Every Unix box has a root account, or an account that has absolute control over the machine, its files and controls.

From all accounts, admins should use this account sparingly, only for cases where cross-system control is needed. You can make big mistakes (i.e. wipe out the system with a badly-worded command) from root. If you have work to do that can be done from a user account, use that instead.

If you want to do root commands, you issue them from your account through the "sudo" command. basically sudo allows you to issue commands from another user's account (assuming you have the password).

The idea behind this is that not only will it limit the mistakes you may make, but also reduce the attack footprint of your server. A cracker, trying to get in via SSH, doesn't even get the option to guess the password to the root account to gain entry, because root can't log in from SSH at all.

Sudo actually has an option (sudo -i) that will allow you to work within a shell of a user account entirely--this means you evoke sudo once and then every thing you do from the command line is done from the account you've sudo'd in from, such as root. which is pretty neat, and eliminates the need to be able to access root from the outside (i.e. via SSH).

Obtaining Root permissions:

For a user that wished to deploy root commands through sudo to work from the root prompt, they have to, from the root account, enter the user or the user's group into the /etc/sudoers file. This must be done by using the visudo command (not through a plain text editor). Open up the sudoers file:

$sudo visudo

In CentOS, users with sudo priveleges are often kept in the "wheel" group (in Ubuntu, it is usually the "sudo" group. So you should enter, or uncomment, this line into the /etc/sudoers file:

%wheel ALL=(ALL) ALL

Then, hopping back out of /etc/sudoers to the command line, add the desired user to the "wheel" group:

 sudo usermod -aG wheel 

(DigitalOcean users can find out more info here)

Removing Root Access:

It's a pretty good idea to remove the ability to SSH into your Linux deployment with the root password. Automated hacker tools all the time be trying to guess the passwords to Linux boxes by automatically churning through password possibilities for the root account.

To disable SSH access to root, simply edit the /etc/ssh/sshd_config file and set the "PermitRootLogin" parameter to no, by finding the "PermitRootLogin" line, uncommenting and changing "yes" to "no," if this is not done already:

 PermitRootLogin No 

More info here.

Most distros, including Ubuntu, disable the root account by default.

But if you already enabled root on your Ubuntu, how do you un-enable it? Simple, from the root account, use the psswd command to "lock" the account, i.e. make it inaccessible from outside users. "passwd -l root"

Back

Blog

Writing

Hacks

Photos

About

Data