Using the Root Account on Debian

by Edd Dumbill

There is one user account on your Debian system that has the power to change anything: the root account. By power, I mean absolute power. The root user account can read, replace, or remove any file. It can read or write to any attached device. It can read or write to any part of the computer's memory. If there's even a mere suspicion that a piece of software is buggy or poses a security risk, there's no way you should run it as root.

Because of the power of the root account, sensible system administrators take a good deal of care when using it. The best rule of thumb is to do only the bare minimum of operations as root. Different users take different views on how to minimize root usage. Increasingly, Unix-like operating systems take the approach of going as far as to disable the root account and to use privilege-gaining tools such as sudo to give normal users the ability to run programs as the root user when required.

This article introduces using sudo to restrict superuser privileges. It is a good idea for you to get used to sudo now, as the rest of this series will use it wherever you need root access to perform a task.

Running Commands As root

There are several ways to access the root account. The first is simply to log in to the machine's console as the root user. In normal operation, this is a bad idea, as it tends to encourage excessive use of the root account. However, when in single user mode for repair tasks, it's perfectly acceptable.

In normal operation, a user logs in to the system under his or her own account and wants to become root in order to run privileged commands. The su program lets you do this. The following example shows what happens when you use su to become root.

Switching to the root account

user@host:~$ su -
enter root's password here
You can use su to switch to any user's account by giving his or her username (and knowing the right password!).

The example shows the normal Debian command-line prompts in full, to show how they change when root successfully logs in. To save space in the future, I will normally use only the $ prompt to denote the use of a normal user account and # to denote a root login.

The hyphen argument (-) to su instructs it to behave as if root had logged in on the console, so that it executes whatever shell customizations are set up. The root user has the home directory /root by default, and using su - will place you in that directory. Terminate the root session by exiting the shell with Ctrl-D or exit.

Using su to start a root shell session is almost as tempting for bad habits as a console login, however. Although you can give the --command option to su to execute a single command, rather than entire shell, retyping root's password each time becomes tiresome. Furthermore, using su means that you have to share the root password with anyone else who wants to run a program as root. Additionally, you can't restrict what those users can do as root. It may well be that you want them to run only one or two commands that require root privileges, not have dominion over your entire system.

The sudo program provides a solution to these problems and allows a more flexible and controllable approach to regulating root privileges. Install it by becoming root conventionally with su and using the aptitude package manager to install the software. An upcoming column in this series will explain fully how to install the software.

$ su -
# aptitude install sudo

After installing sudo, you must give your normal user account full privileges. To do this, run the visudo command as root. This will start up a text editor showing sudo's configuration file. Find the line reading root ALL=(ALL) ALL and copy it, substituting your username for root. Write out the file and quit the text editor.

The cautionary notice is shown only the first time you run sudo.

Now, quit the root login and log in to your regular user account. To test your new privileges, run whoami both with and without sudo.

$ whoami
$ sudo whoami

We trust you have received the usual lecture from the local system
administrator. It usually boils down to these two things:

        1. Respect the privacy of others.
        2. Think before you type.

here, enter your own password

From now on, you can prefix all commands that you need to run as root with sudo and just use your own password. If you use sudo again within 15 minutes, you won't need to reenter the password. If you add your user to the sudo group, you need never enter your password to use sudo. Assign this privilege with extreme care!

Debian System

Related Reading

Debian System
Concepts and Techniques
By Martin F. Krafft

Configuring sudo

The visudo calls your preferred text editor, rather than only vi! On a new system, this is the easy-to-use nano, so don't worry if you're not a vi expert.

The /etc/sudoers configuration file controls the use of sudo. You should never edit the file directly, but only through the use of the visudo command. The expression of permissions in sudoers is very flexible, allowing a tight degree of control over what others can run.

For example, to give the user fred the ability to run the kill program as root, add the following line to sudoers.

fred      ALL = /usr/bin/kill

The ALL means that the command can be run on any machine, which is useful if you are sharing the sudoers configuration over multiple machines on a network. The manual page describes the sudoers file format in detail; read it with man sudoers. Its very powerful flexibility allows fine-grained control over the allocation of privileges to users.

If you are happy with sudo, you may wish to disable root's password completely, meaning that everybody must use sudo to execute privileged commands. Do this with sudo passwd -l root. To reverse the process, run sudo passwd -u root.

Should I Really Always Use sudo?

One or two problems that arise from relying on sudo exclusively can mean you need to be careful. These coincide with the use of systems such as NIS or LDAP to control user accounts--these systems use (possibly remote) databases to provider user information. If an operation you run under sudo causes these services to fail, you will not be able to run sudo again to get out of the mess, due to the system's not being able to find information on your user account.

The answer to this is either to not disable the root login, to perform such dangerous operations in a root shell, or to use sudo -s to start a root shell session. Although such situations are rare, you should be aware of this risk, especially when running a development version of Debian, where failure during software upgrade is a possibility. Also, you can configure NIS or LDAP to fall back to a local user database, in which you can create yourself a backup account.

Finding Out More

The best way to learn about root privileges on your Debian system is to read the manual pages for su and sudo. Do this with the man command.

Edd Dumbill is co-chair of the O'Reilly Open Source Convention. He is also chair of the XTech web technology conference. Edd conceived and developed Expectnation, a hosted service for organizing and producing conferences. Edd has also been Managing Editor for, a Debian developer, and GNOME contributor. He writes a blog called Behind the Times.

Return to the Linux DevCenter.

Copyright © 2017 O'Reilly Media, Inc.