
Thread: su -> root

  1. #1
    Join Date
    Apr 2021
    Beans
    8

    Question su -> root

    I'm somewhat new to Ubuntu server (used ~10 years ago). On my current UNIX servers I'm able to create a user and give permission to "su" (as part of wheel group).
    It would be really nice to have the same on Ubuntu server (18.04 and above). I found out that by default root is disabled and I have to passwd root to enable it.

    • sudo su, sudo bash etc is not an option
    • PermitRootLogin Yes in sshd_config isn't an option either


    The only option is to have a user (we can call it joe) who can execute su (/bin/su) and become root itself.

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,263
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: su -> root

    Don't give root a password. Use sudo instead. Anyone in the sudo group can use sudo, and they then have to give their own (not root's) password. That way, there's no root password to share around.
    You can run single commands as sudo: "sudo shutdown now", or run bash as root if you want to run multiple commands without prefixing every one with sudo: "sudo -i".
    Last edited by The Cog; April 30th, 2021 at 08:14 PM.

  3. #3
    Join Date
    Mar 2007
    Beans
    1,075

    Re: su -> root

    If you want a root session you can use sudo -i. It's pretty close to the Unix su command; it makes you root with /root as the home directory.
    Of course you could enable the root password and use the su command.

    I'm a little curious why you need this and some form of sudo won't work. You can even set sudo to not require a password and restrict which commands it has access to.

  4. #4
    Join Date
    Apr 2021
    Beans
    8

    Re: su -> root

    Here is the scenario: sudo is configured via LDAP, sometimes LDAP breaks so I need a backup user.

  5. #5
    Join Date
    Apr 2021
    Beans
    8

    Re: su -> root

    "Of course you could enable root password and use the su command." <- this is what I'd like to do, how can I do it?

  6. #6
    Join Date
    Mar 2007
    Beans
    1,075

    Re: su -> root

    Quote: Originally Posted by lacid2
    Here is the scenario: sudo is configured via LDAP, sometimes LDAP breaks so I need a backup user.
    I don't run LDAP on any of my computers. You can configure sudo locally; all you have to do is add the users you want to the sudo group
    Code:
     usermod -aG sudo newuser
    but depending on the number of servers it could be a pain to maintain.

    I also always have one local user on every server just in case.

    You can enable the root account simply by adding a password for it.

  7. #7
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: su -> root

    In my 16+ years of running Ubuntu or Ubuntu based distros I have not once found any need to enable a root account or password.
    In fact I am also running both Debian and Arcolinux without a separate root account and password and I think it is extremely unlikely that you really need to enable a root password or account on your machine.

    See RootSudo in my signature below for details, taking particular note of the advantages mentioned there of using sudo.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: su -> root

    Sounds like the LDAP needs a backup server to handle failures. Fix that.

    There is nothing special to enable the root account on Ubuntu. I think it is against forum policy to explain how, however. Perhaps the thought is that if you have to ask, then you shouldn't do it? IDK. There is no magic, no incantation, no group, nothing specific to Ubuntu or Debian required. Links in posts above have more details from Ubuntu Wiki and Community help pages.

    Back when I ran LDAP, I never had failures that impacted sudo capabilities. LDAP should cache users and groups for any active logins for at least a day. People use LDAP on disconnected laptops.

    If you need a local backup user, then make a local user for that purpose. There are all sorts of failures on Ubuntu when running GUI applications as root, so that really isn't an option.

    Just like any other Unix system, it is very possible to create a local user with the same uid/gid and groups as what a user inside LDAP supports. Just point the HOME to the same location and you'll be able to log in using either. Sssssh. Don't tell anyone this trick. Doing things that aren't normally taught is what Unix experts can do to solve specific issues. Only the admin can decide whether this is pure stupidity or genius. That is often a fine line.

  9. #9
    Join Date
    Apr 2021
    Beans
    8

    Re: su -> root

    Thank you, this worked. I have an automation editing a bunch of files; it also edited /etc/pam.d/su, which denies su:
    May 3 14:59:02 ubuntu.hostname.com su[14306]: pam_authenticate: Permission denied
    May 3 14:59:02 ubuntu.hostname.com su[14306]: FAILED su for root by joe

    I need to find a way to allow only user joe to do su
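
An added example, not part of the original thread: it pairs the two su log lines quoted in post #9 by PID, so each failed su is reported with the PAM error logged just before it. It assumes the syslog layout shown in the post; `SAMPLE_LOG` is constructed, and the user `alice` and the sshd line in it are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the post;
# the rest are made up for contrast ("alice" and the sshd line are hypothetical).
SAMPLE_LOG = """\
May 3 14:59:02 ubuntu.hostname.com su[14306]: pam_authenticate: Permission denied
May 3 14:59:02 ubuntu.hostname.com su[14306]: FAILED su for root by joe
May 3 15:02:10 ubuntu.hostname.com su[14410]: pam_authenticate: Authentication failure
May 3 15:02:10 ubuntu.hostname.com su[14410]: FAILED su for root by alice
May 3 15:02:15 ubuntu.hostname.com su[14422]: pam_authenticate: Authentication failure
May 3 15:02:15 ubuntu.hostname.com su[14422]: FAILED su for root by alice
May 3 15:05:41 ubuntu.hostname.com sshd[14500]: Accepted publickey for joe from 192.0.2.10 port 50022 ssh2
"""

# "<timestamp> <host> su[<pid>]: <message>", the layout of the lines in the post.
SU_LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+su\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
PAM_ERR = re.compile(r"^pam_authenticate:\s+(?P<reason>.+)$")
FAILED = re.compile(r"^FAILED su for (?P<target>\S+) by (?P<user>\S+)$")


def failed_su_events(log_text):
    """Return one record per failed su, joined to the PAM error from the same PID."""
    reasons = {}  # (host, pid) -> last pam_authenticate error text
    events = []
    for line in log_text.splitlines():
        m = SU_LINE.match(line.strip())
        if not m:
            continue  # not written by su
        key = (m["host"], m["pid"])
        pam = PAM_ERR.match(m["msg"])
        fail = FAILED.match(m["msg"])
        if pam:
            reasons[key] = pam["reason"]
        elif fail:
            events.append({"user": fail["user"], "target": fail["target"],
                           "reason": reasons.pop(key, "unknown")})
    return events


def summarize(events):
    """Count failures per (user, target, reason)."""
    return Counter((e["user"], e["target"], e["reason"]) for e in events)


if __name__ == "__main__":
    # "Permission denied" is PAM_PERM_DENIED (a module refused the request);
    # "Authentication failure" is PAM_AUTH_ERR (the credentials were rejected).
    for (user, target, reason), n in summarize(failed_su_events(SAMPLE_LOG)).items():
        print(f"{n}x su to {target} by {user}: {reason}")
```
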

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: su -> root

    Quote: Originally Posted by lacid2
    I need to find a way to allow only user joe to do su
    Code:
    sudo -i
    if "joe" is in the sudo group, as stated above. sudo can do thousands of other things, BTW.

    No other method exists to my knowledge.
