A Root Shell On Ubuntu : The Right Way

By | 2008/05/09

Just the other day we were having a discussion on using the root shell in Ubuntu. Now, remember, the root user account is disabled with no assigned password on a default Ubuntu system, so administrative tasks need to be done using the sudo command. For nearly all of the administration you would need to do, sudo will be adequate. There are occasionally those fringe cases where you might require a root shell. Below I have a few alternatives and then, if you must, the correct way of opening a root shell.

For more information please see the RootSudo page on the Ubuntu Community Wiki.

Alternatives To A Root Shell

One of the most common reasons that a user might need a root shell is that output redirection does not work as expected while using sudo. This can be worked around fairly easily. Let me outline an example:

sudo echo "foo" > /root/somefile

The above example will not work: the redirection is performed by your own shell before sudo runs, so only echo runs as root, and the normal user does not have access to write to the root user's home directory.

An alternative that will work would look something like this:

echo "foo" | sudo tee /root/somefile

This will echo the output on the console, but the tee command ('man tee' for more information) will also take that output and write it to the file as expected. Also note that 'tee -a' will work in the same fashion as >>, appending the data to the current file instead of overwriting it.

The Proper Way To A Root Shell

If you still need a root shell (perhaps you’ve come across a different scenario? perhaps you’re just lazy? perhaps you’re coming from another distribution?) let me outline the proper way to gain a root shell.

DISCLAIMER: This should be avoided if at all possible.  It is not suggested to run a root shell on an Ubuntu system.  Use at your own risk.  See examples above, etc.

sudo -i

The command sudo -i is the equivalent to the 'su -' command.  This will properly change to the root user, switch to the root user’s home directory, use his (her?) environment values, etc.

sudo -s

The command sudo -s is the equivalent to the 'su' command.  This will change to the root user but will not properly use his (her?) environment values, etc.

The WRONG Way To A Root Shell

Please DO NOT use the following methods to gain root access:

sudo bash, sudo sh, sudo su -, sudo su, sudo -i -u root

If you currently do use these methods this post was written for you!

UPDATE: Based on the feedback in the comments for this post I’ll try to expand the reasoning on *why* the right way is the preferred way.

First of all we need to understand some background information.  When a user creates a session there are a number of environment values that are set.  To have a look at some of these try this command:

env

This will output a number of details about the current working environment. These environment values may be different for different users. Some of the values are generated by way of the .bashrc file (assuming a bash shell, of course), the .bash_profile, etc. Take a look at the .bashrc in your user's home directory and compare it with the .bashrc in root's home directory.

diff -u ~/.bashrc /root/.bashrc

You should see some differences, and this is just from one of the multiple files that are read during a proper login.

When creating a root shell by using ‘sudo bash’ you are not incorporating the root environment properly. You are creating a shell with root privileges but the env output is still that of your user. Each user, whether unprivileged or root, should have unique environment settings to truly be that user. This will be the case for ‘sudo bash’, ‘sudo su’ and ‘sudo sh’.
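
The difference described above can be checked by saving the env output of each kind of root shell and comparing the dumps. The script below is an added example, not part of the original post: the function names and both sample dumps are constructed for illustration, and it flags variables in a root shell that still point into the invoking user's home directory (assumed here to be /home/user).

```shell
#!/bin/sh
# Added example: compare saved env dumps from two root shells (sample data
# below is constructed). Real dumps could be captured with, for example:
#   sudo -i env > login.env ; sudo bash -c env > nologin.env

# env_delta A B: print "-LINE" for lines only in A, "+LINE" for lines only in B.
env_delta() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    LC_ALL=C sort "$1" > "$_a"
    LC_ALL=C sort "$2" > "$_b"
    LC_ALL=C comm -23 "$_a" "$_b" | sed 's/^/-/'
    LC_ALL=C comm -13 "$_a" "$_b" | sed 's/^/+/'
    rm -f "$_a" "$_b"
}

# user_paths DUMP HOME_DIR: names of variables with a ':'-separated component
# equal to HOME_DIR or located beneath it (one NAME=value per line assumed).
user_paths() {
    awk -F= -v home="$2" '{
        val = substr($0, length($1) + 2)      # everything after the first "="
        n = split(val, part, ":")
        for (i = 1; i <= n; i++)
            if (part[i] == home || index(part[i], home "/") == 1) {
                print $1; break
            }
    }' "$1" | LC_ALL=C sort
}

# write_samples DIR: constructed dumps, not output captured from a real host.
write_samples() {
    cat > "$1/nologin.env" <<'EOF'
USER=root
HOME=/home/user
XAUTHORITY=/home/user/.Xauthority
PATH=/home/user/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
SUDO_USER=user
EOF
    cat > "$1/login.env" <<'EOF'
USER=root
HOME=/root
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
SUDO_USER=user
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
env_delta "$demo_dir/nologin.env" "$demo_dir/login.env"
echo "Variables in the non-login dump that point into /home/user:"
user_paths "$demo_dir/nologin.env" /home/user
rm -rf "$demo_dir"
```

A root shell whose PATH or HOME still resolves into an unprivileged user's directory will run or read files that user controls, which is the practical reason to prefer a shell that loads root's own environment.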

39 thoughts on “A Root Shell On Ubuntu : The Right Way”

  1. alphager

    I keep hearing that “sudo bash” is bad, but I never see an explanation.
    Why is “sudo bash” considered harmful?

  2. PRK

    Interesting post. I do use sudo su. An explanation as to why this should not be used will be very helpful. Thanks!

  3. Christer Edwards Post author

    @alphager – ‘sudo bash’ will no longer have any of the benefits of the sudo system, i.e. auditing, granular access controls, environment inheritance, etc. See the link to the wiki for more benefits of sudo, most of which are lost using ‘sudo bash’ or similar.

  4. mirada

    I get root access in a way that isn’t even listed here – I just went into recovery mode and made a password for the root account.

    Personally I like it this way – for basic tasks I just use sudo, but for the more involved tasks I can use su.

  5. Waldo

    Seriously– this is a nice article but it’s missing the most important part–educating the reader about what’s wrong with sudo bash!

    Because that’s what I almost always use… so what am i doing wrong?

  6. Vadim P.

    I was hoping PolicyKit would solve the need for “sudo nautilus” or “sudo gedit”, but it didn’t. It’s such a pain to re-do work if you forget to put sudo in front…

  7. Christer Edwards Post author

    @Vadim – check out the RootSudo link I have posted. You should be using ‘gksudo gedit’ or ‘gksudo nautilus’ instead as well.

  8. Manuel

    I don’t see the differences between sudo -s (the one I use) and sudo bash.

    In both I don’t get to use the root’s environment values.

  9. Andrew Zajac

    To avoid a lot of garbage being sent to the console when zcatting a binary file, you can redirect to /dev/null:

    zcat file.gz | sudo tee /dev/device >/dev/null

    Now that more closely resembles the behavior you would expect from:

    sudo zcat file.gz > /dev/device

    BTW, this used to work using Gutsy. What exactly has changed in Hardy?

  10. Bob

    I see the issue with “sudo bash” but why wouldn’t “sudo su -” get the proper environment?

  11. Ami

    Hmm. “sudo su -” to do the job.

    Unless there’s some sort of security issue with what I do now, I honestly can’t think of any way my life could possibly be improved by using “sudo -i” instead. Not that it would hurt either, but my fingers are well-trained to my current method.

  12. Hugo Heden

    Manuel: Correct, in neither case you get the root’s environment.

    However, (if I understand this article correctly?), in the “sudo -s” case, you don’t get the environment of any particular user, while with “sudo bash” you get the environment of your normal user. The latter is considered bad. But why?

  13. troy

    Thank you! I’ve always used sudo su -, but the X display env var doesn’t get set. Using -i it does!!!

  14. Waldo

    Hugo- I don’t get it either. I’ve never had any issue with the normal user environment…

    W

  15. Mackenzie Morgan

    Count me as another that wants to know what’s the difference between “sudo -i” and “sudo su -” Either way you get root’s env, so what difference is it? Ditto on “sudo -s” v “sudo su” Either way, no root env…

  16. Kai

    The reason why “sudo su” and “sudo su -” are considered the wrong way is that they take unnecessary detours. At least that’s my take on it.

    “sudo -s” becomes root when executed, reads the password, then starts a shell.

    “sudo su” becomes root when executed, reads the password, then starts su, which looks whether it needs to read the password, discovers that it is already root, says “huh?” to itself, and starts a shell.

    The extra work just feels wrong to me.

    Whereas “sudo -s” starts the shell mentioned in $SHELL (or /etc/passwd if $SHELL is not set), “sudo bash” always invokes bash. I wouldn’t say that makes it wrong, just different. But I can see how “sudo -s” would follow the principle of least astonishment, where the user gets their normal shell they are used to without having to remember what exactly that shell is.

  17. huz

    Interesting… I diffed ‘sudo su -’ and ‘sudo -i’:

    - = sudo su -
    + = sudo -i

    -MAIL=/var/mail/root
    -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    +SUDO_USER=user
    +SUDO_UID=1000
    +USERNAME=root
    +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
    +SUDO_COMMAND=/bin/bash
    +SUDO_GID=1000
    +DISPLAY=:0.0
    +XAUTHORITY=/home/user/.Xauthority
    +COLORTERM=gnome-terminal

    So I guess the author is wrong – ‘sudo su -’ seems to be the cleanest approach. sudo -i however allows you to start X apps, so it’s more convenient.

  18. huz

    I did another diff:

    - = sudo su -
    + = direct root login from console

    -TERM=xterm
    +TERM=linux
    +HUSHLOGIN=FALSE
    -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

  19. Bob

    There’s also “sux” if you want the X stuff put through. “sudo sux -”

  20. Trey

    Could always add the menu entry for a root shell through System > Preferences > Main Menu. The option is under System Tools.

    (assuming you use gnome)

  21. Myron

    I think “huz” really showed why you do not want to use sudo su. One reason sudo is used instead of direct root access is to allow auditing what you did with your root access. Based on that output, it looks like sudo su may defeat the auditing, but I am not a system administrator and do not know the low-level system commands so I could be way off base here.

  22. Roger

    Someone posted a link to this URL on my blog saying:

    “…link above states that you should not use “sudo su” to create a root shell, but instead use “sudo -i” or “sudo -s”…”

    I liked the post, but it’s made me wonder a bit here…

    One thing to clarify though sudo -s is the equivalent of sudo su (which is mentioned here), using either command will provide root permissions. So… I’m not really sure what the difference would be? – Because this still gives me root’s environment. Right?

    However, if I sudo -i then I’ll again get root permissions AND change the (now rooted access) to the user’s (my root) environment (home directory, etc.) I think sudo -i is best used when security is an issue? Is that right? But isn’t that what sudo -s does?

    Please could you clarify? :) I’m not by any stretch of the imagination a Linux expert, but I’d really like to know what the difference is?

    It just seems to me that with sudo su (sudo -s) and sudo -i, I still get root’s environment.

    Am I missing something here? :)
    Thanks!

  23. Gill Bates

    You do not need to use ‘sudo sux’; just ‘sux’ will work fine. This is my old-skool preferred way to get root.

  24. Gill Bates

    If you check out the various sudo docs, you can set up sudo where users do not even have to enter the sudo password. Or you could set it up where you don’t need the sudo password for specific programs/commands.

  25. hein

    ‘sudo su’ makes no sense – you can’t get root twice.

    The annoying thing in Ubuntu is that even after I created a working root account with ‘sudo passwd’, I don’t get a working root shell (even when “cleaning” a runlevel to have a non “X” or “kdm/gdm…” init).
    In Kubuntu 8.04 64bit there is no ‘sbin’ directory in the path.
    That makes it complain about missing packages, but they are there, and it breaks scripts.

    I see no point in all this security blah blah.
    The standard home “play a bit around” user will normally not lose much, even if he has to reinstall everything because he broke his system – (and if you read all the forums out there, that’s what most of them do, if they don’t know any further)
    And the admin of a production system should know what he does when being root, because he can’t do it without a proper root shell.
    I want to have full control over my system – if I want to be locked out of “dangerous” things and if I want to have things hidden before me, I can use Vista because that’s what it reminds me of, if I have to manipulate 1000 things before I can work the way I need and want to…

  26. Paul

    If you have your user environment set up the way you want/need it for sudo bash to work for you, then it doesn’t matter. It is much easier to sudo -i than to spend hours or days fiddling with your env, however much fun that might be for some ubergeeks :)

  27. WinSupporter

    I am a professional Win-PC-Supporter, know ALL tricks in Windoofus.

    This Linux is better than Win, but not really "good". If I would develop a system, I wouldn't ever dream of making it controllable by complex shell commands. This Linux is INTERIORALLY well-built, ordered, but the noob as well as the a LITTLE more experienced users have NO way of getting to know QUICKLY how certain CRUCIAL and TOTALLY necessary parts of the system can be accessed.

    Currently, I am trying (and succeeded in) installing Antivir from AVIRA. All went fine, he's even telling me the proggy is running, also the Zudoku or whatever went fine.

    BUT I don't SEE the program! ALL hints how to bring up one small symbol of Antivir resulted in NOTHING. Just NADA, YADA YADA happens when I type "antivir-gui" or something.

    Now, ALSO, I cannot even bring up ANY shell. I downloaded Hotwire shell thru the Kubuntu-setup ( I got Kubuntu), there, nothing too.

    Also, the system tells me root logins are not allowed when I try to login as root.

    I think Linux lacks EASY transparency. You just can't see whaAAAz SAPPENIN in behind…. oh well, most win-users don't either… really many people are so paranoid in the wrong way…

    … for me, in Linux, its like on a snowboard. I skied since 2 yrs old, now I monoski, but SNOWBOARD, there, I get further like 2 meters in some 10 minutes. Not used to this. Even me, world's best pc supporter. Its a long way to the top if ya wanna rockn roll….

  28. WinSupporter

    oh, I really forgot to mention I am using Kubuntu under VMWARE 6.5 in WinXP64.

    I got Antivir in my base XP64.

    But I think it should also "work", in Kubuntu under VMWare, I mean Antivir in Kubuntu IS installed AND running, I just can't access it, not even thru any command as mentioned on Wiki and at other sites. I know already that the proggy is installed into usr/lib/Antivir or something.

    I would like to go into a shell, go into that directory, and be able to really execute commands or scripts from there. HOW? Google NOT ONE, but really MANY nights thru for that? Won't someone… give a gun… oh, well its for my pc…. (suede, altered)

  29. WinSupporter

    ok guys n gals, that guy im gonna cite now just wrote all that stuff that comes right now after – he is saying EXACTLY the PUREST system truth about (k)ubuntu. ITS THAT I ALSO asked myself when I chose some ssystems to install on my vmware 6.5. Kubuntu SEEMED like a good mod of ubuntu, which IS userfriendly, BUT WHEN you got a problem THEN u got one, for SURE, AND for goode. NOT GOODE AT ALL. I ALSO want control over my sys. HEY HEY. For a supporter, Kubuntu is a nono. Ill go into debian and mandrake or somethin. also mandriva is a crap like uschmuntu. in german "jetzt wirds mir ZU BUNTU" (Now it gets too coloured for me, adios!")

    –> the truth about kubuntu: "

    'sudo su' makes no sense – you can't get root twice.

    The annoying thing in Ubuntu is that even after I created a working root account with 'sudo passwd', I don't get a working root shell (even when "cleaning" a runlevel to have a non "X" or "kdm/gdm…" init).

    In Kubuntu 8.04 64bit there is no 'sbin' directory in the path.

    That makes it complain about missing packages, but they are there, and it breaks scripts.

    I see no point in all this security blah blah.

    The standard home "play a bit around" user will normally not lose much, even if he has to reinstall everything because he broke his system – (and if you read all the forums out there, that's what most of them do, if they don't know any further)

    And the admin of a production system should know what he does, when being root because he can't do it without a proper root shell.

    I want to have full control over my system…"

  30. WinSupporter

    ok, I found out I just gotta use whatever commands executable in a terminal, openable by some path along the startmenu shortcuts, BUT as SOON as i try to up FRIGGIN DATE, huhu, that mister anitivir under mister kubuntu, it says oh no sireee weezer i dont give ya permission bro, nono hehe, like that:

    UserX@MAchineX:/usr/lib/AntiVir$ avupdate --product='Guard'
    Updating, please wait…
    Error: Open file /var/log/avupdate.log failed. Error: Permission denied
    userX@MachineX:/usr/lib/AntiVir$ avupdate -c --product='Guard'
    Checking for updates…
    Error: Open file /var/log/avupdate.log failed. Error: Permission denied

    –> as i said, rather some serious version of linux than this. Im sure there are several solutions, please post if u REALLY know one, but its all not so clear than in Win, sadly, STILL. this COULD be different, just gotta find MY linux.

  31. WinSupporter

    its clear what you and i all wanna do. execute that avupdate under root account privileges. HOW? as many others i shout out to the net, please bring me the seven percent solution, i dont wanna search oll those millionso of acres of haystacks — i seen the needle and the damage done, a little part of it in evryone, but evry junkie's like a settin' sun… (neill young)

  32. WinSupporter

    uhuh, before i go into some kind of button on the right of a conqueror or so, its called oh i forgot, ill take another sip, u never know hu .-)))) cut then, suddenly a window pops up with other colors than mine, where u can access stuff under root privs. i wonder if i can execute that updater file like in that terminal… gosh my cat always miouws he is old and now has cancer…. they all wanna be taken care of, systems as well as pets and humans… i should make more ads for my support service and gain lots dough…. but until i can support linux, its a long way til you're over the top like Sly with his son in the truck…. .-)))

  33. WinSupporter

    all is well xept roswell,

    –> " :/usr/lib/AntiVir/gui/bin$ sudo avupdate --product='Guard'
    [sudo] password for st:
    Updating, please wait…
    Updated files:
    hbedv_key
    Update finished successfully" .-)

  34. WinSupporter

    you just type in sudo avupdate while being in the directory of antivir in usr/lib and thats it. now how i will access the gui of antivir is a whole different question, but im happy with the console version too…

  35. Eli the Bearded

    “The command sudo -s is the equivalent to the ‘su’ command.”

    This is a falsehood. ‘su’ will change to the user and run the default shell of the target user. ‘sudo -s’ is functionally equivalent to “sudo $SHELL”: it changes to the user but runs the default shell of the calling user.

    For superstitious reasons I never change the default shell of the root account, but you can be sure I customize my own account extensively. And /bin/bash (or /bin/sh) is not my first choice of shell. When I want to be root, I almost always want my default shell and my environment. Your tastes may vary, but I’ve been including settings based on the current user in my dot files since the mid-90s.
