## page was renamed from BeginnersTeam/FocusGroups/Education/Events/01172009
#title Beginners Team Education Focus Group
##
##Please use the following icons
##Tutorial  -  {{attachment:IconsPage/32pixel/32linuxhw.png}}
##General Knowledge  -  {{attachment:IconsPage/32pixel/32books.png}}
##Security Related  -  {{attachment:IconsPage/32pixel/32neotux.png}}
##Terminal Used  -  {{attachment:IconsPage/32pixel/32term.png}}
##
##List items can have multiple icons associated with them
##
##If you need more icons added please contact PrivateVoid

<<Include(BeginnersTeam/FocusGroups/Education/Includes/Header)>>
-----

'''IRC Question and Answer Session'''<<BR>>
'''topic''': sudo and root<<BR>>
'''date''': 17^th^ January 2009<<BR>>
'''time''': start 1800 UTC end ???<<BR>>
'''location''': IRC - #ubuntu-classroom on freenode.net<<BR>><<BR>>

{{attachment:IconsPage/32pixel/32linuxhw.png}} {{attachment:IconsPage/32pixel/32books.png}} {{attachment:IconsPage/32pixel/32term.png}} An Introduction to the Concept of Root and Sudo

Understanding the usage of sudo not only gives the new Linux user a powerful tool to work with the system, but also teaches him/her one of the essential concepts of Ubuntu.

The concept of Sudo and Root is linked with such themes like "Terminal Usage", "Terminal Commands" or "Linux Permissions".

During the course the ubuntu beginner will lose the fear of the terminal and learn how to operate with sudo and when better not to act as root.

Schedule :

    * Introduction
    * Differences between sudo and root account
    * Advantages/Disadvantages
    * Usage and Examples
    * Question Round

=== logs ===

{{{#!irc
18:00 <MichaelGodawski>	Education Focus Group:
18:00 <MichaelGodawski>	Introduction to Root and Sudo
18:01 <MichaelGodawski>	by Michael.Godawski and forestpixie
18:01 <MichaelGodawski>	Short Introduction
18:01 <MichaelGodawski>	Welcome to the first course prepared by the Education Focus Group; a group from the Beginners Team on the Ubuntuforums.org. As mentioned this is our first course so we are glad to hear your feedback afterwards.
18:01 <MichaelGodawski>	First I wanted to ask how many of your are here for the course
18:01 <linkmaster03>	me
18:01 <Bodsda>	me
18:01 <forestpixie>	o/
18:02 <diogenes>	o/
18:02 <MichaelGodawski>	good not much but better then none :)
18:03 <MichaelGodawski>	Let's go quickly over the formalities:
18:03 <MichaelGodawski>	here is our site: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education
18:03 <MichaelGodawski>	new courses, articles, and resources will be published here.
18:03 <MichaelGodawski>	We are going to work with the terminal a bit so open it ( Applications > Accessories > Terminal )and also open a web-browser.
18:03 <MichaelGodawski>	Root and Sudo
18:03 <MichaelGodawski>	This course is aimed at the very beginners of Ubuntu/Linux; during the course we will cover some very basic terminal commands. So for some of you it might be boring, but for some still new and exciting
18:03 <MichaelGodawski>	Please bear in mind, we have to cover as much as possible and as easy as possible.
18:03 <MichaelGodawski>	Let's start.
18:04 <MichaelGodawski>	The root is the administrator of the system. He can change, edit, delete everything. He/she has absolute power over the system.
18:04 <MichaelGodawski>	But doing basic stuff like browsing the Internet, using applications etc. does not require the root access, it can be even harmful. The argument which often comes up, is that Ubuntu is restricting the user.
18:04 <MichaelGodawski>	The root account password is indeed locked as default in Ubuntu. This means you cannot login as root directly. Sometimes however you need root privileges for instance to install a piece of software or do some administrative tasks.
18:04 <MichaelGodawski>	Here is the grand entrance of sudo; "since the root account physically exists it is still possible to run programs with root-level privileges."
18:04 <MichaelGodawski>	So you can just add sudo in front of a command, type in your user password, and execute it as root.
18:04 <MichaelGodawski>	Sudo gives you root privileges temporally.
18:05 <MichaelGodawski>	Sudo can be split into: You do the command as super-user, as root.
18:05 <MichaelGodawski>	Let's do some basic terminal tasks now. We will create a new directory in your /home folder first. Sounds easy? It is.
18:05 <MichaelGodawski>	command:     mkdir ~/test
18:05 <MichaelGodawski>	The ~ is a symbol for /home/user-name. Open your home folder with Nautilus. And check if the test folder is there.
18:06 <MichaelGodawski>	is it?
18:06 <linkmaster03>	yes :D
18:06 <MichaelGodawski>	To delete it we can use the rm command. On the forums there are many users who cannot operate with this command properly and they delete their whole system because they execute it with sudo and with a wrong syntax.
18:06 <MichaelGodawski>	The syntax is as follows:
18:06 <MichaelGodawski>	rm [OPTION]... FILE...
18:06 <MichaelGodawski>	Always specify a path to directory or folder after the rm command,
18:07 <MichaelGodawski>	command:    rm ~/test
18:07 <MichaelGodawski>	What happens? You get an error:
18:07 <MichaelGodawski>	rm: cannot remove `/home/michael/test': Is a directory
18:07 <Bodsda>	yes
18:07 <MichaelGodawski>	rm is for removing files. We will use rm -r to delete recursively.  rm -r removes directories and their contents recursively so be careful with it.
18:08 <MichaelGodawski>	command:    rm -r ~/test
18:08 <MichaelGodawski>	Everything is fine? Than we proceed.
18:08 <linkmaster03>	yep
18:08 <MichaelGodawski>	So for instance you want to create a directory in /usr.
18:08 <MichaelGodawski>	Let us check if there is no folder called test in /usr
18:08 <MichaelGodawski>	command:    ls /usr/
18:09 <MichaelGodawski>	command:     sudo mkdir /usr/test
18:09 <MichaelGodawski>	Navigate into the /usr directory with
18:09 <MichaelGodawski>	command:     cd /usr
18:09 <MichaelGodawski>	Use the command ls to list the directories located there. The test directory should be visible.
18:09 <MichaelGodawski>	Now we want to remove the test directory. Using the rm command via the terminal and especially with root privileges is very dangerous and must be executed with alertness and a cautious mind.
18:10 <MichaelGodawski>	The correct command to remove the test directory we have just created is:
18:10 <MichaelGodawski>	command:     sudo rm -r /usr/test
18:10 <MichaelGodawski>	Always remember to specify a path to the directory or file after the rm command or you are in big trouble.
18:10 <MichaelGodawski>	Questions so far? I hope your system is still there :)
18:11 <linkmaster03>	a ton of text is scrolling by and it is removing /boot
18:11 <linkmaster03>	is that good?
18:11 <MichaelGodawski>	not good
18:11 <linkmaster03>	just kidding lol
18:11 <MichaelGodawski>	i was dying
18:11 <linkmaster03>	:P
18:11 <MichaelGodawski>	next point then ::))))) no jokes :)
18:11 <coolbhavi>	MichaelGodawski, I have a doubt
18:12 <MichaelGodawski>	next point then:
18:12 <MichaelGodawski>	Advantages/Disadvantages of Sudo
18:12 <MichaelGodawski>	Pros:
18:12 <MichaelGodawski>	You have only one password. This is a good thing when you are a forgetful person.
18:12 <MichaelGodawski>	Your actions are somewhat supervised by the precondition to enter your sudo/root password.
18:12 <MichaelGodawski>	Brute-force attacks on the root-account become meaningless because there is no root-account.
18:12 <MichaelGodawski>	The transfer of rights is very flexible and highly customizable. (via sudoers file)
18:13 <MichaelGodawski>	The default authentication is limited to a specific amount of time - 15 min (can be changed). So if you leave the machine, you do not leave an open root-terminal forever.
18:13 <MichaelGodawski>	Basically you can say using sudo is safer than a root account by default. The "restriction" to type in the password each time after sudo gives you a break to really think about the consequences of your next actions. Sudo can save you from your own genius.
18:13 <coolbhavi>	MichaelGodawski, for removing/ making files of the user you dont need sudo in general right?
18:13 <Bodsda>	coolbhavi, you can remove and make files/folders in your /home dir because you own it
18:14 <MichaelGodawski>	everything what happen in your /home folder is done without sudo
18:14 <MichaelGodawski>	yes Bodsda thx :)
18:14 <linkmaster03>	we have two MichaelGodawski's cool
18:14 <MichaelGodawski>	feel free to jump in and help me out if you know better :)
18:14 <MichaelGodawski>	Cons
18:14 <Bodsda>	if you did chown -R <username> /    then you would a) bugger everything up, and b) be able to create files folders anywhere without sudo -- i think :)
18:14 <coolbhavi>	MichaelGodawski, yup that was what I was trying to tell :) Thanks
18:15 <MichaelGodawski>	Ok now the cons:
18:15 <MichaelGodawski>	A real life example:
18:15 <MichaelGodawski>	http://ubuntuforums.org/showthread.php?t=1001804
18:15 <MichaelGodawski>	Basically it can be summarized with: "Redirecting the output of commands run with sudo requires a different approach. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have
18:15 <MichaelGodawski>	 the file written to with root permissions, such as sudo sh -c ls > /root/somefile.
18:15 <MichaelGodawski>	This is just an info to be complete; you have not to understand the syntax of these commands now. Perhaps it is a topic for another course. For now it is sufficient to say that sudo needs a specifiic syntax when more than one command is executed at once.
18:16 <easwar>	or when you are redirecting,as in this case
18:16 <MichaelGodawski>	Let's proceed we have some more topics ..... true easwar
18:17 <MichaelGodawski>	next point then:
18:17 <MichaelGodawski>	auth.log and .bash_history
18:17 <MichaelGodawski>	All your commmands started with sudo, executed with root privileges are stored in this log:
18:17 <MichaelGodawski>	/var/log/auth.log
18:17 <MichaelGodawski>	You can either access it by System - Administration - System Log - auth.log, or by typing into the terminal
18:17 <MichaelGodawski>	nano /var/log/auth.log
18:17 <MichaelGodawski>	This log is very useful if you messed something up, and want to look up the commands executed with sudo.
18:17 <easwar>	MichaelGodawski, wouldn't be easier with cat /var/log/auth.log
18:17 <Bodsda>	or nano can be replaced by any editor
18:18 <MichaelGodawski>	yes cat / less what you want :)
18:18 <linkmaster03>	ooh i didn't know that one
18:18 <easwar>	neither I
18:18 <MichaelGodawski>	wanted just to introduce one cli editor at this point
18:18 <coolbhavi>	or more also some times I think :)
18:18 <linkmaster03>	so will that log contain all commands execute as sudo?
18:18 <MichaelGodawski>	we all should no gedit and vim is complex
18:18 <Bodsda>	coolbhavi, more is primitive less
18:19 <MichaelGodawski>	linkmaster03, The usual entry login and usage of a sudo command looks as follows:
18:19 <coolbhavi>	:)
18:19 <easwar>	emacs!I don't know anything about it though,I prefer vim
18:19 <MichaelGodawski>	Dec 4 10:35:37 michael-laptop sudo: michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get install ubuntu-restricted-extras
18:19 <forestpixie>	can we cut the chat please
18:19 <MichaelGodawski>	thx forestpixie
18:19 <linkmaster03>	ah yes i see it thank you MichaelGodawski
18:19 <MichaelGodawski>	you see the command executed and the user in this example the root
18:19 <MichaelGodawski>	There is also a log which stores every command you type into the terminal. It is located here:
18:20 <Bodsda>	MichaelGodawski, may i ask a question?
18:20 <easwar>	linkmaster03, that file contains all the commands with executed as sudo
18:20 <MichaelGodawski>	can we wait till the end of this section with questions and remarks?
18:20 <MichaelGodawski>	thx
18:20 <Bodsda>	sure, sorry
18:20 <MichaelGodawski>	There is also a log which stores every command you type into the terminal. It is located here:
18:20 <MichaelGodawski>	~/.bash_history
18:20 <MichaelGodawski>	So open it with nano ~/.bash_history and have a look at all your commands used so far. Notice that you do not need the sudo in front of the nano command, because the .bash-history is located in your home directory. In this directory the user has read, write and execute permissions.
18:21 <MichaelGodawski>	Other possibilities to open the log are:
18:21 <MichaelGodawski>	cat .bash_history |grep sudo
18:21 <MichaelGodawski>	If it was recent use tail as well
18:21 <MichaelGodawski>	cat .bash_history |grep sudo |tail
18:21 <MichaelGodawski>	Questions so far?
18:22 <Bodsda>	MichaelGodawski, does auth.log store unsuccessful sudo attempts?
18:22 <MichaelGodawski>	good question let's try it out :) what do you mean by unsuccessful?
18:22 <MichaelGodawski>	wrong password?
18:22 <MichaelGodawski>	command not found?
18:22 <Bodsda>	wrong password > 3 times -- or wrong password once
18:23 <forestpixie>	I will try and report back
18:23 <MichaelGodawski>	we can solve this here I guess... just try it out everybody
18:23 <Bodsda>	iirc sudo will re-prompt three times, if still unsuccessful it just doesnt run the command
18:23 <MichaelGodawski>	run this command: sudo apt-get installl foo
18:23 <MichaelGodawski>	does it occur in the log?
18:24 <forestpixie>	 1 incorrect password attempt
18:24 <forestpixie>	so yes it does Bodsda :)
18:24 <MichaelGodawski>	Jan 17 19:24:14 michael-laptop sudo:  michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/usr/bin/apt-get installl f
18:24 <Bodsda>	Jan 17 18:24:03 bod sudo:      bod : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bod ; USER=root ; COMMAND=/usr/bin/apt-get install foo
18:24 <Bodsda>	bod@bod:~
18:24 <linkmaster03>	yup it does
18:24 <Bodsda>	yep :)
18:24 <MichaelGodawski>	nice question empirically solved
18:25 <Bodsda>	so if you wanted to see if anyone had tried to use your computer while you were away
18:25 <Bodsda>	you could
18:25 <easwar>	I didn't enter anything as password,and it just reported an authentication failure
18:25 <easwar>	not an "incorrect password attempt"
18:25 <Bodsda>	cat /var/log/auth.log | grep incorrect
18:25 <Bodsda>	or tail it first for recent incorrect attempts
18:25 <easwar>	zilch results
18:26 <easwar>	of course,I was only running sudo apt-get update
18:26 <Bodsda>	easwar, it doesnt matter about the command
18:26 <linkmaster03>	can we let the course go on :P
18:26 <Bodsda>	easwar, the authentication error was still logged, but not as an incorrect attempt because you didnt attempt anything
18:26 <MichaelGodawski>	Jan 17 19:26:20 michael-laptop sudo: pam_unix(sudo:auth): authentication failure; logname=michael uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=michael
18:27 <easwar>	Bodsda, hmm
18:27 <easwar>	MichaelGodawski, exactly
18:27 <MichaelGodawski>	so you see everything is somehow logged. Especially useful while helping new users on the forums
18:28 <MichaelGodawski>	who have executed commands, and cannot remember how they nuked their system :)
18:28 <MichaelGodawski>	Let's come back to the theory. When you are asking yourself "what does this and that command actually do" run man commandname in the terminal for details.
18:28 <MichaelGodawski>	So for instance :
18:28 <MichaelGodawski>	man sudo
18:28 <MichaelGodawski>	There we read:
18:29 <MichaelGodawski>	DESCRIPTION
18:29 <MichaelGodawski>	sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.
18:29 <MichaelGodawski>	Next question: what is the sudoers file?
18:29 <MichaelGodawski>	"The sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what)."
18:29 <MichaelGodawski>	Here is an example of a sudoers file:
18:29 <MichaelGodawski>	http://www.gratisoft.us/sudo/sample.sudoers
18:29 <easwar>	MichaelGodawski, one point I would like to make(later if you say so)
18:30 <forestpixie>	later
18:30 <MichaelGodawski>	sure at the end of every sections is time to aks and speak
18:30 <MichaelGodawski>	And this is our default Ubuntu sudoers file:
18:30 <Bodsda>	just a quick fyi, the sudoers file is located here: /etc/sudoers
18:30 <MichaelGodawski>	https://help.ubuntu.com/community/Sudoers#The Default Ubuntu Sudoers File
18:31 <MichaelGodawski>	good Bodsda
18:31 <MichaelGodawski>	Editing the sudoers file should be only done when you know what you are doing. A usual user, who just wants to work with the system, will never have to open this file if he/she does not want to.
18:31 <MichaelGodawski>	If you want more info on how to change the sudoers file ( but it is a rather rare task to do and some changes like removing the prompt for the sudo password are not supported by Canonical) have a look at:
18:31 <MichaelGodawski>	http://www.wlug.org.nz/SudoHowto
18:31 <MichaelGodawski>	https://help.ubuntu.com/community/Sudoers
18:32 <MichaelGodawski>	ok questions and remarks
18:32 <MichaelGodawski>	now
18:32 <MichaelGodawski>	:)
18:32 <easwar>	[23:57]<MichaelGodawski> so you see everything is somehow logged. Especially useful while helping new users on the forums[23:58]<MichaelGodawski> who have executed commands, and cannot remember how they nuked their system :)<--If they have run sudo rm -rf /,even /var/log/auth.log won't be able to tell you what they've done
18:32 <Bodsda>	lol, correct
18:32 <MichaelGodawski>	worst case scenario
18:32 <linkmaster03>	/var is one of the last directories to be removed though
18:32 <MichaelGodawski>	true
18:32 <forestpixie>	but I assume that they will be able to remeber that one :)
18:33 <MichaelGodawski>	questions to the audience from me if you run the sudo rm -rf command is there anything you can do to stop it??
18:33 <easwar>	forestpixie, not,if they've run one of those "hex code gibberish" ways
18:33 <linkmaster03>	Ctrl+C
18:33 <Bodsda>	ctrl+c
18:34 <MichaelGodawski>	anybody tried this out ?  joke please do not try to replicate this :)
18:34 <easwar>	linkmaster03, I don't know that,but why would /var be one of the last directories to be removed?
18:34 <Bodsda>	easwar, those should never be run untill you can personally read all of the code (usually)
18:34 <linkmaster03>	easwar: because it is alphabetically after most other directories in /
18:34 *	Bodsda sets up VM to disobey orders :)
18:34 <forestpixie>	yes on a vm MichaelGodawski 
18:34 <forestpixie>	it works ;)
18:34 <linkmaster03>	easwar: so /boot, /bin, /etc, /home and stuff would be removed before it even got to /var
18:34 <easwar>	Bodsda, I know,but those things were (unfortunately) disguised as help
18:34 <MichaelGodawski>	virtualization heaven :)
18:35 <easwar>	linkmaster03, citation needed
18:35 <forestpixie>	there are I believe some safeguards in jaunty 
18:35 <Bodsda>	easwar, yes, the forums will catch them pretty quick now, and kmandla has posted a harmful commands sticky thread explaining some of them
18:35 <linkmaster03>	eh google it
18:35 <easwar>	Bodsda, I know that,that's where I found out
18:36 <MichaelGodawski>	ok next point then: :)
18:36 <easwar>	and I wrote a thread too,asking exactly how they were disguised
18:36 <MichaelGodawski>	The Standards
18:36 <MichaelGodawski>	sh sh sh
18:36 <MichaelGodawski>	To enhance the security of Linux-Systems administrative tasks can only be executed with super-user (Administrator) privileges.
18:36 <MichaelGodawski>	With the prefix sudo the user can run a command with these privileges and change the system freely and without restrictions.
18:36 <MichaelGodawski>	Root is the Super-user in Linux. The Root can be compared to the Administrator in Windows. The root may do everything. The root may nuke his system, Linux/Ubuntu will kindly ask if the user really wants this to happen, and then it will explode.
18:36 <MichaelGodawski>	The Root can edit every single file on the system. Therefore it is rather dangerous to act as root the whole time.
18:36 <MichaelGodawski>	Root privileges are bound to time. So if the task at hand is accomplished, the super-user becomes a "normal" user again. This is reasonable, because every attacker which might somehow gain control over the system gains also the normal user rights, and not the root privileges.
18:37 <MichaelGodawski>	The Linux Standard
18:37 <MichaelGodawski>	During the installation a root account with a corresponding root password was created. Additional users with restricted rights were also set up. To do administrative tasks the user had use the Terminal: he/she had to switch with su (substitute user identity) and the root password into the role of the root. With exit the root became a normal user again.
18:37 <MichaelGodawski>	For a long period of time this was the usual procedure - but this method has some disadvantages:
18:37 <MichaelGodawski>	When you forget to exit the root mode, the system becomes vulnerable.
18:37 <MichaelGodawski>	You have to remember two different passwords: the root and the user password.
18:38 <MichaelGodawski>	The root account can be very seducing and can entice to do real damage
18:38 <MichaelGodawski>	The Ubuntu Standard
18:38 <MichaelGodawski>	of that the first user is able to activate root rights temporally.
18:38 <MichaelGodawski>	sry
18:38 <MichaelGodawski>	The Ubuntu developers followed a different path. A root account does exist, but it is disabled by default. Instead of that the first user is able to activate root rights temporally.
18:38 <MichaelGodawski>	This happens with the help of the terminal: sudo (super-user, do) in front of a command executes it with root right. Graphical applications are launched with gksudo or kdesudo respectively.
18:38 <MichaelGodawski>	So when Ubuntu asks you for a password, it is always the user (login) password. You won't see the password when you type it in into the Terminal; you have to type blindly, so to speak.
18:39 <MichaelGodawski>	Only users which belong to the admin group can gain root privileges. More precisely "for sudo, you do not need to be in the admin group; you only need access in the sudoers file, or in a group specified in the sudoers file; for su, you need to be in the admin group."
18:39 <MichaelGodawski>	More info on this topic can be found here:
18:39 <MichaelGodawski>	https://help.ubuntu.com/community/AddUsersHowto
18:39 <MichaelGodawski>	One disadvantage of this method might be the time-limited effect of the sudo command. You can extend the period however:
18:39 <MichaelGodawski>	https://help.ubuntu.com/community/RootSudoTimeout
18:39 <MichaelGodawski>	But it definitely has its advantages:
18:40 <MichaelGodawski>	More than once super-user can exist; they can have different rights.
18:40 <MichaelGodawski>	Time-limitations is set to 15 minutes, after this period of time the password must the re-entered.
18:40 <MichaelGodawski>	You have to remember only one password.
18:40 <MichaelGodawski>	The educational effect is bigger, because every time you do an important administrative task, the sudo password reminds you of it.
18:40 <MichaelGodawski>	Another advantage of sudo, it allows a graded access to root. The commands su (root environment) is all or none; but you can configure sudo such that a user may run some commands , but not others.
18:40 <MichaelGodawski>	To increase the time in which one have root privileges, for instance to run several commands, you can enter a pseudo-root-shell:
18:40 <MichaelGodawski>	command :     sudo -i
18:41 <MichaelGodawski>	and you can exit the root environment with the command :     exit
18:41 <MichaelGodawski>	END
}}}

----
CategoryBeginnersTeam