Difference between root account and administrative account
Disabling root
You have to have a root account. The only things you can do with it, in terms of "disabling" it, are:
Lock the account
$ sudo passwd -l root
Give root an unusable password
$ sudo usermod -p '!' root
sudo - as user root
Remember that when a user with "administrative privileges" is making use of sudo they're running commands with elevated privileges as the user root!
You can see that this is true with a simple ps command:
$ sudo sh -c "ps -eaf | grep [s]udo"
root 2625 26757 0 04:19 pts/10 00:00:00 sudo sh -c ps -eaf | grep [s]udo
The above shows that when the ps command is executed, you're effectively the user root.
Booting
Also, when booting into a system in single user mode (from GRUB), you'll need to log in using the root account. Typically you're passing either the word single to GRUB or the number 1.
What sudo permissions do I have?
On a system where one has been given sudo permissions you can use the command sudo -l to see what rights you do have. These are not a complete set of everyone's rights, just the user that's running the command.
For example:
$ sudo -l
Matching Defaults entries for saml on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User saml may run the following commands on this host:
(ALL) ALL
(root) NOPASSWD: /usr/lib/jupiter/scripts/bluetooth, (root) /usr/lib/jupiter/scripts/cpu-control, (root)
/usr/lib/jupiter/scripts/resolutions, (root) /usr/lib/jupiter/scripts/rotate, (root) /usr/lib/jupiter/scripts/touchpad, (root)
/usr/lib/jupiter/scripts/vga-out, (root) /usr/lib/jupiter/scripts/wifi
NOTE: The commands one's been granted access to are everything after the line, "User saml may run the following ....".
Limiting access via sudo
Sudo has a fairly rich facility for limiting access to specific commands, groups of commands, specific users, and/or specific groups of users. There are some caveats however with sudo.
You can grant full access to everything with this line in /etc/sudoers:
aaditya ALL=(ALL) ALL
You could also give a user what appears to be simple access to vim certain files:
aaditya ALL=/usr/bin/vim
This would be a huge mistake however, since many editors such as vim allow you to invoke a subshell from within them. So the user aaditya would be able to gain access to a shell with root permissions, even if the sudo permissions didn't intend for that to happen.
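An added example, not part of the original answer: a small audit that reads sudoers-style rules and flags the two grants shown above, full (ALL) access and an editor or pager that can spawn a subshell, while accepting the same program under a NOEXEC tag or a sudoedit rule. The sample rules (including the users bob, carol and dave) are constructed, the ESCAPE_CAPABLE list is illustrative rather than complete, and the parser assumes simple one-line user rules without aliases or line continuations.

```python
import os
import re

# Illustrative, non-exhaustive list (an assumption of this example) of
# programs that can start a shell or run other commands from inside.
ESCAPE_CAPABLE = {"vi", "vim", "view", "emacs", "less", "more", "man"}

# Constructed sample rules, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample
aaditya ALL=(ALL) ALL
aaditya ALL=/usr/bin/vim
bob ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/hosts
dave ALL=(root) sudoedit /etc/hosts
"""

RUNAS = re.compile(r"^\([^)]*\)\s*")   # leading "(root)" or "(ALL)"
TAG = re.compile(r"^([A-Z_]+):\s*")    # leading "NOPASSWD:", "NOEXEC:", ...

def audit(text):
    """Return (line number, user, command, reason) for each risky grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (not line or line.startswith(("#", "Defaults"))
                or "_Alias" in line or "=" not in line):
            continue
        who, specs = line.split("=", 1)
        user = who.split()[0]
        noexec = False  # tags carry over to later commands in the same rule
        for spec in specs.split(","):
            spec = RUNAS.sub("", spec.strip())
            while (m := TAG.match(spec)):
                if m.group(1) in ("NOEXEC", "EXEC"):
                    noexec = m.group(1) == "NOEXEC"
                spec = spec[m.end():]
            if not spec:
                continue
            command = spec.split()[0]
            if command == "ALL":
                findings.append((lineno, user, command, "unrestricted"))
            elif os.path.basename(command) in ESCAPE_CAPABLE and not noexec:
                findings.append((lineno, user, command, "shell-escape"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding)
```

NOEXEC relies on the dynamic linker, so it does not restrain statically linked programs; for "edit this one file" grants, a sudoedit rule avoids running the editor as root at all.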