MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


Being 'root' II

* Becoming 'root' With 'su'
* 'su' Going Graphical: 'kdesu'
* 'su' Made Convenient: 'sudo'

Related Resources:

man su
kdesu -h
man sudoers
man sudo

Article on sudo

Revision / Modified: Feb. 11, 2002
Author: Tom Berger

 

* Becoming 'root' With 'su'

Administrative tasks do not require you to log in anew; instead, you just type

su

at a (virtual) shell prompt and supply the root password. Now you are 'root' and can run any program as 'root', even graphical ones. You can return to your user account by hitting <CTRL d>.

A convenient way to save yourself many 'su's is to open a virtual terminal, run su once and use that terminal for all the 'root' tasks during your session.
Of course, you have to be sure that no one has physical access to your computer during this session. Furthermore, it is advisable to close this terminal or to log out of the 'root' account while you are online.

One important thing to keep in mind is the different $PATH settings for users and root:

  • user: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/user/bin:
  • root: /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin

So, if there is an executable in '/usr/local/bin', 'root' will have to supply the full path to run this application; otherwise the shell will just return 'not found'. The same goes for users and executables in the 'sbin' directories.

If you want to preserve environment variables like $PATH, use

su -p

Now root's $PATH is the same as that of the user who su'd. Note that this command will show the user's home directory as root's home directory (since $HOME is preserved)!
The disadvantage of this switch is that directories which usually contain administrative commands, like '/sbin' and '/usr/sbin', are no longer part of root's $PATH. You now have to supply the full path if you want to run executables from these directories, or adjust the $PATH setting.
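A check of what a root shell would inherit from each of the two $PATH values listed above, written as an added example (not part of the original article). The function names are made up for this example. Besides the missing 'sbin' directories it reports empty or relative elements, which the shell resolves against the current directory; the user $PATH as printed on this page ends in a colon, which is such an empty element.

```shell
#!/bin/sh
# Added example. The two PATH values are the ones printed on this page.
USER_PATH='/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/user/bin:'
ROOT_PATH='/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin'

# path_has DIR PATHSTRING: succeeds if DIR is an element of PATHSTRING
path_has() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# path_findings PATHSTRING: print one line per finding for a root shell
path_findings() {
    p=$1
    # Administrative directories root normally relies on
    for d in /sbin /usr/sbin; do
        path_has "$d" "$p" || echo "missing:$d"
    done
    # A leading, trailing or doubled colon is an empty element,
    # which the shell treats as the current directory
    case ":$p:" in
        *"::"*) echo "empty-element" ;;
    esac
    # Elements that do not start with / are resolved relative to the cwd
    old_ifs=$IFS; IFS=:
    for d in $p; do
        case $d in
            ''|/*) ;;
            *) echo "relative:$d" ;;
        esac
    done
    IFS=$old_ifs
}

echo "root shell after 'su -p' (user PATH preserved):"
path_findings "$USER_PATH"
echo "root shell after plain 'su':"
path_findings "$ROOT_PATH"
```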

Another convenient option for 'su' is '-c':

su -c "command"

will execute command as 'root' and then immediately return to the user account. One drawback is that command line completion doesn't work with su -c, so if you want to install an RPM, you had better type rpm -i rpm<TAB> first and then put su -c in front of it. Do not forget to add the quotes around the command to be executed.
Another drawback is that you can't start graphical programs this way.

You can shorten this somewhat arduous procedure by adding this line to '/etc/inputrc':

"\C-xs": "\C-e\"\C-asu -c \""

and from the next session on you just hit <CTRL x> followed by <s> on any given command line to turn it into su -c "command"!


* 'su' Going Graphical: 'kdesu'

'kdesu' is KDE's way to run applications with 'root' privileges on a user's desktop. The syntax is like that of 'su':

kdesu -c "command"

This will pop up a small window asking for the root password and then execute the program as 'root'.

You can run any program as 'root' via a graphical login window: you just have to create an entry in the menu for it and wrap the command which invokes that program in 'kdesu -c ""'.

Notice that all other desktops and window managers will use 'kdesu', too, as long as the 'kdebase' package is installed. I haven't found out yet what Mandrake Linux provides in case kdebase isn't installed. Maybe some KDE hater can help me out here ;-).


* 'su' Made Convenient: 'sudo'

'sudo' is a highly sophisticated yet quite easy-to-use tool that lets users do some tasks as root, even in a large network. 'sudo' supports extensive logging in connection with '/etc/syslog.conf' and the internal mailing system.

You can either get the source from 'sudo's home page or install it from your Mandrake Linux CD. Control freaks and network administrators should get the source, since there are a lot of important options to choose from at compile time; for everyone else (me included :)) the RPM will do.

'sudo's configuration file is '/etc/sudoers'. You configure it with the command visudo (man visudo). For those of you not familiar with the 'vi' editor, here are some basic commands:

  • <i> puts you into 'insert' mode
  • <ESC> <Z> <Z> exits and saves
  • <ESC> <:> <q> <!> exits without saving

However, you can use another editor by setting the environment variable $EDITOR appropriately (e.g. export EDITOR=/usr/bin/emacs).

You'll find the main documentation in man sudoers. It is very concise and exhaustive; in most cases, however, reading the EXAMPLES section will do.
A very simple example of '/etc/sudoers' for a single-user machine would be:

# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias RPM = /bin/rpm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
# User privilege specification
root ALL = (ALL) ALL
jim ALL = NOPASSWD: RPM, SHUTDOWN

The three aliases sections are used to define internal variables which can then be used in the last section.

The first 'ALL' refers to machines in the network, which you can define with Host_Alias. Since this is a stand-alone machine, it doesn't matter.
This sudoers file allows user 'jim' to install and remove RPMs and tarballs, and to shut down the machine. The syntax is

sudo command (e.g. sudo rpm -i blah.rpm, no quotes!)

'NOPASSWD' means just that: 'jim' won't have to provide a password. You have to specify this option explicitly because by default 'sudo' asks for the account password before executing the command. You should use this option only if no other Linux-literate person has physical access to your machine. Furthermore, you can set the option passwd_timeout min to specify how long the password will be kept in memory. A funny option is insults, which will insult everyone who provides a wrong password :-).
There are lots of security-related options you should consider carefully if you are working in an untrusted environment.

To list the sudo rights of the current user, type sudo -l:

User jim may run the following commands on this host:
(root) NOPASSWD: /bin/rpm
(root) NOPASSWD: /usr/sbin/shutdown

This will allow you to do the two most common administrative tasks on your machine more conveniently without compromising your security that much.
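To review which commands a sudoers file hands out without a password, the alias expansion described above can be reproduced with a short script. This is an added example, not part of the original article or of sudo itself; the function names are made up here, the input is the sample file from this page, and the parser is simplified (one alias per line, spaces around '=', no line continuations, no nested aliases).

```shell
#!/bin/sh
# Added example. Constructed input: the sample /etc/sudoers from this page.
sample_sudoers() {
cat <<'EOF'
# Cmnd alias specification
Cmnd_Alias RPM = /bin/rpm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
# User privilege specification
root ALL = (ALL) ALL
jim ALL = NOPASSWD: RPM, SHUTDOWN
EOF
}

# nopasswd_grants: read sudoers text on stdin and print "user<TAB>command"
# for every command a user may run without a password, aliases expanded.
nopasswd_grants() {
awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    $1 == "Cmnd_Alias" {                    # remember NAME = cmd[, cmd...]
        name = $2
        sub(/^[^=]*=[ \t]*/, "")
        sub(/[ \t]+$/, "")
        alias[name] = $0
        next
    }
    /NOPASSWD:/ {
        user = $1
        sub(/^.*NOPASSWD:[ \t]*/, "")
        sub(/[ \t]+$/, "")
        n = split($0, item, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            # replace an alias name by its command list, keep plain paths
            cmds = (item[i] in alias) ? alias[item[i]] : item[i]
            m = split(cmds, c, /[ \t]*,[ \t]*/)
            for (j = 1; j <= m; j++) print user "\t" c[j]
        }
    }
'
}

sample_sudoers | nopasswd_grants
```

Each line of output is a command that anyone sitting at that user's session can run as root without being asked for a password, which is why the article limits NOPASSWD to machines nobody else can reach.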

Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.