
Granting Root Access

By Jeffrey Howard
All rights reserved unless noted otherwise

 

Occasionally, you need to allow non-privileged users to execute some commands that are traditionally reserved for root. New Linux system administrators sometimes ask how to delegate superuser privileges to another user without divulging their root password.

Easy and Insecure

First, let me strongly urge you not to give other random users superuser privileges. They can read from and write to every file on the system. They'll be able to use packet sniffers to read all the traffic that goes in and out of the system. Do you really have good reason to believe that your root password is particularly safe after you've given someone unrestricted access to your system? If they really wanted to, they could simply replace the login program with a variant that can record passwords.

If you must, however, the means is simple. Linux, like many other UNIX systems, identifies users by a user identification number (UID). These UIDs are stored in the /etc/passwd file. The format looks more or less like this:

root:x:0:0:root:/root:/bin/bash
jrandom:x:500:500::/home/jrandom:/bin/bash

A real /etc/passwd file would have many more lines in it. Notice the two numbers on every line of the file. For one user, jrandom, those numbers are 500. For root, they're 0. The left-hand number is the UID for that user. (The right-hand number, if you're interested, is a GID, or group identification number. It acts much like a UID, but a group can have several users as members.)

Change both the UID and the GID of the target user to 0. In our example, change the file to read:

root:x:0:0:root:/root:/bin/bash
jrandom:x:0:0::/home/jrandom:/bin/bash

The user, jrandom, now has root privileges. The system will treat jrandom just as it would root, though they'll retain different passwords. Do expect some problems, though. Most UNIX systems don't really expect multiple users to have the same UID; they are supposed to be unique user identification numbers, after all. Really, all around, the solution below is better.
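
As an added example (not part of the original article), the shell functions below audit a passwd-format file for the condition just described: accounts other than root with UID 0, and UIDs shared by several accounts. The sample file contents and all function names are constructed for illustration.

```shell
# Added example: audit a passwd-format file for extra UID 0 accounts.
# sample_passwd prints constructed test data modelled on the article's example.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jrandom:x:0:0::/home/jrandom:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:501:502::/home/bob:/bin/bash
broken-line-without-enough-fields
EOF
}

# Names of accounts other than "root" whose UID field is numerically 0.
extra_uid0() {
    awk -F: 'NF == 7 && $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1 }' "$1"
}

# One "UID:name1,name2" line for every UID used by more than one account.
duplicate_uids() {
    awk -F: 'NF == 7 && $3 ~ /^[0-9]+$/ {
        uid = $3 + 0
        if (uid in names) names[uid] = names[uid] "," $1; else names[uid] = $1
        count[uid]++
    }
    END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort -t: -k1,1n
}

# Line numbers of entries that do not have exactly 7 colon-separated fields.
malformed_lines() { awk -F: 'NF != 7 { print NR }' "$1"; }

# Print findings for FILE; return 1 if anything needs review, 0 if clean.
audit_passwd() {
    rc=0
    for name in $(extra_uid0 "$1"); do
        echo "ALERT: $name has UID 0 and is treated as root"; rc=1
    done
    for entry in $(duplicate_uids "$1"); do
        echo "WARN: UID ${entry%%:*} is shared by ${entry#*:}"; rc=1
    done
    for n in $(malformed_lines "$1"); do
        echo "WARN: line $n is malformed"; rc=1
    done
    return $rc
}

# Demo on the constructed sample; on a real host: audit_passwd /etc/passwd
demo=$(mktemp) && sample_passwd > "$demo"
audit_passwd "$demo" || echo "review the findings above"
rm -f "$demo"
```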

A Better Solution

A better option would be to delegate very specific capabilities to your users. Why grant unrestricted access to your machine when you can limit them to running particular programs as root? A program called sudo makes this possible.

While much better, this solution still requires care. Many programs can be tricked, with spurious inputs, into providing a root shell or running arbitrary other programs as root. Allowing users to run only one program as root may still give them the means to seize more general superuser permissions.

jhoward@burningvoid.com

 
 

This information is provided "as is," with no warranty or guaranty. The IAQ pages have not been maintained in some time; they're being kept up because, judging by the traffic and link-backs, people still find them useful.
Copyright 1998-2004 by Jeffrey Howard and Heather Grove, except where stated otherwise.