands so that if one group doesn't exist, the error doesn't stop usermod from attempting to add the user to the other group.
Recovery mode is usually accessible. But occasionally it may be broken, disabled, or require a password, in which case you can boot from a live CD, chroot into the installed system, and run the usermod commands. Here's a procedure for doing that, adapted from my considerably more general answer here:
1. If you don't already have one, burn an Ubuntu live CD/DVD (on Ubuntu, Windows, or Mac OS X) or write an Ubuntu live USB flash drive (on Ubuntu, Windows, or Mac OS X).
2. In your Ubuntu system (not the live CD/DVD/USB system), run the following command in the Terminal (Ctrl+Alt+T). You do not need to be an administrator to do this.
    mount | grep ' on / '
   You should include the spaces before on and after /.
   That command produces something like
    /dev/sda1 on / type ext4 (rw,errors=remount-ro,commit=0)
   as the output. The text before on (not including the space) is the device name of the partition that contains your Ubuntu system's root filesystem. Remember it (or write it down).
3. Boot the computer from the live CD/DVD/USB and select Try Ubuntu without installing (not Install Ubuntu).
4. Run these commands, replacing /dev/sda1 with the device name of the partition containing your Ubuntu system's root filesystem, if different (and username with the name of the user account you wish to give administrative abilities).
    sudo mount /dev/sda1 /mnt
    sudo chroot /mnt
    usermod -a -G sudo username
    usermod -a -G admin username
    exit
    sudo umount /mnt
   As with the other method, you can use ls /home (run this after the chroot command) to see a list of users on the machine, if you don't know the username.
Alternatives to Eliminating Administrators
On Ubuntu, when you're an administrator, you still need to authenticate with sudo or PolicyKit to perform actions as root. This is considered to be at least as secure as using su to perform actions as root, since anyone who can compromise your account in such a way as to read your own password (for sudo) can also read root's password (for su). Furthermore, there are some substantial advantages (explained here) of sudo over su, and enabling the root account, while quite possible, is neither recommended nor officially supported in Ubuntu.
If you decide that even though sudo and PolicyKit require your password to perform actions as root, you still want yourself and all other human users on your machine to run as a standard user (and not as an administrator who can run commands as root), you have two easy options:
- You can enable the root account, but this is discouraged as explained above. Also, by default you will not be able to log in to a graphical session as root, and you should not configure your system to allow this, as it's particularly dangerous to run an entire graphical desktop environment as root (a security bug in any part of it could compromise your system). Also, most GUI programs are not tested as root so there may be substantial usability bugs. If you do enable root, you should only ever log on as root from a virtual console (or use su).
- The better option is to just create another user account for administrative purposes. Make this account an administrator. Having a non-root account that can perform administrative tasks with sudo and PolicyKit does not force you to use that account for day-to-day, non-administrative tasks.
However, most users are best off with the default--where at least one user account is an administrator and can perform administrative tasks, but must (re)enter their password to do so.
Ahmm.. the problem is that the standard shell of those users is normally set to /bin/false and for security reasons you should not change this. But you can still run for example: sudo -u www-data /bin/sh
Best Answer
You are an administrator, but not root. The root user can do anything. Administrators can perform actions as root, but ordinarily what administrators do is not done by root. That way, you have full control over your own system, but only when you choose to use it.
Ubuntu asks for your password when you try to do stuff as root, to make sure it's really you.
User Accounts: Human, and Otherwise
Real human users have user accounts to represent them. You created one such account when you installed Ubuntu. But not all user accounts represent real human users.
Real human users are granted (and denied) abilities through their user accounts. They must use their user accounts to use the system; therefore, their user accounts' abilities and limitations apply to them.
User accounts are also used to codify sets of abilities and limitations. Some user accounts--most, actually, unless you have many human users of the machine--exist so that certain programs or commands can be run with their identity, an identity with the right abilities and limitations for the job.
For example, the www-data user exists so that if you run a web server, it owns the data the server makes accessible. No real human user has to be empowered to make unchecked changes to those data, and the web server doesn't have to be empowered to perform any action unnecessary for serving the web. Consequently, both the web data and the rest of the system are more secure against accidental or intentional breakage, than if the web server were run by some human user who would have all the powers of the web server (and whose powers the web server would possess).
The Most Important Non-Human User Account
The superuser, whose username is root, is a non-human user account with a very specific combination of abilities and limitations: all abilities, and no limitations.
root's allowed to do anything. There are still things root cannot do because the system itself cannot perform or make sense out of them. So root cannot kill a process that is in uninterruptible sleep, or make a rock too heavy to move, then move it.
Many important system processes, like init, run as root, and root is used for performing administrative tasks.
Can I log in as root?
It's possible to configure the root account so it's possible to log in with a password, but this is not enabled by default in Ubuntu. Instead, you can think of root as being like www-data, lp, nobody, and other non-human accounts. (Run cat /etc/passwd or getent passwd to see them all.)
Human users log in with their own user accounts, and then if some task is to be performed with another user account, they cause that task to be performed with that identity, without actually having logged in as that user.
It's possible to configure the other non-human users, like www-data, so one can log in as them, too. That's quite rare, though, whereas in some other Unix-like OSes it's common to log in as root in a terminal. The risks of running a whole graphical interface as root, combined with how many graphical programs are not designed to run as root and may not work properly, mean that you should never attempt to get a root-owned desktop session.
Please note that while logging in as root is disabled by default in Ubuntu, there are ways to get a root shell without authenticating as root, which produce a similar effect: the most common are sudo -s or -i, recovery mode and similar techniques. (Don't worry if you don't know what those things are.) This is not actually logging in: in recovery mode, you become root before any login would occur; with the sudo-based methods, you're just running a shell as root.
Administrators
In Ubuntu, administrators are the users who can do whatever they want as root, when they choose to do so.
System Settings > User Accounts. "Eliah Kagan" is an administrator, so he can do stuff as root, but he is not root.
I'm an administrator on my Ubuntu system. When I run programs, ordinarily they run as ek ("Eliah Kagan" is the full name that corresponds to the ek username.)
When I run AbiWord or LibreOffice, it runs as ek. When I run Firefox, Chromium, Empathy, or Pidgin, it runs as ek. The programs that run to provide the desktop interface run as ek.
However, I am an administrator, so if I need to perform an administrative task, I can do so.
sudo
On the command line, I would ordinarily use sudo to run a command as root:
This will prompt me for my password. (Not root's password; root does not have one.)
root. In the default configuration, I must enter my password to do this.
root, even by putting in their password.
sudo commands will fail if the user running them is not an administrator.
Because administrators are perfectly ordinary users except for the ability to perform actions as root, running a command requiring root privileges will still fail, except when the command is run as root.
Screenshot illustrating the need to use sudo to perform administrative tasks. (Based on "Sandwich" by Randall Munroe.)
sudo, Graphically
Graphical programs can run as root through graphical frontends for sudo, such as gksu/gksudo and kdesudo. For example, to run GParted as root I could run gksudo gparted. Then I would be prompted graphically for my password.
Since I'm prompted graphically, there doesn't have to be a terminal. This is one of the ways administrative tools are run as root.
Polkit
Polkit (once known as PolicyKit) is another way for administrators to do things as root. A program accesses a service that performs the action. Sometimes, the action is running a whole program; sometimes the action is more limited.
These days, many graphical system administration utilities are set up to use polkit by default, rather than to use sudo.
One example of such a utility is the Software Center. It takes full advantage of polkit, requiring the user to put in their password only when they want to do something that requires root privileges. (This is possible with sudo-based authentication also, but it is harder and uglier to accomplish.)
In the Software Center, I can find and read about an application; then I'm asked for my password when I want to install it.
How polkit Is Different
Any graphical program can be run as root with gksudo and other graphical sudo frontends. (The program might not work very well, depending on whether or not it's designed to be used as root. But the command to start the program will be executed as root.)
While polkit is now more common than sudo GUI frontends as the way applications on Ubuntu perform actions as root behind the scenes, polkit will only run a graphical application as root if there is a configuration file allowing it and indicating what actions may be performed.
Polkit, Non-Graphically
pkexec is the command used to run a program with polkit.
Like sudo, pkexec can run non-graphical commands. (And it does not require a configuration file defining the command's capabilities--it simply runs the command as root.)
pkexec prompts for a password graphically, even if it is run from a Terminal (this is one of the ways its behavior is more similar to gksudo than to running straight sudo).
(If there is no GUI--for example, if you're logged in from a virtual console or text-only SSH session, or the GUI is not functioning properly--then pkexec will degrade gracefully and prompt for your password on the command line.)
Once authentication is performed successfully, the command runs in the terminal.
Running Commands as Other Users Besides root
root is special because it gets to do anything that can be done. But it's a user account like any account, and the ways of running commands as root with sudo (directly or with a graphical frontend) or polkit can be modified slightly to run a command as any other user:
What? You just type sudo first? How is that security?!
Running commands with sudo is sort of like invoking papal infallibility.
When you run a command with sudo [invoke papal infallibility], Ubuntu [Catholic folks] tries hard to make sure you're really you [really the Pope].
Yes, I know papal infallibility (even when normative) is declarative; the parallel is not perfect.
Trying to do something as root with sudo (or polkit) is a big deal--Ubuntu is not just going to let that slide by like all the other times you run a program.
You are prompted for your password. (Then, that you have done so is remembered for a short time, so you don't have to constantly enter your password as you administer your system.)
Besides reminding you to be careful, this safeguards against two scenarios:
root (which includes anything installed by the package manager, such as LibreOffice), or alter the system at a deep level.
I've heard of su. What's that? Can I use that?
su authenticates as another user, and runs a command (or starts an interactive shell). It's possible to limit who is permitted to use su, but su authenticates with the target account's password, not the password of the user running.
For example, su username -c 'command...' runs command... as username, just like sudo -u username command...
But when you run a command as username with sudo, you enter your password. When you run a command as username with su, you enter username's password.
Since su performs authentication for the target user, with su you can only run commands as users whose accounts are enabled.
The root account (like www-data and nobody) is disabled by default. There is no password that will work to log in as root. So you cannot use su to run commands as root.
You can use su to run commands as another user who can log in (which typically includes all the user accounts on your system that represent human beings).
When logged in as a guest, you cannot use su at all.
Combining su and sudo
Someone who is not an administrator can even use su to run sudo as an administrator. (This is OK though, as they need the administrator's password to run commands as the administrator.) That is, a limited user can use su to run sudo to run a command as root. This can look like:
(Running graphical programs this way requires special care.)
Wouldn't su be a more secure way to run commands as root?
Probably not.
What if a user shouldn't be allowed to act as root?
Make them a limited user instead of an administrator.
What if a program running as an administrator tries to sudo to root?
Unless you have reconfigured sudo to let it succeed without a password, it will fail.
Can't a program that shouldn't be run as root piggyback on a recent sudo command, so no password is required?
This would be very unlikely to succeed. These days, most operating systems (including Ubuntu) have sudo configured by default so that its timestamps apply only in a specific context.
For example, if I run sudo ... in one Terminal tab and authenticate successfully, sudo in another tab (or run by an unrelated GUI program, or that I run from a virtual console or SSH session) will still prompt for a password. Even if it's run immediately afterwards.
Doesn't a program running as user X have access to user X's password?
No.
If a malicious program is able to run as an administrator, can't it "listen in" to what's being typed when the administrator authenticates with sudo or polkit?
Potentially, yes. But then it could "listen in" to a password typed in for su.
If I tell someone my password—
Don't tell people your password.
What if someone has to know my password to do something on my behalf, but I don't want to let them administer the system?
Ideally, they should have a separate user account that lets them do what they need to do. For example, you can share files between accounts, allowing multiple users to write to them, while still denying access to other users.
However, in a situation where a less-trusted person may be permitted to share your account, it should be a limited user account. You could make a separate account for this purpose (which makes sense--if it's an account for you and someone else who you want to have different capabilities, it should be a different account).
So, would the most secure thing be to disallow both sudo and su and make people log in as root, manually?
No, because there are serious disadvantages associated with letting people log in as root at all. Whenever possible, the smallest number of actions possible should be undertaken as root. Even most acts relating directly to administering a system (e.g., looking at what users are configured, and reading logs) usually don't require root privileges.
Also, just as potentially a malicious program could watch what someone types when they run sudo or su, or create a fake sudo/su password prompt, potentially a malicious program could create a fake login screen, too.
What makes a user an administrator?
Group membership.
In Ubuntu 12.04 and later, administrators are members of the group called sudo.
In Ubuntu 11.10 and earlier, administrators are members of the group called admin.
When an Ubuntu system before 12.04 is upgraded to 12.04 or later, the admin group is kept for backward compatibility (and continues to confer administrative power to users in it), but the sudo group is used as well.
Limited User Accounts
Can I use a limited user account instead of an administrator account?
If you like, sure. Create a limited user account in System Settings > User Accounts, and log in as that user.
Can I make my administrator account a limited user account?
Yes, just remove it from the sudo and admin groups (see above).
But you should make sure there is at least one other administrator account, so you can administer your system. If there is not, then you'd have to boot to recovery mode or a live CD and make some user an administrator again. (This is similar to resetting a lost administrator password.)
Graphical tools for administering users and groups will usually keep you from creating a system with no administrators, or at least warn you. Command line tools typically will not (trusting that you know what you're doing).
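The group-membership rule and the advice to keep at least one other administrator, together with the no-administrators situation the first answer repairs, as an added example that is not part of either answer: a shell check over a file in /etc/group format that lists the administrators and refuses to demote the last one. The function names, the users alice and bob, and the group file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on any file in /etc/group format (name:passwd:gid:members).

# Constructed sample: a system upgraded from 11.10, so both groups exist.
sample_group() {
    cat <<'EOF'
root:x:0:
adm:x:4:syslog,ek
sudo:x:27:ek
www-data:x:33:
admin:x:110:ek,alice
bob:x:1002:
EOF
}

# Which of the two administrator groups exist in this group file?
admin_groups_present() {
    awk -F: '$1 == "sudo" || $1 == "admin" { print $1 }' "$1"
}

# Print every administrator once: members of sudo and/or admin.
list_admins() {
    awk -F: '($1 == "sudo" || $1 == "admin") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (!(m[i] in seen)) { seen[m[i]] = 1; print m[i] }
    }' "$1"
}

# is_admin USER GROUPFILE: succeed if USER is an administrator.
is_admin() {
    list_admins "$2" | awk -v u="$1" '$0 == u { f = 1 } END { exit !f }'
}

# can_demote USER GROUPFILE: succeed only if some other administrator
# would remain after USER is removed from both groups.
can_demote() {
    [ -n "$(list_admins "$2" | awk -v u="$1" '$0 != u')" ]
}

# Demo on the constructed sample and on a single-administrator system.
demo() {
    two=$(mktemp) && one=$(mktemp) || return 1
    sample_group > "$two"
    printf 'sudo:x:27:ek\n' > "$one"
    echo "groups present: $(admin_groups_present "$two" | tr '\n' ' ')"
    echo "administrators: $(list_admins "$two" | tr '\n' ' ')"
    for f in "$two" "$one"; do
        if can_demote ek "$f"; then
            echo "ek can be made a limited user"
        else
            echo "ek is the last administrator; keep or add another first"
        fi
    done
    rm -f "$two" "$one"
}

demo
```

On a real system, pass /etc/group as the file argument. An account whose primary group is sudo or admin does not appear in the member field and would be missed by this check.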