{{Header}}
{{Title|
title=Safely Use Root Commands
}}
{{#seo:
|description=Tips on using sudo / root (privileged) commands safely
|image=Root123123.jpg
}}
[[image:Root123123.jpg|250px|thumb]]
{{intro|
The root account is a special user account in Unix-based operating systems that has complete access to all files and commands on a system. It is typically used only for system administration tasks that require unrestricted access. This page gives tips on using sudo / root (privileged) commands safely.
}}
= Rationale =
What is the point on a typical single user Linux desktop computer of separating privileged administrator account (called root account) and limited user accounts (such as for example user user)?
It is assumed that most desktop computer users are single user computers. I.e. computers being used by only one person. Rather it is assumed that most users are only using a single login user account which will be refereed to as user user.
Quote [https://xkcd.com/1200/ xkcd authorization]:
If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.
[https://askubuntu.com/questions/16178/why-is-it-bad-to-log-in-as-root Quote] user discussion:
Most people will consider their home directory as more important than root dirs
Once a malicious program has access to my home folder, I dont care if it also has access to the admin content
This is true for most users using single user computers, using only one user account and no virtual machines. As a counter measure this is why this documentation [[Special:Search/compartmentalization|recommends compartmentalization]], that is, running different activities in different virtual machines or even on different hardware.
The rationale of prevention of root compromise has the following goals: [
Also see: [[Dev/Permissions|Permissions]].
]
* Protect the host operating system: Malware breaking out of the virtualizer is a lot harder without root access. [
https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301316132
] (Applies only when using virtual machines.)
* Protect the virtualizer: It is harder to attack the virtualizer without root access. (Applies only when using virtual machines.)
* Protect the hardware: A compromised host operating system might result in malware infecting the hardware, i.e. to avoid a persistent hardware backdoor (such as in BIOS or other firmware) surviving even re-installation of the host operating system. In many cases, root access is required before hardware can be attacked. [
For example flash utilities for Linux require root access. In theory, it's conceivable of software bugs in firmware of hardware resulting in hardware compromise without prior root compromise. No such examples happening in the wild where known to the author at time of writing.
]
* Protect against compromised non-root users: it is harder for potentially compromised other, non-root users (such as www-data) to access user user or other parts of the system.
* Sandboxing: Sandboxing applications can prevent applications getting exploited by attackers [
An exploit or payload might require a function which is unavailable inside the sandbox.
] or limit the severity of the exploit since if sandboxing is successfully, malware will be trapped inside the sandbox. Sandboxing is a lot harder, less efficient or even impossible when applications are running as root. See also [[AppArmor]], [[apparmor.d|apparmor.d (Full System AppArmor Profile)]] and [[sandbox-app-launcher]].
{{project_name_short}} implements various security hardening to [[Dev/Strong_Linux_User_Account_Isolation|Enforce Strong Linux User Account Isolation]].
Once proposal [[Dev/boot_modes|Multiple Boot Modes for Better Security (an Implementation of Untrusted Root)]] has been implemented there will be a strong guidance for users to better separate their limited (everyday use) account (user) and administrative account (admin). This would result in a robust [[root#Prevent Malware from Sniffing the Root Password|Prevention of Malware Sniffing the Root Password]].
= Default Passwords =
{{Default_Passwords}}
The default root account is locked (or should be locked). [
In new builds of {{project_name_long}} version ]15.0.0.3.6. Earlier {{project_name_long}} builds did not lock the root account by default and should be locked.
This is a purposeful security feature -- see below for further details.
It is [[Post_Install_Advice#Change_Passwords|recommended to change passwords]].
= General Security Advice =
Commands that require root permissions should be run individually using sudo. In all cases:
* Do not login as root.
* Do not run sudo su.
= Inappropriate Use of Root Rights =
Do not think of root as a shortcut to fix issues.
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text =
It is very much discouraged to establish the following behavior:
application problem → "try sudo / root".
Only use sudo / lxsudo / root if there is a strong rationale for doing so. Otherwise...
}}
Inappropriate Use of Root Rights:
* Can cause additional non-security related issues. [
* Applications supposed to be run as user but run as root might create root owned files. These file permissions error can lead to additional issues.
* Inter process communications such as with dbus might be broken.
] Related is also later chapter [[#Graphical Applications with Root Rights|Graphical Applications with Root Rights]].
* Security issue.
= Permissions Fix =
After [[#Inappropriate Use of Root Rights|inappropriate use of root rights]], attempt to fix:
{{Open a product ws terminal}}
Run the following command to reset permissions of user user's home folder /home/user back to owner user and group user.
{{CodeSelect|code=
sudo chown --recursive user:user /home/user
}}
= Graphical Applications with Root Rights =
'''1.''' Do not run graphical user interface (GUI) with sudo!
It is discouraged to run [https://www.computerhope.com/jargon/g/gui.htm graphical user interface (GUI)] applications with sudo gui-application.
* Never login as root as explained above.
* This includes, never use sudo su and then start GUI applications.
Doing so would be an [[#Inappropriate Use of Root Rights|Inappropriate Use of Root Rights]]. That would fail in many cases and is a limitation inherited from Debian. If this action is attempted, error messages like those below will appear. [
* https://help.ubuntu.com/community/RootSudo#Graphical_sudo
* https://www.psychocats.net/ubuntu/graphicalsudo
]
No protocol specified
cannot connect to X server :0
'''2.''' If there is a legitimate reason to start GUI applications with root rights, use lxsudo instead. [
* Reason primarily: not breaking the system, reliability. Non-reason: security.
* https://askubuntu.com/questions/270006/why-should-users-never-use-normal-sudo-to-start-graphical-applications
* In past there was ]gksudo, kdesudo. Nowadays with more and more applications using PolicyKit or polkit, these applications are no longer available as of Debian buster. lxsudo is an alternative.
Syntax:
{{CodeSelect|code=
lxsudo application-name
}}
For example to start the partition manager gparted by default with root rights.
{{CodeSelect|code=
lxsudo gparted
}}
[
]sudo with -H / --set-home would also be OK. Syntax:
{{CodeSelect|code=
sudo -H application-name
}}
Or.
{{CodeSelect|code=
sudo --set-home application-name
}}
For example to start the partition manager gparted by default with root rights.
{{CodeSelect|code=
sudo -H gparted
}}
Or.
{{CodeSelect|code=
sudo --set-home gparted
}}
'''3.''' To edit files which can only be edited with root rights. Use the following syntax.
Note: Replace /path/to/file/name with the actual path to the file.
{{Open with root rights|filename=
/path/to/file/name
}}
For example to open file /etc/default/keyboard with root rights, use.
{{Open with root rights|filename=
/etc/default/keyboard
}}
= Polkit PolicyKit pkexec =
Use of [https://en.wikipedia.org/wiki/Polkit Polkit] (formerly PolicyKit) (pkexec) might also be appropriate for running GUI applications with root rights. Usually such applications should have desktop shortcuts or wrappers which make use of pkexec. There are no (or rare) known cases where users need to run pkexec on the command line.
= Wayland =
Running GUI applications as root (lxsudo, sudo --set-home, pkexec will no longer work when {{project_name_long}} has been ported from X11 to Wayland or when using [[Other Desktop Environments]] using Wayland because Wayland prohibits running GUI applications as with root rights.
For applications doing actions that require root rights to be compatible with Wayland, application developers need to modify these to run the GUI part of the application as non-root and then use pkexec (or sudo --non-interactive with sudoers exceptions) to run the parts which actually require root rights.
Update: It might be possible to run applications as root on Wayland. Untested.
{{CodeSelect|code=
sudo QT_QPA_PLATFORM=wayland XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR application-name
}}
= Root Account =
== Enable Root Account ==
For [[#Rationale|security reasons]] the root account is locked and expired by default in {{project_name_short}} 15.0.0.3.6 and above. For most users there should be no need to use the root account. If it must be enabled for some reason, run the following commands.
([[Qubes|{{q_project_name_long}}]]: {{project_name_gateway_long}} Template)
If you can use sudo, you can skip the following box.
{{box|text=
If you cannot use sudo:
* [[Qubes|{{non_q_project_name_short}}]]: Boot into [[Recovery#Recovery_Mode|recovery mode]].
* [[Qubes|{{q_project_name_short}}]]: Open a [[#qubes root console|Qubes Root Console]].
}}
'''1.''' Unexpire the root account.
{{CodeSelect|code=
sudo chage --expiredate -1 root
}}
'''2.''' Set a root password.
According to the [[Post_Install_Advice#Change_Password|Change Password]] instructions. Note: These instructions are for the the user user account. Replace user user with root.
== Disable Root Account ==
[[Old Stable and Earlier Releases|Earlier versions]] of {{project_name_short}} (version numbers lower than 15.0.0.3.6) come with the root account enabled by default. Most users should disable it by running the following commands.
([[Qubes|{{q_project_name_short}}]]: {{project_name_gateway_short}} Template).
Lock the account.
{{CodeSelect|code=
sudo passwd --lock root
}}
[
No longer expiring the root account since this broke adduser, see: https://forums.whonix.org/t/restrict-root-access/7658/59
(To prevent SSH login, see: [https://www.cyberciti.biz/faq/linux-locking-an-account/ Linux Locking An Account]. This might prevent other login methods but this requires further investigation.)
{{CodeSelect|code=
sudo chage --expiredate 0 root
}}
]
In the future, [[#General Security Advice|use sudo instead]] when it is necessary.
{{Anchor|unlock}}
= Reset User Account Password =
The following steps can be used in case the password has been forgotten and needs to be reset.
{{Box|text=
'''1.''' Launch a root terminal.
* [[Qubes|{{non_q_project_name_short}}]]: Boot into [[Recovery#Recovery_Mode|recovery mode]].
* [[Qubes|{{q_project_name_short}}]]: Open a [[#qubes root console|Qubes Root Console]].
'''2.''' Notes.
* This process will be similar to the [[Post_Install_Advice#Change_Password|change password]] wiki chapter which is recommended to read as it contains instructions / links on how to change and test the keyboard layout.
* This is [[unspecific|unspecific to {{project_name_short}}]]. It should be a very similar process on Debian or most other Linux distributions. It can also be resolved as per [[Self Support First Policy]].
'''3.''' Set a new password.
Run the following command.
{{CodeSelect|code=
sudo passwd user
}}
'''4.''' Reboot.
{{CodeSelect|code=
sudo reboot
}}
'''5.''' Done.
The process of password reset has been completed.
}}
= Unlock User Account: Excessive Wrong Password Entry Attempts =
The following steps can be used in case the user entered the wrong password too many times which resulted in the user account being automatically locked.
{{Box|text=
'''1.''' Launch a root terminal.
* [[Qubes|{{non_q_project_name_short}}]]: Boot into [[Recovery#Recovery_Mode|recovery mode]].
* [[Qubes|{{q_project_name_short}}]]: Open a [[#qubes root console|Qubes Root Console]].
'''2.''' Run the following command.
* {{project_name_short}} 16 and above: {{CodeSelect|code=
sudo faillock --user user --reset
}}
}}
{{Anchor|console}}
= Console Unlock =
{{Box|text=
'''1.''' Launch a root terminal.
* [[Qubes|{{non_q_project_name_short}}]]: Boot into [[Recovery#Recovery_Mode|recovery mode]].
* [[Qubes|{{q_project_name_short}}]]: Open a [[#qubes root console|Qubes Root Console]].
'''2.''' Run the following command. Replace user with the linux user account name which should be allowed to login on the console.
{{CodeSelect|code=
sudo addgroup user console
}}
}}
= Advanced Users =
== Prevent Malware from Sniffing the Root Password ==
Any graphical application can see what is typed in another graphical application, for any user. [
[https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html Quote] Joanna Rutkowska, security researcher, founder and advisor (formerly architecture, security, and development) of Qubes OS: ]One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.
[If an application is compromised with an exploit due to a security vulnerability, it can be used as malware by the attacker. Once/if the application is not effectively confined by a mandatory access control (MAC) framework like AppArmor or firejail, it can compromise the user account where it is running and then proceed from there.] Therefore it is [[#Rationale|safer]] to create a special, new user account that is less likely to have been compromised, since this reduces the chances of malware sniffing the password to gain root access.
This process is currently for advanced users only since it is quite cumbersome, i.e. has bad usability. The usability of this will be improved once proposal [[Dev/boot_modes|Multiple Boot Modes for Better Security (an Implementation of Untrusted Root)]] has been implemented.
To more securely perform administrative tasks that require root access:
# Prerequisite knowledge: [[Desktop#Virtual_Consoles|how to switch to a different virtual console]], [[SysRq|usage of the SysRq key]] and [[Login spoofing|login spoofing]].
# These instructions are ideally applied after installing the host / VM when it is still considered free of [[Malware and Firmware Trojans|malware]].
# Create a new user account admin.
# Add it to the group sudo.
# Login as user admin.
# Remove user user from group sudo.
# Only then perform administrative tasks according to the instructions below.
This setup only needs to be completed once.
([[Qubes|{{q_project_name_short}}]]: {{project_name_workstation_long}} Template)
{{Box|text=
'''1.''' Create a new user account admin.
{{CodeSelect|code=
sudo adduser admin
}}
'''2.''' Add user admin to group sudo.
{{CodeSelect|code=
sudo addgroup admin sudo
}}
}}
Perform the following steps securely using sudo. Use one of the methods below.
=== Non-GUI Environment Method ===
* Advantage: can keep current user session(s) and/or graphical session (X Window System) running.
* Disadvantage: cannot use graphical session during administrative tasks. [
Unless perhaps advanced users manage to run a different X server on a different virtual console. This might not be possible, secure. Depends on if the exclusive lock of X can be suspended while using an X server in a different virtual console. This has not been researched.
]
{{Box|text=
'''1.''' Make sure keyboard gets disconnected from X Window System to [[Login spoofing|defeat login spoofing]]. (unraw) [
This step might be unnecessary. Not researched yet.
]
[[SysRq]] + w
(Press Alt + SysRq + w)
'''2.''' Switch to another [[Desktop#Virtual_Consoles|virtual console]].
(Press Alt + Crtl + F2) [
Pressing ]Alt + Crtl + F7 results in tty2.
This is to make these instructions compatible with most Linux distributions as well as Qubes.
* Most Linux distributions login CLI virtual consoles on tty1 (Alt + Crtl + F1) by default and X Window System on tty7 (Alt + Crtl + F7).
* Qubes X Window System by default runs on tty1. (Alt + Crtl + F1)
tty2 (Alt + Crtl + F2) will be most most users an unused virtual console which can be used for the purpose of this chapter.
'''3.''' Press Secure Access Key also to [[Login spoofing|defeat login spoofing]].
[[SysRq]] + k
(Press Alt + SysRq + k)
'''4.''' Login as user admin from that non-graphical environment ([[Desktop#Virtual_Consoles|virtual console]]). [
A X Window System non-root user cannot sniff key strokes of different (non-)root users utilizing a different virtual console (]tty).
'''5.''' Perform any necessary administrative tasks.
'''6.''' Remove user user from group sudo.
Note: This only needs to be performed once.
{{CodeSelect|code=
sudo delgroup user sudo
}}
'''7.''' Logout user admin.
{{CodeSelect|code=
logout
}}
'''8.''' Switch back to previous virtual console.
X Window System runs in:
* most Linux distributions: virtual console 7 (Press Alt + Crtl + F7)
* Qubes: virtual console 1 (Press Alt + Crtl + F1)
'''9.''' Re-login if needed and continue usual work as user user.
}}
=== Logout Method ===
* Advantage: can use graphical session (X Window System) during administrative tasks using privileged user admin.
* Disadvantage: cannot keep graphical session of unprivileged user user running. In other words, simplified, all applications run under user user will be terminated. [
Non-simplified: applications run by user ]user in a different virtual console or run through systemd (user) services can be left running.
{{Box|text=
'''1.''' Terminate all running applications in current graphical (X) session.
'''2.''' Log out.
start menu -> log out
'''3.''' Make sure keyboard gets disconnected from X Window System to [[Login spoofing|defeat login spoofing]]. (unraw) w
(Press Alt + SysRq + w)
'''4.''' Press Secure Access Key also to [[Login spoofing|defeat login spoofing]].
[[SysRq]] + k
(Press Alt + SysRq + k)
'''5.''' Login as user admin.
'''6.''' Perform any necessary administrative tasks.
'''7.''' Remove user user from group sudo.
Note: This step only needs to be performed once.
{{CodeSelect|code=
sudo delgroup user sudo
}}
'''8.''' Logout user admin.
'''9.''' Re-login as user user.
'''10.''' Continue usual work as user user.
}}
== Substitute User (su) Command ==
The majority of users do not need to utilize the su command. [
]su is sometimes incorrectly referred to as the ''superuser'' command. [http://www.linfo.org/su.html It allows]:
... a change to a login session's owner (i.e., the user who originally created that session by logging on to the system) without the owner having to first log out of that session.
Although su can be used to change the ownership of a session to any user, it is most commonly employed to change the ownership from an ordinary user to the root (i.e., administrative) user, thereby providing access to all parts of and all commands on the computer or system.
By comparison, sudo makes it possible to execute system commands without the root password.
.
In {{project_name_short}}, by default:
* [https://github.com/{{project_name_short}}/security-misc/blob/master/usr/share/pam-configs/wheel-security-misc group sudo membership is required to use su]. [
Implemented in package [https://github.com/{{project_name_short}}/security-misc security-misc].
]
* User user is a member of group sudo. ([[Dev/boot_modes|This might change in a later release.]])
{{Box|text=
To permit the su command from user user, complete the following steps.
([[Qubes|{{q_project_name_short}}]]: perform these steps in {{project_name_gateway_short}} Template.)
'''1.''' [[#Enable Root Account|Enable the root account]].
'''2.''' Add user user to group root.
{{CodeSelect|code=
sudo adduser user root
}}
'''3.''' [[SUID_Disabler_and_Permission_Hardener#Re-enable_Specific_SUID_Binaries|Re-enable SUID]].
Set suid. Note: It is okay if the second command fails.
{{CodeSelect|code=
sudo permission-hardener /bin/su
sudo permission-hardener /usr/bin/su
}}
[
{{CodeSelect|code=
sudo chmod 4755 /bin/su
sudo chmod 4755 /usr/bin/su
}}
]
'''4.''' [[SUID_Disabler_and_Permission_Hardener#Whitelist_Specific_SUID_Binaries|Add SUID whitelisting]].
{{CodeSelect|code=
sudo mkdir -p /etc/permission-hardener.d
}}
{{Open with root rights|filename=
/etc/permission-hardener.d/20_user.conf
}}
Add.
{{CodeSelect|code=
/bin/su exactwhitelist
/usr/bin/su exactwhitelist
}}
'''5.''' Save.
'''6.''' Done.
Steps to permit su command from user user are complete.
}}
{{Anchor|login}}
== Root Login ==
Root login within a [[Desktop#Virtual_Consoles|virtual console]] will be disabled by default after upgrades. [security-misc ][https://github.com/{{project_name_short}}/security-misc/blob/master/etc/securetty.security-misc /etc/securetty] is empty by default. [When trying to login as root in a [[Desktop#Virtual_Consoles|virtual console]] it will reply: ]
Login incorrect.
Without previously asking for a password. This is not the worst case for usability and is better than asking for password and then failing.
To enable login from a [[Desktop#Virtual Console|virtual console]], first apply the [[#Enable Root Account|Enable Root Account]] instructions further above, then complete the steps below.
{{Box|text=
'''1.''' To allow root login, /etc/securetty must be configured. [
]sudoedit will not follow symlinks, therefore realpath is used.
{{Open with root rights|filename=
$(realpath /etc/securetty)
}}
'''2.''' Add the following content.
Note: Add one or more tty depending on your circumstances; see file /etc/securetty.security-misc-orig.
* [[Qubes|{{non_q_project_name_short}}]]:
{{CodeSelect|code=
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
}}
* [[Qubes|{{q_project_name_short}}]]:
{{CodeSelect|code=
hvc0
}}
'''3.''' Save the file.
}}
== Recovery Mode ==
Root login is possible using [[Recovery#Recovery_Mode|recovery mode]]. [
https://forums.whonix.org/t/restrict-root-access/7658/46
]
When the root account is disabled, passwordless root login using recovery mode is possible; see below for the security impact.
{{anchor|qubes root console}}
== Qubes Root Console ==
{{Box|text=
'''1.''' Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
'''2.''' Run the following command.
Replace vm-name with the name of the actual VM where you want to open a root console.
{{CodeSelect|code=
qvm-run -u root vm-name xfce4-terminal
}}
}}
== Passwordless Recovery Mode Security Discussion ==
This is only relevant on the host and not inside virtual machines.
Passwordless recovery mode is allowed because a locked root password would break the rescue and emergency shell. Therefore the [https://github.com/{{project_name_short}}/security-misc security-misc] package enables a passwordless rescue and emergency shell. This is the same solution that Debian will likely adapt for Debian installer. [
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
* /etc/systemd/system/emergency.service.d/override.conf
* /etc/systemd/system/rescue.service.d/override.conf
]
With passwordless root login, using recovery mode is allowed (through use of the security-misc package) on the host. To prevent adverse security effects posed by lesser adversaries with physical access to the machine, set up BIOS password protection, bootloader grub password protection and/or [[Full_Disk_Encryption|full disk encryption]].
{{Anchor|dsudo}}
== dsudo - default password sudo ==
dsudo is a {{project_name_short}} specific feature. [
https://forums.whonix.org/t/dsudo-default-password-sudo/8766
]
As long as still using the [[#Default Password|default password]] (not having [[Post_Install_Advice#Change_Passwords|changed sudo password]]), commands can be run as root without entering a password. This is useful for users having issues with [[Keyboard Layout|changing the keyboard layout]] and for testing VMs.
Instead of using
{{CodeSelect|code=
sudo
}}
use
{{CodeSelect|code=
dsudo
}}
= See Also =
* [[SysRq|System Recovery using SysRq Key]]
* [[Login spoofing]]
* [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
= Development =
* {{project_name_short}} code: [https://github.com/{{project_name_short}}/security-misc/pull/22 Restrict access to the root account].
* https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/68
* https://forums.whonix.org/t/should-lesser-adversaries-with-physical-access-be-part-of-the-threat-model-of-whonix-whonix-host-kicksecure/7997
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}