Working as Root
The root, or super user account, is a special account and user on UNIX and Linux systems. Super user permissions are required in part because of the restrictive file permissions assigned to important system configuration files. You must have root permission to edit these files or to access or modify certain devices (such as hard drives). When logged in as root, you have total control over your system, which can be dangerous.
When you work in root, you can destroy a running system with a simple invocation of the rm command like this:
matthew@seymour:~$ sudo rm -rf /
This command line not only deletes files and directories but also could wipe out file systems on other partitions and even remote computers. This alone is reason enough to take precautions when using root access.
The only time you should run Linux as the super user is when you are configuring the file system, for example, or to repair or maintain the system. Logging in and using Linux as the root operator isn’t a good idea because it defeats the entire concept of file permissions.
Knowing how to run commands as the super user (root) without logging in as root can help avoid serious missteps when configuring your system. In Ubuntu, you can use sudo to allow you to execute single commands as root and then quickly return to normal user status. For example, if you would like to edit your system’s file system table (a text file that describes local or remote storage devices, their type, and location), you can use sudo like this:
matthew@seymour:~$ sudo nano -w /etc/fstab [sudo] password for matthew:
After you press Enter, you are prompted for a password that gives you access to root. This extra step can also help you “think before you leap” into the command. Enter the root password, and you are then editing /etc/fstab, using the nano editor with line wrapping disabled (thanks to the -w).
Understanding and Fixing sudo
Most Ubuntu users never have a problem here, but sometimes, people who like to experiment break things, especially while learning. This section exists to help you first understand more completely how sudo works and also how to restore sudo access to a specific user when, for some reason, it has ceased to function for that user.
In order for a user to use sudo, the user account must belong to the admin group and also be listed in the /etc/sudoers file. If both conditions are met, the user will be permitted to temporarily use root powers for specific commands that are issued at the command line by that user account by prefacing the command with the word sudo.
A problem can occur for a specific user with sudo when
- A user is taken out of the admin group but should not have been. The permissions for the /etc/sudoers file has been changed to anything other than 440. The /etc/sudoers file has been changed in a way that does not allow members of the admin group to use root powers.
Fixing any of these problems requires the use of root powers. This is an obvious problem because if sudo is not working, then the account does not have access to root. To fix it, we must gain root access. You can do this by booting into recovery mode using the following steps:
- Hold down the Shift key while the computer is booting.
- When the GRUB menu page appears, use the arrow keys on your keyboard to scroll to the entry that ends with (recovery mode) and press Enter to select it.
- When the boot process finishes, you have several options. Select the menu entry for root, which is described as Drop to Root Shell Prompt. You are now at the command line with full root access to the computer.
- Ubuntu mounts filesystems as read-only by default in recovery mode, so you need to remount the root filesystem, /, as read-write so that you can fix the problem. Enter the following:
root@seymour:~# mount -o rw,remount /
If the problem exists because the user account was removed from the admin group, enter
root@seymour:~# adduser username admin
If the problem exists because the permissions for /etc/sudoers are wrong, enter
root@seymour:~# chmod 440 /etc/sudoers
If the problem exists because of an internal problem in /etc/sudoers, make a backup of the existing file and use visudo to edit it (this is a special use of the vi editor, covered in Chapter 10, “Command-Line Master Class,” that runs a check on the file after editing to be certain that it is correct—this particular problem usually occurs when someone edits the file using another editor that does not make this check). The contents of the file should be the following:
# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
After your fix is complete, exit the root command line:
You return to the recovery mode menu. Select resume, described as Resume Normal Boot, to finish and return to a normal boot. When the boot completes, you should be able to use sudo correctly again.
When a Linux system administrator creates a user, an entry in /etc/passwd for the user is created. The system also creates a directory, labeled with the user’s username, in the /home directory. For example, if you create a user named heather, the user’s home directory is /home/heather.
Use the adduser command, along with a user’s name, to quickly create a user:
matthew@seymour:~$ sudo adduser heather
After creating the user, you must also create the user’s initial password with the passwd command:
matthew@seymour:~$ sudo passwd heather Changing password for user heather. New password: Retype new password: passwd: all authentication tokens updated successfully.
Enter the new password twice. If you do not create an initial password for a new user, the user cannot log in.
The adduser command has many command-line options. The command can be used to set policies and dates for the new user’s password, assign a login shell, assign group membership, and other aspects of a user’s account. See man adduser as well as Chapter 11, “Managing Users,” for more info.
Use the deluser command to delete users from your system. This command removes a user’s entry in the system’s /etc/passwd file. You should also use the command’s --remove-all-files and --remove-home option to remove all the user’s files and directories (such as the user’s mail spool file under /var/spool/mail):
matthew@seymour:~$ sudo deluser --remove-all-files --remove-home andrew
If you do not use the -r option, you have to manually delete the user’s directory under /home, along with the user’s /var/spool/mail queue.
Shutting Down the System
Use the shutdown command to shut down your system. The shutdown command has a number of different command-line options (such as shutting down at a predetermined time), but the fastest way to cleanly shut down Linux is to use the -h or halt option, followed by the word now or the numeral zero (0), like this:
matthew@seymour:~$ sudo shutdown -h now
matthew@seymour:~$ sudo shutdown -h 0
To incorporate a timed shutdown and a pertinent message to all active users, use shutdown ’s time and message options, as follows:
matthew@seymour:~$ sudo shutdown -h 18:30 "System is going down for maintenance this evening at 6:30 p.m. Please make sure you have saved your work and logged out by then or you may lose data."
This example shuts down your system and provides a warning to all active users 15 minutes before the shutdown (or reboot). Shutting down a running server can be considered drastic, especially if there are active users or exchanges of important data occurring (such as a backup in progress). One good approach is to warn users ahead of time. This can be done by editing the system Message of the Day (MOTD) motd file, which displays a message to users when they log in using the command-line interface, as is common on multi-user systems.
It used to be that to create a custom MOTD you only had to use a text editor and change the contents of /etc/motd. However, this has changed in Ubuntu as the developers have added a way to automatically and regularly update some useful information contained in MOTD using cron. To modify how the MOTD is updated, you should install update-motd and read the man page.
You can also make downtimes part of a regular schedule, perhaps to coincide with security audits, software updates, or hardware maintenance.
You should shut down Ubuntu for only a few very specific reasons:
- You are not using the computer, no other users are logged in or expected to need or use the system, such as your personal desktop or laptop computer, and you want to conserve electrical power.
- You need to perform system maintenance that requires any or all system services to be stopped.
- You want to replace integral hardware.
Rebooting the System
You should also use the shutdown command to reboot your system. The fastest way to cleanly reboot Linux is to use the -r option, and the word now or the numeral zero (0):
matthew@seymour:~$ sudo shutdown -r now
matthew@seymour:~$ sudo shutdown -r 0
Both rebooting and shutting down can have dire consequences if performed at the wrong time (such as during backups or critical file transfers, which arouses the ire of your system’s users). However, Linux-based operating systems are designed to properly stop active system services in an orderly fashion. Other commands you can use to shut down and reboot Linux are the halt and reboot commands, but the shutdown command is more flexible.