Difference between root account and administrative account

Disabling root

You have to have a root account. The only things you can do with it, in terms of "disabling" it, are:

  1. Lock the account

    $ sudo passwd -l root
    
  2. Give root an unusable password

    $ sudo usermod -p '!' root
    

sudo - as user root

Remember that when a user with "administrative privileges" is making use of sudo they're running commands with elevated privileges as the user root!

You can see that this is true with a simple ps command:

$ sudo sh -c "ps -eaf | grep [s]udo"
root      2625 26757  0 04:19 pts/10   00:00:00 sudo sh -c ps -eaf | grep [s]udo

The above shows that when the ps command is executed, you're effectively the user root.

Booting

Also when booting into a system in single user mode (from GRUB), you'll need to login using the root account. Typically you're passing either the word single to GRUB or the number 1.

What sudo permissions do I have?

On a system where one has been given sudo permissions you can use the command sudo -l to see what rights you do have. These are not a complete set of everyone's rights, just the user that's running the command.

For example:

$ sudo -l
Matching Defaults entries for saml on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User saml may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib/jupiter/scripts/bluetooth, (root) /usr/lib/jupiter/scripts/cpu-control, (root)
    /usr/lib/jupiter/scripts/resolutions, (root) /usr/lib/jupiter/scripts/rotate, (root) /usr/lib/jupiter/scripts/touchpad, (root)
    /usr/lib/jupiter/scripts/vga-out, (root) /usr/lib/jupiter/scripts/wifi

NOTE: The commands one's been granted access to are everything after the line, "User saml may run the following ....".

Limiting access via sudo

Sudo has a fairly rich facility for limiting access to specific commands, groups of commands, specific users, and/or specific groups of users. There are some caveats however with sudo.

You can grant full access to everything with this line in /etc/sudoers:

aaditya      ALL=(ALL)    ALL

You could also give a user what appears to be simple access to vim certain files:

aaditya      ALL=/usr/bin/vim

This would be a huge mistake however, since many editors such as vim allow you to invoke a subshell from within them. So the user aaditya would be able to gain access to a shell with root permissions, even if the sudo permissions didn't intend for that to happen.

Tags:

Sudo

Root