This site is now 100% read-only, and retired.

How do you get superuser privileges on machines you administer?

Submitted by dkg on Sat 28 Jul 2007

log in as root at a vt  <-> 6% 117 votes
log in as root through an X11 display manager  <-> 0% 14 votes
su  <-> 43% 821 votes
sudo  <-> 32% 609 votes
ssh to root  <-> 12% 243 votes
choose something like "root terminal" from a GUI menu  <-> 1% 24 votes
crack the running kernel  <-> 3% 59 votes
other  <-> 0% 16 votes
Total 1903 votes

 

 

 

Re: How do you get superuser privileges on machines you administer?
Posted by ajt (84.12.xx.xx) on Sat 28 Jul 2007 at 10:39
[ View Weblogs ]
On Linux boxes I almost always use sudo, if I want to be root for a while I tend to do sudo su -

On AIX boxen at work we had sudo for a while on a test system, but the admin couldn't get his head round it, so it's su only on AIX at the moment.

On any box I control you can't remote login as root at all, even users need a key to get in vis SSH.

Once I cracked the kernel on Solaris 2.6 after I forgot the root password. I since installed sudo on the box. One of these days I'll add some more disk to the box and install Debian Etch on it while SPARC32 is still supported.

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (87.219.xx.xx) on Tue 31 Jul 2007 at 20:46
And why not simply sudo -s for a root shell? Just for the environment or are there any other reason?

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by ajt (84.12.xx.xx) on Tue 31 Jul 2007 at 21:02
[ View Weblogs ]

I saw that a while ago and tried it. When I do a sudo su - you get a shell and the normal initialisation, which in my case gives me a visually different prompt amongst other things, sudo -s doesn't do that. I like having my prompts to remind me I'm "god" rather than me.

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by daemon (146.231.xx.xx) on Mon 6 Aug 2007 at 14:35
[ View Weblogs ]

IME that's just what sudo -i does -- to quote the manpage:

-i The -i (simulate initial login) option runs the shell specified in
the passwd(5) entry of the user that the command is being run as.
The command name argument given to the shell begins with a - to
tell the shell to run as a login shell. sudo attempts to change to
that user's home directory before running the shell. It also ini-
tializes the environment, leaving TERM unchanged, setting HOME,
SHELL, USER, LOGNAME, and PATH, and unsetting all other environment
variables. Note that because the shell to use is determined before
the sudoers file is parsed, a runas_default setting in sudoers will
specify the user to run the shell as but will not affect which
shell is actually run.

I certainly use sudo -i quite a bit, and it even picks up my garish bright-red $PS1 which reminds me that I'm playing god at the time...

Cheers.
:wq

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by ajt (85.211.xx.xx) on Mon 6 Aug 2007 at 14:51
[ View Weblogs ]
I don't know how secure it is but it seems better than the -s option and is shorter to type than sudo su -

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by dkg (216.254.xx.xx) on Tue 7 Aug 2007 at 16:42
[ View Weblogs ]
Thanks for pointing this out, daemon. I'd been wanting this, but hadn't yet gone to the trouble of digging in the man page. I'll be using this on those machines still configured with sudo.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (213.224.xx.xx) on Sat 28 Jul 2007 at 11:02
It's not completely correct, but you might want to add "Login to Webmin as root".

I've worked at a company where the wife of the boss said she couldn't administer a Linux server decently without it. Luckily (?) the clients had an even poorer understanding of Linux.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by kaerast (82.47.xx.xx) on Sat 28 Jul 2007 at 18:19
[ View Weblogs ]
sudo, and I'm considering centralising the sudo configuration using puppet. In my opinion tt's about time the Debian installer defaulted to installing sudo with no root password and giving the first user sudo privileges.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by daemon (155.232.xx.xx) on Sat 28 Jul 2007 at 20:45
[ View Weblogs ]

you might want to take a look at sudo-ldap...

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by dkg (216.254.xx.xx) on Wed 1 Aug 2007 at 16:13
[ View Weblogs ]
If you're already using libnss-ldap, what advantages does sudo-ldap give you?

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by daemon (146.231.xx.xx) on Wed 1 Aug 2007 at 21:10
[ View Weblogs ]

Well, I'm only just starting to look at it (it's been on my to-do list for months though ;-), but essentially, it allows you to keep the sudo configuration, basically everything that used to go in /etc/sudoers, in a LDAP directory.

If you're rolling out a centralised infrastructure, it's one less thing that cfengine/puppet needs to sync, and means that there's only one place that you need to mess around with who can do what (as far as sudo is concerned).

In fact, with your mention of libnss-ldap, the sudo-ldap config goes in /etc/libnss-ldap.conf. So if you're using libnss-ldap (which you probaby are anyway if you're messing with LDAP), you don't have to worry about any more files cluttering up your /etc/ tree.

Cheers.
:wq

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by dkg (216.254.xx.xx) on Wed 1 Aug 2007 at 22:12
[ View Weblogs ]
Ah, i see. that makes sense: it's the sudo configuration itself, stored in LDAP, not just the ability to look up users in LDAP. Not sure why i couldn't figure that out with my own stalled brain. That is indeed worth looking into, though it seems like a generalized approach for syncing /etc is gonna be necessary no matter what, so i'm not sure how much benefit this provides (weighed against breaking your sudo configuration if your LDAP servers become unreachable).

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (86.12.xx.xx) on Sat 28 Jul 2007 at 20:18
On all Debian systems i use 'su' for root. On Ubuntu systems i look after i sudo passwd root and create a user for the root password, then disable sudo access.


Just habit, while i tell many people to leave the defaults on Ubuntu (sudo for first created user during install) i don't use it myself.

sno

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by daryl (60.234.xx.xx) on Sat 28 Jul 2007 at 23:27
[ View Weblogs ]
First things I read and learned about Linux that you should never use root!
Always su.... On my server all root connections are disabled

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by drgraefy (74.73.xx.xx) on Sun 29 Jul 2007 at 20:15
[ View Weblogs ]
I'm curious about what people think are the pros and cons of the various methods. I personally "ssh to root" on all machines I administer other than my trusted personal console (TPC). On my TPC I use sudo. Some people seem to think that allowing root to login via ssh is a bad idea, but if the root account is only accessed via pubkey auth, I don't see how it's more insecure than a standard user account that has sudo privledges. If someone can explain why they think it's bad, I would be interested to hear it.

It seems pretty clear to me that doing anything X-related as root is a very bad idea, so the "log in as root through an X11 display manager" should definitely be avoided.

The "su", "sudo", and "choose something like 'root terminal' from a GUI menu" options require remembering a separate root password for each administered machine, which seems like a pain to me. I'm into trying to reduce the number of passwords I have to remember. The beauty of the "ssh to root" option in conjunction with pubkey auth is that you only have to remember a password for the key used to access root on the various machines.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by ajt (84.12.xx.xx) on Mon 30 Jul 2007 at 08:38
[ View Weblogs ]
I suppose the main supposed advantage of sudo is that where there are multiple admins on multiple machines, it's possible to allow the various admins various different admin privileges on each machine without giving any of them root's password or full permissions.

Allowing root access vis SSH is considered weak I suppose because there IS a root account and it doesn't lock if you try to brute-force it. A SSH key is a lot more secure than a password over SSH, but then the SSH key is only as secure as the security on another box - which itself could be compromised. I don't allow root over SSH by any method, others do and are able to sleep at night...

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by mcortese (213.70.xx.xx) on Mon 30 Jul 2007 at 18:24
[ View Weblogs ]
On a system with more administrators, you want to know who of them logged in as root and possibly what he did. If you allow remote root login you'll never know who is getting root rights.

[ Parent ]

user logins
Posted by dkg (166.84.xx.xx) on Tue 31 Jul 2007 at 22:50
[ View Weblogs ]
If you make sure your /etc/ssh/sshd_config contains:
LogLevel VERBOSE
Then it will log the RSA keys used to grant access. The logs look like this:
Jul 31 17:44:00 chimpsky sshd[23418]: Found matching RSA key: 25:cd:3f:6a:79:cb:58:ae:56:6f:b4:aa:b0:57:30:35
Jul 31 17:44:01 chimpsky sshd[23418]: Accepted publickey for root from 127.0.1.1 port 45283 ssh2
Note that since OpenSSH 4.4 you can also use the ForceCommand and Match keywords together to achieve something similar to the capabilities granted via sudo.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (59.95.xx.xx) on Wed 8 Aug 2007 at 06:55
Simply the way to go when you are the sole administrator.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by hardik (122.169.xx.xx) on Mon 30 Jul 2007 at 09:51

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by mario (150.185.xx.xx) on Mon 30 Jul 2007 at 15:55
[ View Weblogs ]
I ssh as a normal user then sudo if I need it.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by randallb (74.94.xx.xx) on Mon 30 Jul 2007 at 17:25
How about booting into single user mode? :)

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by ajt (84.12.xx.xx) on Mon 30 Jul 2007 at 20:32
[ View Weblogs ]
Unusual.. At least my Debian boxes still challenge for passwords I think Red Hat's drop you in as root without a prompt...

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by randallb (74.94.xx.xx) on Mon 30 Jul 2007 at 20:52
Yes, and after you provide the "root password for maintenance", you are root. (By the way, you can bypass the password prompt in Debian's single user mode by also specifying "init=/bin/bash" as a boot option.)

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by mcortese (213.70.xx.xx) on Tue 31 Jul 2007 at 15:32
[ View Weblogs ]
That's why you should set a password in Grub or Lilo or whichever boot loader you use! And you you should set a password to the BIOS as well, to prevent from booting out of a rescue CD or floppy.

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by sneex (63.139.xx.xx) on Mon 6 Aug 2007 at 15:39
[ View Weblogs ]
Well, there are machines that require a BIOS h/w boot password or they won't boot. =)

Besides, Linux had a few possibly still unknown hacks that allow escalated privileges. Redhat had a libc file association hack I used to harrass students with (how would you fix a situation where a student does `chmod a-rwx /bin/chmod` ?) and I thought I read something about invoke-rc.d but I can no longer find it.

http://youve-reached-the.endoftheinternet.org/

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (71.175.xx.xx) on Sun 5 Aug 2007 at 04:26
often times, I'll simply run a gui program using kdesu. so for a konsole "kdesu konsole"

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by Anonymous (98.200.xx.xx) on Mon 6 Aug 2007 at 17:36
I ssh into my box as a restricted user and then use su to gain root rights.. does the trick for me :D

[ Parent ]

Re: How do you get superuser privileges on machines you administer?
Posted by endecotp (86.6.xx.xx) on Thu 9 Aug 2007 at 17:24
[ View Weblogs ]
I find that the difference between a $ and a # prompt is a bit too subtle. So I use terminals with different colour schemes; normally black-on-light-something for normal use and white-on-dark-something for root. I start these terminals with keybindings that run commands like

x-terminal-emulator -bg darkgreen -fg white -e ssh root@machine
x-terminal-emulator -bg lightgreen -fg black -e ssh machine

The colours are per-machine, which makes it more likely that I run the command on the machine I intended to. I also try to mnemonically associate the colour name with the machine name, and also with the keybinding that starts the shell.

Using this system, I have never accidentally run something as root when I shouldn't have, or run a command on the wrong machine.

[ Parent ]