Ubuntu Tutorials

Just the other day we were having a discussion on using the root shell in Ubuntu.  Now, remember, the root user account is disabled with no assigned password on a default Ubuntu system so administrative tasks need to be done using the sudo command.  For nearly all of the administration you would need sudo will be adequate.  There are occasionally those fringe cases where you might require a root shell.  Below I have a few alternatives and then, if you must, the correct way of opening a root shell.

For more information please see the RootSudo page on the Ubuntu Community Wiki.

Alternatives To A Root Shell

One of the most common reasons that a user might need a root shell is due to output redirection not working as expecting while using sudo.  This can be bypassed fairly easily.  Let me outline an example:

sudo echo "foo" > /root/somefile

The above example will not work because the normal user does not have access to write to the root user home directory, and combining the redirection in the command we’ve lost sudo access.

An alternative that will work would look something like this:

echo "foo" | sudo tee /root/somefile

This will echo the output on the console but the tee command ('man tee‘ for more information) will also take that output and write it to the file as expected.  Also note that 'tee -a' will work in the same fashion as >>, appending the data to the current file vs overwriting.

The Proper Way To A Root Shell

If you still need a root shell (perhaps you’ve come across a different scenario? perhaps you’re just lazy? perhaps you’re coming from another distribution?) let me outline the proper way to gain a root shell.

DISCLAIMER: This should be avoided if at all possible.  It is not suggested to run a root shell on an Ubuntu system.  Use at your own risk.  See examples above, etc.

sudo -i

The command sudo -i is the equivalent to the 'su -' command.  This will properly change to the root user, switch to the root user’s home directory, use his (her?) environment values, etc.

sudo -s

The command sudo -s is the equivalent to the 'su' command.  This will change to the root user but will not properly use his (her?) environment values, etc.

The WRONG Way To A Root Shell

Please DO NOT use the following methods to gain root access:

sudo bash, sudo sh, sudo su -, sudo su, sudo -i -u root

If you currently do use these methods this post was written for you!

UPDATE: Based on the feedback in the comments for this post I’ll try to expand the reasoning on *why* the right way is the preferred way.

First of all we need to understand some background information.  When a user creates a session there are a number of environment values that are set.  To have a look at some of these try this command:

env

This will output a number of details about the current working environment.  These environment values may be different for different users.  Some of the values are generated by way of the .bashrc file (assuming a bash shell, of course), the .bash_profile, etc.  Take a look at the .bashrc in your users home directory and compare it with the .bashrc in root’s home directory.

diff -u ~/.bashrc /root/.bashrc

You should see some differences, and this is just from one of the multiple files that are read during a proper login.

When creating a root shell by using ‘sudo bash‘ you are not incorporating the root environment properly.  You are creating a shell with root privileges but the env output is still that of your user.  Each user, whether unprivileged or root, should have unique environment settings to truly be that user.  This will be the case for ‘sudo bash‘, ‘sudo su‘ and ‘sudo sh‘.

If you’ve used your Ubuntu machine for more than a week you’ve probably run into the sudo command. Particularly if you’ve followed any of my previous tutorials you’ve used it. Sudo allows you to run superuser commands on your machine, without needing a complete superuser account.

Now what happens when you have another user on that machine that needs certain superuser privileges but you don’t want to give them FULL access? Well sudo can be configured to give users sudo access, but limited to only certain commands. Here is a breakdown:

If you use the command:

sudo visudo

you’ll be taken into the self checking sudoers editing file. What you’ll want to look for is near the bottom and appears similar to this:

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

What this is defining is who has what sudo or superuser privileges on that machine. By default, and in this case root has all power and anyone in the admin group (generally just the initial user) has this control.

Now consider you have a buddy, wife or partner that also uses that machine and needs occasional sudo access but you’d prefer not to give them complete permissions to avoid destroying the world as we know it. Well, you can list them in this file and create a limited list of sudo permissions that they will be granted. An example would be below:

# User privilege specification

root ALL=(ALL) ALL

mike ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get

Let me break this down for you. By adding this new line to the file you’ve done the following:

The first listing, mike, is the user that is being assigned the privilege. For this to apply to a group of users on the machine you would prefix the name with a % as seen in the example above (%admin).

The second listing defines the hosts that these permissions apply to. For your use this will almost always apply to your local machine only so ALL is safe. If this does not apply to you (you will know who you are) you will want to define only the hosts to grant access).

Thirdly, the (root) entry defines what user the first user is applying the command as. In this example we want to run the command as root and not any other user. You can define this to another user (or user daemon) to allow access to their specific privileges.

Lastly we’ve got a comma separated list of commands that the user will have access to. In this case I’m allowing the user mike to add and remove programs from the machine using the apt-get and aptitude programs. Allowing users to add / remove programs from your machine as in this example can be dangerous. This is for example use and may not match your usage.

Sudo is our superhero friend while using Ubuntu. It allows us to temporarily take on a different persona, make changes to the critical parts of the machine and quietly change back again. Allowing other users this privilege can be helpful but it can also be harmful so be sure you understand who you are applying privileges to and to what commands. Security is #1, or should be, so use this knowlege wisely.