RHCSA Rapid Track
Escalate privilege to run commands as the superuser.
Objectives
After completing this section, students should be able to run commands as the superuser to administer a Linux system.
The root user
Most operating systems have some sort of
superuser, a user that has all power over
the system. This user in Red Hat Enterprise Linux is the root user.
This user has the power to override normal privileges on the
file system, and is used to manage and administer the system.
In order to perform tasks such as installing or removing software
and to manage system files and directories, a user must escalate
privileges to the root user.
Most devices can only be controlled by root, but
there are a few exceptions. For instance, removable devices,
such as USB devices, are allowed to be controlled by a normal user.
Thus, a non-root user is allowed to add and remove files and
otherwise manage a removable device, but only root is allowed
to manage "fixed" hard drives by default.
This unlimited privilege, however, comes with responsibility.
root has unlimited power to damage the system: remove
files and directories, remove user accounts, add backdoors, etc.
If the root account is compromised, someone else
would have administrative control of the system.
Throughout this course, administrators will be encouraged to log in
as a normal user and escalate privileges to root
only when needed.
The root account on Linux is roughly equivalent
to the local Administrator account on Windows. In Linux, most
system administrators log into an unprivileged user account
and use various tools to temporarily gain root privileges.
Warning
One common practice on Windows in the past is for the local Administrator
user to log in directly to perform system administrator duties.
However, on Linux, it is recommended that system administrators
should not log in directly as
root. Instead, system administrators should
log in as a non-root user, and use other mechanisms
(su, sudo,
or PolicyKit, for example) to temporarily
gain superuser privileges.
By logging in as the administrative user, the entire desktop environment unnecessarily runs with administrative privileges. In that situation, any security vulnerability which would normally only compromise the user account has the potential to compromise the entire system.
In recent versions of Microsoft Windows, Administrator disabled by default, and features such as User Account Control (UAC) are used to limit administrative privileges for users until actually needed. In Linux, the PolicyKit system is the nearest equivalent to UAC.
Switching users with su
The su command allows a user to switch to a different user account. If a username is not specified, the root account is implied. When invoked as a regular user, a prompt will display asking for the password of the account you are switching to; when invoked as root, there is no need to enter the account password.
su [-] <username>
[student@desktopX ~]$su -Password:redhat[root@desktopX ~]#
The command su username
starts a non-login shell, while the command
su - username
starts a login shell. The main distinction is su - sets up the shell environment as if this were a clean login as that user, while su just starts a shell as that user with the current environment settings.
In most cases, administrators want to run su - to get the user's normal settings. For more information, see the bash(1) man page.
Note
The su command is most frequently used to get a command line interface (shell prompt)
which is running as another user, typically root. However, with the -c
option, it can be used like the Windows utility runas to run an arbitrary program as
another user. See info su for details.
Running commands as root with sudo
Fundamentally, Linux implements a very coarse-grained permissions model:
root can do everything, other users can do nothing
(systems-related). The common solution previously discussed is to allow standard users to
temporarily “become root” using the
su command. The disadvantage is that while
acting as root, all the privileges (and
responsibilities) of root are granted. Not
only can the user restart the web server, but they can also remove
the entire /etc directory. Additionally, all users requiring superuser privilege in this manner must know the root password.
The sudo command allows a user to be permitted to run
a command as root, or as another user, based on settings in the
/etc/sudoers file. Unlike other tools such as
su, sudo requires users to enter
their own password for authentication, not the password of the account
they are trying to access. This allows an administrator to hand out
fine-grained permissions to users to delegate system administration
tasks, without having to hand out the root password.
For example, when sudo has been configured to allow the user student to run the command usermod as root, student could run the following command to lock a user account:
[student@serverX ~]$sudo usermod -Lusername[sudo] password for student:password
One additional benefit to using sudo is that all commands executed using sudo are logged by default to /var/log/secure.
[student@serverX ~]$ sudo tail /var/log/secure
...
Feb 19 15:23:36 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/sbin/usermod -L student
Feb 19 15:23:36 localhost usermod[16325]: lock user 'student' password
Feb 19 15:23:47 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/tail /var/log/secure
In Red Hat Enterprise Linux 7, all members of group wheel can use sudo to run commands as any user, including root. The user will be prompted for their own password. This is a change from Red Hat Enterprise Linux 6 and earlier. Users who were members of group wheel did not get this administrative access by default in RHEL 6 and earlier.
To enable similar behavior on earlier versions of Red Hat Enterprise Linux, use visudo to edit the configuration file and uncomment the line allowing the group wheel to run all commands.
[root@desktopX ~]#cat /etc/sudoers...Output omitted... ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ...Output omitted...
Warning
RHEL 6 did not grant group wheel any special privileges by default.
Sites which have been using this group may be surprised when RHEL 7 automatically
grants all members of wheel full sudo privileges.
This could lead to unauthorized users getting superuser access to RHEL 7 systems.
Historically, membership in group wheel has been used by Unix-like
systems to grant or control superuser access.
Most system administration applications with a GUI
use PolicyKit to prompt users for
authentication and to manage root access. In Red Hat Enterprise Linux 7,
PolicyKit may also prompt members of group wheel
for their own password in order to get root
privileges when using graphical tools.
This is similar to the way in which
they can use sudo to get those privileges at the shell prompt.
PolicyKit grants these privileges based on its own
configuration settings, separate from sudo.
Advanced students may be interested in
the pkexec(1) and polkit(8) man pages for details
on how this system works, but it is beyond the scope of this course.
References
su(1), visudo(8) and sudo(8) man pages
info libc (GNU C Library Reference Manual)
Section 29.2: The Persona of a Process
(Note that the glibc-devel package must be installed for this info node to be available.)