Secure Admin Privileges
Using the root account
The standard administrative superuser account on Microsoft Windows is called Administrator. On Unix-like systems, it is called root instead. It’s normally a bad idea to use an administrative account for anything that you can do with a less privileged account, because whenever you use any user account at all you expose that account to potential threats: if software running under that account’s privileges has a vulnerability, it may allow someone to compromise the account.
If you use Firefox to browse the Web, and it turns out Firefox has some kind of scripting vulnerability that allows a malicious script on a Website to install a backdoor on your system, how vulnerable you are depends to some degree on what user account you use:
- With a user account that has no administrative privileges, your user account may be compromised — but the security cracker with access to it via the installed backdoor will only be able to access exactly what that user account can access.
- If you are logged in as the root user while using Firefox, the security cracker with access to the account via the installed backdoor may now have access to the entire system, because the root user has administrative privileges over everything.
Obviously, you have to access the administrative account from time to time when you are the system administrator. The key is to use those elevated privileges only for the specific tasks that require them, and sign back out of the root account immediately after that. On a server, this usually means logging in as root at a virtual TTY console, doing whatever you need to get done as root, then typing exit or <Ctrl>+<D> to log out of the root account again.
Using su
The “substitute user” or “switch user” command (also sometimes identified as “superuser”), su, allows convenient and secure access to the root account on Unix-like systems without having to log out of the currently logged-in user account. It is also commonly used to access normal, unprivileged user account environments from within a root account session by specifying the account whose user environment one wants to access.
Probably the most common use of su these days is as a means of accessing the root account to perform administrative tasks without leaving an X Window System session. One can just open a terminal emulator and type su, enter the password when prompted, and start working with root privileges.
This can provide additional security for remote connections too; the administrator can configure a system to disallow SSH logins as root, requiring a user to connect as some other user account and use su to elevate privileges. This is a quick and easy way to stop remote brute force attacks against the root account’s password. Some systems, such as FreeBSD, actually install SSH configured that way by default.
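The sshd setting behind the paragraph above is PermitRootLogin in sshd_config. The following added example (not from the original article) reports the value the daemon will actually use, with the caveat that OpenSSH keeps the first value given for a keyword, so a later "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" never takes effect. It assumes "#" starts a comment, keywords are case-insensitive, only the global section before any Match block matters, and that an absent directive should be treated as permitting root (the daemon's default is not "no").

```shell
#!/bin/sh
# Added example: check whether an sshd_config still allows SSH logins as root.
# Assumptions: OpenSSH keeps the FIRST value of a keyword (later duplicates
# are ignored), keywords are case-insensitive, "#" starts a comment, and the
# scan stops at the first Match block (only the global section is examined).

# Print the effective PermitRootLogin value from the file named in $1.
# Prints "unset" if the directive never appears, so the daemon's default applies.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/                   { next }            # skip comments and blank lines
        tolower($1) == "match"           { exit }            # stop at the first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 (true) if root may log in over SSH, 1 if root logins are blocked.
# Only "no" blocks root entirely; "prohibit-password" / "without-password"
# still allow key-based root logins, and "unset" falls back to the daemon's
# default, so both are reported as permitted (the conservative reading).
root_login_permitted() {
    case "$(effective_permit_root_login "$1")" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample config (not from any real host) showing the first-value-wins trap.
demo() {
    tmp=$(mktemp)
    printf 'Port 22\nPermitRootLogin yes\n# later hardening attempt, silently ignored:\nPermitRootLogin no\n' > "$tmp"
    printf 'effective value: %s\n' "$(effective_permit_root_login "$tmp")"   # yes
    rm -f "$tmp"
}
```

Run it against a live host with `root_login_permitted /etc/ssh/sshd_config && echo "root can still log in over SSH"`; compare with `sshd -T`, which prints the daemon's fully resolved configuration.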
Using sudo
There is a great tool for securing and logging the behavior of users who need to perform limited administrative tasks called sudo. Quite a lot can be done with this tool, and as such quite a lot can be said about it. It could, arguably, warrant a book of its own.