Root 101

If you don’t “get it,” you probably haven’t got it

For many who are accustomed to single-user operating systems like Windows 98 or Mac OS 9, the concept of root is an unfamiliar one. This article is intended to help explain what root access is, whether you need it, what you can do with it, and how you can get it.

Of course, as is common with technology terms, there are two very different definitions of root. Here is an explanation for one, just to get it out of the way:

root(1): a file system term describing the top level directory of a drive or storage volume.

For example, a file in the root directory of a computer running Windows would have a file path such as c:\MyFile.doc. A file in the root directory of a computer running Mac OS 9 would have a file path such as Macintosh HD:My File. A file in the root directory of a computer running a Unix-based operating system (including Mac OS X) would have a file path such as /myfile.txt. Note that, in Unix, the first slash in a file path denotes the root, or highest-level directory on that drive or volume.

As interesting as that is, it doesn’t really relate to the discussion at hand. That would be the other meaning of root:

root (2), or root access: authorization within Unix-based operating systems that allows a user to make system-wide changes. This includes the ability to open and modify files that are off-limits to garden-variety users, such as system files and files within other users’ home directories.

This leads to another important definition:

super user: a user who has been given root access.

So, this is all well and good, but it doesn’t explain what root access really is. Simply put, it all comes down to log-in permissions. On a Unix system, access and permissions are tied in to a user’s log-in, which is made up of a username and a password.

When a user logs on to a computer running one of the various flavors of Unix, he is prompted to enter his username and password. The system then checks its roster of users to determine if the password and username match. If the user logs in with the username root, using the root password, he will be given permission to do lots of things that other users aren’t allowed to do.

Here are just a few examples of some operations that may require root access:

  • Adding, modifying, and deleting users from the system
  • Changing and overriding user passwords
  • Installing new programs and utilities
  • Starting and stopping system services
  • Setting up boot managers, such as GRUB and LILO
  • Hardware and device driver configuration
  • Mounting file systems
  • Modifying system-level properties, such as network settings, web services, and e-mail configurations
  • Performing remote reboots (though this may vary from system to system)

Many of these examples are things that users are used to doing in their single-user systems. In fact, many users might feel like they are entitled to do these things. However, with multiple-user Unix-based systems, hardware and software configurations are closely controlled because they affect multiple people. Changes made while logged in as root can create potentially disastrous repercussions that affect all users on the system. As we all learned from the movie “Spider-Man,” with much power comes much responsibility. Here’s a little comparison that might make this concept a bit clearer.

Consider Harry Homeowner, who owns a split-level 3 bedroom house on a quarter acre in Outer Suburbia. Since Harry has the key to the front door, he has access to his entire house, from crawlspace to kitchen to bedrooms to attic. He—and the bank—own the whole place, so he can pretty much do as he pleases.

If Harry wants, he can install a new turbo-flush toilet or convert his garage into a studio apartment. He can also replace the GFI receptacles in his kitchen and bathrooms with unprotected outlets, or take a sledge hammer to his hot water heater. Not that he should do either of these last two things — the point is, he could.

Contrast Harry’s situation with that of Albert the Apartment dweller. Albert rents a four-room space (living room, kitchen, bedroom, bathroom) in a multi-story complex in Inner Urbania. Albert has access to his own unit, which is protected from outsiders by a deadbolt and chain lock. In addition, Albert also has access to common areas such as hallways, laundry facilities, and the mail box facility.

Neither Albert nor his neighbors has the right to enter anyone else’s apartment. Moreover, Albert and his fellow residents are prohibited from entering places such as the boiler room, the broom closet, and the main electrical room. The only person with keys to every door in the complex is the building superintendent (or super), who has the run of the place. The super controls facility services (such as water and power), authorizes structural changes to the building, and can even enter tenants’ apartments if he needs to.

Running a single-user operating system like Windows 98 or Mac OS 9 is a bit like living in a single-family home. Harry’s relationship with his house is like a user’s relationship with a single-user OS. A Windows user running Windows 98 can monkey around with DLLs, edit his Windows registry, and throw .INI files in the recycle bin to his heart’s content. A Mac user running OS 9 can fiddle with extensions, take ResEdit to his System resources, and play a little game called “hide the Finder.”

In other words, a Windows 98 or Mac OS 9 user is totally free to screw up his own system. All of the files that are critical to his computer’s health are accessible and vulnerable to tinkering. If he knows what he’s doing, this user can fine-tune his computer’s performance. If he doesn’t know what he’s doing, he can easily turn his machine into a really expensive paperweight.

In contrast, Unix systems are designed for multiple users. Like an apartment building, many people can be using the system at the same time. Because of this, only one person — or a few select people — are given permission to make changes that affect the whole system. While a tenant can turn off the lights in his living room, a super can shut off power to the entire apartment complex. Of course, there would have to be solid justification to do so. By using root access appropriately, super users can keep their “apartment computers” running smoothly.

If you’re new to Unix, chances are pretty good that you have some more questions about wielding the power of root. Hopefully, you’ll find the answers to those questions below.

>> How can I tell if I have root access?

As the title of this article suggests, with root access, if you don’t know whether you’ve got it, you probably don’t. However, it is possible to be logged in as root without knowing it. There are three different ways to find out whether you are root. The easiest is to look at your command prompt. Generally, your prompt contains your current username. So if you’re logged in as root, you might see something like this:

[root@mymachine /]#

In this example, we’re logged in as root, working in the root directory of the system (as indicated by the “/” in the prompt).

If that seems too simple, there are some special commands that will tell you if you’re root. At the preceding command prompt, you could enter:

[root@mymachine /]# whoami
root

Note that the system returned root, which is your current username. If you weren’t logged in as root, the system would have returned your normal user id.

Another way to find out is to type the following:

id

The system will return your user id, your group id, and a list of all groups you belong to. If you’re logged in as root, your user ID will be 0. (There are some exceptions to this, but this will apply to most cases.)
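A scripted form of the id check, as an added example that is not part of the original article. The kernel grants superuser rights by numeric UID 0 rather than by the name root, so the audit reads the UID field of a passwd-format file. The sample file, the toor account and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find superuser accounts by UID, not by name.
# passwd format: name:password:UID:GID:comment:home:shell

uid0_accounts() {
    # $1 = path to a passwd-format file; prints one account name per line
    awk -F: '
        /^#/ || NF < 7 { next }     # skip comments and malformed lines
        $3 ~ /^0+$/    { print $1 } # numeric UID 0 (also matches "00")
    ' "$1"
}

unexpected_uid0() {
    # Same scan, minus the account literally named "root"
    uid0_accounts "$1" | grep -vx 'root' || true
}

am_i_root() {
    # True when the effective UID of this shell is 0, whatever the username
    [ "$(id -u)" -eq 0 ]
}

# Constructed sample data (not taken from a real system)
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/sh
myname:x:500:500:My Name:/home/myname:/bin/bash
EOF

echo "UID 0 accounts:    $(uid0_accounts "$SAMPLE" | tr '\n' ' ')"
echo "Other than 'root': $(unexpected_uid0 "$SAMPLE" | tr '\n' ' ')"
if am_i_root; then echo "This shell is root"; else echo "This shell is not root"; fi
```

On a real machine, point uid0_accounts at /etc/passwd; any name it prints besides root deserves an explanation from whoever administers the system.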

>> How can I get root access if I don’t have it?

If you’re working on a multi-user system, and want to get root access, you’ll need to talk to the system administrator. If he’s like most admins, he’ll require you to have some really good reasons for wanting to have root access. If you can’t justify it, chances are he won’t allow it. If your reasons are good, if you pay suitable homage in the form of chocolate, caffeinated drinks, and large bags of Cheetos, and if the planets line up just right, you may be given the root password.

On the other hand, if you’re working on a Unix machine that you own and control, you should already have root access. If you know you should have root access, but can’t remember the password, you may be in trouble. See the last question below for more information about this unfortunate situation.

>> Once I have permission, how do I log in as root?

Once you have the root password, you need to log in to get root access. This part is pretty easy. If you’re logging in at the start of a session, do the following:

login: root
root@mymachine’s password: [enter root password here]

If the password is correct, the system should let you in with Godlike privileges.

The second login scenario occurs when you’re already logged in with your regular username and password, and want to shift into root. When this happens, type the following at the command prompt:

su

You might think this stands for “super user,” but you would be wrong. The command is “switch user,” and can be used to log in to the system as anyone else, providing you know the correct passwords. For example, if you wanted to log in as your buddy Mike, you could su mike, enter Mike’s password, and do all sorts of things under his login. You could play a joke and use the passwd command to change Mike’s password. Not that you should do this, but it would be kind of funny. (Note: Mike might not agree with the previous statement.)

When you use the su command without specifying a username, the system assumes you want to switch to root, and asks for the root password. Once you enter the correct password, you’re logged in as root.

The interesting thing about using su is that it gives you root privileges with your own personal environment variables. This means you’ll probably get a prompt that looks something like this:

[root@machinename myname]$

If you check out your path, for example, you’ll see that it hasn’t changed. Here’s what you might see:

[myname@machinename myname]$ su
Password:
[root@machinename myname]$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/myname/bin
[root@machinename myname]

This is a pretty skimpy $PATH. If you really want the juice, you’ll need to use su -. (That’s su followed by a space, then a hyphen):

[myname@machinename myname]$ su -
Password:
[root@machinename /root]$ echo $PATH
/usr/local/sbin:/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin
[root@machinename /root]

Note that your $PATH variable is considerably more complex, giving you much more direct access to the various commands, scripts and programs on your machine. When you’re done “rooting around,” here’s how you go back to your initial login:

exit

Hit ENTER and you should be back to your plain old regular non-super self.
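The two $PATH values shown above differ in a way that matters for safety: after a plain su, the root shell still searches /home/myname/bin, a directory the ordinary account controls. The following added example (not part of the original article) flags such entries in any PATH string. The function name, the list of locations treated as risky and the "constructed bad PATH" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a $PATH for entries that are risky when the shell
# using it runs as root. String-level check only; nothing is executed.

risky_path_entries() {
    # $1 = PATH string. Prints "entry<TAB>reason" for each risky entry.
    rest="$1:"                  # sentinel ":" so a trailing empty entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ":"
        rest=${rest#*:}         # text after the first ":"
        case $entry in
            '')      printf '(empty)\tsearches the current directory\n' ;;
            /home/*) printf '%s\tunder /home, assumed writable by its owner\n' "$entry" ;;
            /tmp|/tmp/*|/var/tmp|/var/tmp/*)
                     printf '%s\tworld-writable temporary area\n' "$entry" ;;
            /*)      : ;;       # other absolute directory: accepted here
            *)       printf '%s\trelative, resolved against the current directory\n' "$entry" ;;
        esac
    done
}

# The two values printed in the article
PATH_SU='/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/myname/bin'
PATH_SU_LOGIN='/usr/local/sbin:/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin'

echo "after 'su':"
risky_path_entries "$PATH_SU"
echo "after 'su -':"
risky_path_entries "$PATH_SU_LOGIN"
echo "constructed bad PATH:"
risky_path_entries '/usr/bin:.:bin::/tmp'
```

Run it as `risky_path_entries "$PATH"` inside a root shell to check the live value. It does not inspect directory permissions, so an absolute system directory that has been made writable by other users would still pass.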

If you’re logging into your system remotely, and want to log in as root, it’s a good idea to first use your garden-variety login, then use su - to shift to root once you’re in. Doing this, instead of just jumping in as root from the get-go, can reduce the risk of being hacked.

>> How can I use my root privileges without actually logging in as root?

One of the most important things to know about root access is that it is rarely a good idea to stay logged in as root for very long. When you’re logged in as root, you’re putting your system at risk. There is no “undo” command in Unix, so any file that you delete is immediately gone forever. Even so, it is often necessary to perform actions that require the permissions associated with root.

In situations like this, it is a simple matter to “log in” as root for a single command. This is done with the great little sudo utility. Short for “super user do,” sudo takes the command that follows as if it were executed by someone who was logged in as a super user. For example, if you try to edit a file that is owned by root, you might experience the following access trauma:

$ vi rootfile.txt
bash: vi rootfile.txt: Permission denied

Only someone who is logged in as root can edit a file owned by root. At this point, you could su and become root, but that would eventually require you to return to your normal login. Instead, you could do the following:

$ sudo vi rootfile.txt

When you do this, your Unix system will ask you for your password. Key it in and hit ENTER. If the administrator has cleared you for this type of sudo access, the system will open the file for editing. Note that, after you close your text editor, you’re back to using your standard login without the need for an exit command. Though sudo has become a standard add-on in Linux systems, it is not part of the default toolset.

>> Why shouldn’t I just stay perpetually logged in as root?

Root is a “special occasion” thing. Sure — you could run your system while logged in as root. It might make you feel like a really important guy. But you’d be foolish to do so.

First of all, when you’re logged in as root, you’re working with “phenomenal cosmic powers.” If you never ever ever make a mistake, by all means, root yourself. But as we said before, if you screw up, there’s no “undo.” Making a typo while running as root could conceivably bring down your entire system. Permanently. It’s just Not a Good Thing to Do.

You might also think of the su - and root commands as “opening a door” in your system. In your “apartment building,” you might leave the utility room door open for a few minutes while you carry in equipment or perform maintenance. But if you’re managing a secure facility in a city of several million people (and if you’re running a Unix-based system that’s connected to the Internet, this is you), you’re not going to want to leave that door open for very long.

Another reason you don’t want to leave the door open — you’ll let the bugs in. When you’re logged in as root, your system is more vulnerable to viruses and such. The best way to prevent this is to close the door when you don’t need it open. (Heaven knows, enough bugs are already coming in through the Windows, if you catch my drift.)

>> What if I forget my root password?

You’re hosed.

Well, no, not really. But to be honest, you should be hosed. Your root password is the master key to your apartment-style computer; forgetting your root password is almost as bad as displaying it on a sticky note on your monitor. It’s a big no-no.

Forgotten root passwords can never really be recovered. They can, however, be replaced. Since you probably have a really good excuse for forgetting your password — something on par with amnesia or a brain tumor — we’ll give you some hints on how to save your bacon. Note that none of this can be done remotely — they all require direct physical access to the machine in question. Also, please make sure that you only use these techniques on computers that you have been authorized to modify. If you use the information below to bypass security on a computer you’re not supposed to be messing with, you’re probably committing a felony. If you have a computer

Linux OS

If you’re using LILO as your boot manager:

  1. Reboot by using reboot, shutdown -r now, or control-alt-delete.
  2. At the LILO prompt, type linux 1 or linux single. This will boot the system into single user mode. (You’ll notice that it doesn’t ask for a password.)
  3. At the command prompt, type passwd root. When it prompts you, enter a new root password.
  4. Reboot the machine and log in as you do normally.
  5. Don’t forget the new password, you nitwit!

If you’re using GRUB as your boot manager:

  1. Reboot by using reboot, shutdown -r now, or control-alt-delete.
  2. At the bootloader menu, press e to enter editing mode.
  3. You’ll see a boot entry listing. Look for a line that resembles the following: kernel /vmlinuz-2.4.18-0.4 ro root=/dev/hda2
  4. Press the down arrow key until this line is highlighted and press e to edit it.
  5. Add the word single to the end of the line to tell grub to boot into single-user Linux mode.
  6. Press ENTER to acknowledge the change.
  7. You will now see the edit mode screen. Press b to continue booting into single-user Linux mode.
  8. At the command prompt, type passwd root. When it prompts you, enter a new root password.
  9. Don’t forget the new password, you nitwit!

Mac OS X

  1. Restart your computer by clicking restart in the login window, or by clicking the restart icon in the Dock.
  2. While the computer is rebooting, hold down both the command (Apple) key and the S key until you see text scrolling through the window. This boots the computer into single-user mode.
  3. At the Localhost% prompt, type the following two commands, one per line:
    /sbin/mount -uw /
    /sbin/SystemStarter
  4. You should see various services starting up. When you see the Localhost% prompt again, type passwd root. When it prompts you, type your new root password. Then type it again.
  5. Once you’ve created your new password, reboot the machine with the reboot command.
  6. Don’t forget the new password, you nitwit!

If none of these techniques works for you, find a Unix guru and grovel. Make sure not to forget the three most important things about getting things done in this type of Unix environment: chocolate, caffeinated beverages, and Cheetos.

When you’re choosing your root password, make sure to choose something that you can easily remember, but that others won’t be able to guess. Password is probably not a good root password. Neither is your name, your birthdate, your social security number, or anything similar. And for pete’s goodness, please don’t write the password on a piece of paper and tape it to your monitor. This is roughly equivalent to leaving the master key on top of the mat, instead of under it.