Just the other day we were having a discussion on using the root shell in Ubuntu. Now, remember, the root user account is disabled with no assigned password on a default Ubuntu system so administrative tasks need to be done using the sudo
command. For nearly all of the administration you would need sudo
will be adequate. There are occasionally those fringe cases where you might require a root shell. Below I have a few alternatives and then, if you must, the correct way of opening a root shell.
For more information please see the RootSudo page on the Ubuntu Community Wiki.
Alternatives To A Root Shell
One of the most common reasons that a user might need a root shell is due to output redirection not working as expecting while using sudo. This can be bypassed fairly easily. Let me outline an example:
sudo echo "foo" > /root/somefile
The above example will not work because the normal user does not have access to write to the root user home directory, and combining the redirection in the command we’ve lost sudo access.
An alternative that will work would look something like this:
echo "foo" | sudo tee /root/somefile
This will echo the output on the console but the tee command ('man tee
‘ for more information) will also take that output and write it to the file as expected. Also note that 'tee -a'
will work in the same fashion as >>, appending the data to the current file vs overwriting
.
The Proper Way To A Root Shell
If you still need a root shell (perhaps you’ve come across a different scenario? perhaps you’re just lazy? perhaps you’re coming from another distribution?) let me outline the proper way to gain a root shell.
DISCLAIMER: This should be avoided if at all possible. It is not suggested to run a root shell on an Ubuntu system. Use at your own risk. See examples above, etc.
sudo -i
The command sudo -i is the equivalent to the 'su -'
command. This will properly change to the root user, switch to the root user’s home directory, use his (her?) environment values, etc.
sudo -s
The command sudo -s is the equivalent to the 'su'
command. This will change to the root user but will not properly use his (her?) environment values, etc.
The WRONG Way To A Root Shell
Please DO NOT use the following methods to gain root access:
sudo bash, sudo sh, sudo su -, sudo su, sudo -i -u root
If you currently do use these methods this post was written for you!
UPDATE: Based on the feedback in the comments for this post I’ll try to expand the reasoning on *why* the right way is the preferred way.
First of all we need to understand some background information. When a user creates a session there are a number of environment values that are set. To have a look at some of these try this command:
env
This will output a number of details about the current working environment. These environment values may be different for different users. Some of the values are generated by way of the .bashrc file (assuming a bash shell, of course), the .bash_profile, etc. Take a look at the .bashrc in your users home directory and compare it with the .bashrc in root’s home directory.
diff -u ~/.bashrc /root/.bashrc
You should see some differences, and this is just from one of the multiple files that are read during a proper login.
When creating a root shell by using ‘sudo bash
‘ you are not incorporating the root environment properly. You are creating a shell with root privileges but the env
output is still that of your user. Each user, whether unprivileged or root, should have unique environment settings to truly be that user. This will be the case for ‘sudo bash
‘, ‘sudo su
‘ and ‘sudo sh
‘.
I keep hearing that “sudo bash” is bad, but i never see an explanation.
Why is “sudo bash” considered harmful?
Interesting post. I do use sudo su. An explanation as to why this should not be used will be very helpful. Thanks!
@alphager – ‘sudo bash’ will no longer have any of the benefits of the sudo system. ie; auditing, granular access controls, environment inheritance, etc. See the link to the wiki for more benefits of sudo, most of which are lost using ‘sudo bash’ or similar.
I get root access in a way that isn’t even listed here – I just went into recovery mode and made a password for the root account.
Personally I like it this way – for basic tasks I just use sudo, but for the more involved tasks I can use su.
Whats wrong with “sudo su -“?
Seriously– this is a nice article but it’s missing the most important part–educating the reader about what’s wrong with sudo bash!
Because that’s what I almost always use… so what am i doing wrong?
@mirada
next time, try :
$sudo passwd
What makes “the right way” right?
What makes “the wrong way” wrong?
I was hoping PolicyKit would solve the need for “sudo nautilus” or “sudo gedit”, but it didn’t. It’s such a pain to re-do work if you forget to put sudo in front…
@Vadim – check out the RootSudo link I have posted. You should be using ‘gksudo gedit’ or ‘gksudo nautilus’ instead as well.
I don’t see the differences between sudo -s (the one I use) and sudo bash.
In both I don’t get to use the root’s environment values.
To avoid a lot of garbage being sent to the console when zcatting a binary file, you can redirect to /dev/null:
zcat file.gz | sudo tee /dev/device >/dev/null
Now that more closely resembles the behavior you would expect from:
sudo zcat file.gz > /dev/device
BTW, this used to work using Gutsy. What exactly has changed in Hardy?
I see the issue with “sudo bash” but why wouldn’t “sudo su -” get the proper environment?
Hmm. “sudo su -” to do the job.
Unless there’s some sort of security issue with what I do know, I honestly can’t think of any way my life could possibly be improved by using “sudo -i” instead. Not that it would hurt either, but my fingers are well-trained to my current method.
Manuel: Correct, in neither case you get the root’s environment.
However, (if I understand this article correctly?), in the “sudo -s” case, you don’t get the environment of any particular user, while with “sudo bash” you get the environment of your normal user. The latter is considered bad. But why?
Thankyou! I’ve always used sudo su -, but the X display env var doesn’t get set. Using -i it does!!!
Hugo- I don’t get it either. I’ve never had any issue with the normal user environment…
W
Count me as another that wants to know what’s the difference between “sudo -i” and “sudo su -” Either way you get root’s env, so what difference is it? Ditto on “sudo -s” v “sudo su” Either way, no root env…
The reason why “sudo su” and “sudo su -” are considered the wrong way is that they take unnecessary detours. At least that’s my take on it.
“sudo -s” becomes root when executed, reads the password, then starts a shell.
“sudo su” becomes root when executed, reads the password, then starts su, which looks whether it needs to read the password, discovers that it is already root, says “huh?” to itself, and starts a shell.
The extra work just feels wrong to me.
Whereas “sudo -s” starts the shell mentioned in $SHELL (or /etc/passwd if $SHELL is not set), “sudo bash” always invokes bash. I wouldn’t say that makes it wrong, just different. But I can see how “sudo -s” would follow the principle of least astonishment, where the user gets their normal shell they are used to without having to remember what exactly that shell is.
Interesting… I diffed ‘sudo su -‘ and ‘sudo -i’:
– = sudo su –
+ = sudo -i
-MAIL=/var/mail/root
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+SUDO_USER=user
+SUDO_UID=1000
+USERNAME=root
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
+SUDO_COMMAND=/bin/bash
+SUDO_GID=1000
+DISPLAY=:0.0
+XAUTHORITY=/home/user/.Xauthority
+COLORTERM=gnome-terminal
So I guess the author is wrong – ‘sudo su -‘ seems to be the cleanest approach. sudo -i however allows you to start X apps, so it’s more convenient.
I did another diff:
– = sudo su –
+ = direct root login from console
-TERM=xterm
+TERM=linux
+HUSHLOGIN=FALSE
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
There’s also “sux” if you want the X stuff put through. “sudo sux -“
Could always add the menu entry for a root shell through System > Preferences > Main Menu. The option is under System Tools.
(assuming you use gnome)
I think “huz” really showed why you do not want to use sudo su. One reason sudo is used instead of direct root access is to allow auditing what you did with your root access. Based on that output, it looks like sudo su may defeat the auditing, but I am not a system administrator and do not know the low-level system commands so I could be way off base here.
Someone posted a link to this URL on my blog saying:
“…link above states that you should not use “sudo su” to create a root shell, but instead use “sudo -i” or “sudo -s”…”
I liked the post, but it’s made me wonder a bit here…
One thing to clarify though sudo -s is the equivalent of sudo su (which is mentioned here), using either command will provide root permissions. So… I’m not really sure what the difference would be? – Because this still gives me root’s environment. Right?
However, if I sudo -i then I’ll again get root permissions AND change the (now rooted access) to the user’s (my root) environment (home directory, etc.) I think sudo -i is best used when security is an issue? Is that right? But isn’t that what sudo -s does?
Please could you clarify? 🙂 I’m not by any stretch of the imagination a Linux expert, but I’d really like to know what the difference is?
It just seems to me that with sudo su (sudo -s) and sudo -i, I still get root’s environment.
Am I missing something here? 🙂
Thanks!
A very crisp explanation of how to do it 😉
You do not need to use ‘sudo sux’ just ‘sux’ will work fine. This is my old-skool perfered way to get root.
If you check out the various sudo docs, you can set up sudo where users do not even have to enter the sudo password. Or you could set it up where you dont need the sudo password, for specific programs/commands.
‘sudo su’ makes no sense – you can’t get root twice.
The annoying thing in Ubuntu is, that even after I created a working root account with ‘sudo passwd’, i don’t get a working root shell (even when “cleaning” a runlevel to have a non “X” or “kdm/gdm…” init).
In Kubuntu 8.04 64bit there is no ‘sbin’ directory in the path.
That makes it complaining about missing packages, but they are there, and makes it breaking scripts.
I see no point in all this security blah blah.
The standart home “play a bit around” user will normally don’t loose much, even if he has to reinstall everything because he broke his system – ( and if you read all the forums out there, that’s what most of them do, if they don’t know any further)
And the admin of a production system should know what he does, when being root because he can’t do it without a proper root shell.
I want to have full control over my system – if I want to be locked out of “dangerous” things and if I want to have things hidden before me, I can use Vista bcause that’s what it reminds me of, if I have to manipulate 1000 things before I can work the way I need and want to…
If you have your user environment set up the way you want/need it for sudo bash to work for you, then it doesn’t matter. It is much easier to sudo -i than to spend hours or days fiddling with your env, however much fun that might be for some ubergeeks 🙂
I am a professional Win-PC-Supporter, know ALL tricks in Windoofus.
This Linux is better than Win, but not really "good". If I would develop a system, I wouldn't ever dream of making it controllable by complex shell commands. This Linux is INTERIORALLY well-built, ordered, but the noob as well as the a LITTLE more experienced users have NO way of getting to know QUICKLY how certain CRUCIAL and TOTALLY necessary parts of the system can be accessed.
Currently, I am trying (and succeeded in) installing Antivir from AVIRA. All went fine, he's even telling me the proggy is running, also the Zudoku or whatever went fine.
BUT I dont SEE the program! ALL hints how to bring up one small symbol of Antivir resulted in NOTHING. Just NADA, YADA YADA happnens when I type "antivir-gui" or something.
Now, ALSO, I cannot even bring up ANY shell. I downloaded Hotwire shell thru the Kubuntu-setup ( I got Kubuntu), there, nothing too.
Also, the system tells me root logins are not allowed when I try to login as root.
I think Linux lacks EASY transparency. You just can't see whaAAAz SAPPENIN in behind…. oh well, most win-users don't either… really many people are so paranoid in the wrong way…
… for me, in Linux, its like on a snowboard. I skied since 2 yrs old, now I monoski, but SNOWBOARD, there, I get further like 2 meters in some 10 minutes. Not used to this. Even me, world's best pc supporter. Its a long way to the top if ya wanna rockn roll….
oh, I really forgot to mention I am using Kubuntu under VMWARE 6.5 in WinXP64.
I got Antivir in my base XP64.
But I think it should also "work", in Kubuntu under VMWare, I mean Antivir in Kubuntu IS installed AND running, I just can't access it, not even thru any command as mentioned on Wiki and at other sites. I know already that the proggy is installed into usr/lib/Antivir or something.
I would like to go into a shell, go into that directory, and be able to really execute commands or scripts from there. HOW? Google NOT ONE, but really MANY nights thru for that? Wont' someone… give a gun… oh, well its for my pc…. (suede, altered)
ok guys n gals, that guy im gonna cite now just wrote all that stuff that comes right now after – he is saying EXACTLY the PUREST system truth about (k)ubuntu. ITS THAT I ALSO asked myself when I chose some ssystems to install on my vmware 6.5. Kubuntu SEEMED like a good mod of ubuntu, which IS userfriendly, BUT WHEN you got a problem THEN u got one, for SURE, AND for goode. NOT GOODE AT ALL. I ALSO want control over my sys. HEY HEY. For a supporter, Kubuntu is a nono. Ill go into debian and mandrake or somethin. also mandriva is a crap like uschmuntu. in german "jetzt wirds mir ZU BUNTU" (Now it gets too coloured for me, adios!")
–> the truth about kubuntu: "
'sudo su' makes no sense – you can't get root twice.
The annoying thing in Ubuntu is, that even after I created a working root account with 'sudo passwd', i don't get a working root shell (even when "cleaning" a runlevel to have a non "X" or "kdm/gdm…" init).
In Kubuntu 8.04 64bit there is no 'sbin' directory in the path.
That makes it complaining about missing packages, but they are there, and makes it breaking scripts.
I see no point in all this security blah blah.
The standart home "play a bit around" user will normally don't loose much, even if he has to reinstall everything because he broke his system – ( and if you read all the forums out there, that's what most of them do, if they don't know any further)
And the admin of a production system should know what he does, when being root because he can't do it without a proper root shell.
I want to have full control over my system…"
ok, I found out I just gotta use whatever commands executable in a terminal, openable by some path along the startmenu shortcuts, BUT as SOON as i try to up FRIGGIN DATE, huhu, that mister anitivir under mister kubuntu, it says oh no sireee weezer i dont give ya permission bro, nono hehe, like that:
UserX@MAchineX:/usr/lib/AntiVir$ avupdate –product='Guard'
Updating, please wait…
Error: Open file /var/log/avupdate.log failed. Error: Permission denied
userX@MachineX:/usr/lib/AntiVir$ avupdate -c –product='Guard'
Checking for updates…
Error: Open file /var/log/avupdate.log failed. Error: Permission denied
–> as i said, rather some serious version of linux than this. Im sure there are several solutions, please post if u REALLY know one, but its all not so clear than in Win, sadly, STILL. this COULD be diffrent, just gotta find MY linux.
its clear what you and i all wanna do. execute that avupdate under root account privileges. HOW? as many others i shout out to the net, please bring me the seven percent solution, i dont wanna search oll those millionso of acres of haystacks — i seen the needle and the damage done, a little part of it in evryone, but evry junkie's like a settin' sun… (neill young)
uhuh, before i go into some kind of button on the right of a conqueror or so, its called oh i forgot, ill take another sip, u never know hu .-)))) cut then, suddenly a window pops up with other colors than mine, where u can access stuff under root privs. i wonder if i can execute that updater file like in that terminal… gosh my cat always miouws he is old and now has cancer…. they all wanna be taken care of, systems as well as pets and humans… i should make more ads for my support service and gain lots dough…. but until i can support linux, its a long way til you're over the top like Sly with his son in the truck…. .-)))
all is well xept roswell,
–> " :/usr/lib/AntiVir/gui/bin$ sudo avupdate –product='Guard'
[sudo] password for st:
Updating, please wait…
Updated files:
hbedv_key
Update finished successfully" .-)
you just type in sudo avupdate while being in the directory of antivir in usr/lib and thats it. now how i will access the gui of antivir is a whoe different question, but im happy with the console version too…
“The command sudo -s is the equivalent to the ‘su’ command.”
This is a falsehood. ‘su’ will change to the user and run the default shell of the target user. ‘sudo -s’ is functionally equivilent to “sudo $SHELL”: it changes to the user but runs the default shell of the calling user.
For superstitious reasons I never change the default shell of the root account, but you can be sure I customize my own account extensively. And /bin/bash (or /bin/sh) is not my first choice of shell. When I want to be root, almost always want my default shell and my environment. Your tastes may vary, but I’ve been including settings based on the current user in my dot files since the mid-90s.