Subtitles of the Movie

No discussion of talking about user accounts would be complete without talking about the Root account a little bit. Now, we're going to talk about security later on in the course but we want to touch on a little bit here so that you know that the Root account is a special account that should be used in a special way. So we're going to cover some things about managing the Root account. Now, the Root account, or the super-user account, as some people call it, should be used very sparingly. Even by people who have access to it; the administrators of the box. The reason we say that is that any process that runs while a user is logged in as Root runs with Roots permissions and as we know, Root can do some dangerous things to the system. It has complete control over the system so we really don't want that to happen, some dangerous things to happen while Root is logged in so you should normally use an ordinary user account whenever possible and only log in to Root when you need it. Now, of course, there are times when you need to be able to log in as Root or at least have Root access in order to be able to perform certain actions. There's a couple utilities built in so that you can change to Root's login and Root's permissions without logging out and logging back in as Root and those two utilities or the S-U or SU and Sudo and you can use those instead of logging in directly as Root. We'll talk about those right now. OK, we're in our Free BSD virtual machine and what I'd like to do right now is log in as Billy. We have been logging as Root up until now and we need to start changing that a little bit and using the SU and Sudo commands. So we're logged in as Billy and Billy's default shell of course is Bash and we can see that because Bash uniquely displays the user name there and what I'd like to do is I'd like to change to the Root account without logging in and I can use that, use the SU command to do that. Now, I don't necessarily want to do anything special but what I might want to do is have Root's profile because some of Root's profile is important to have if you're going to run commands as Root; the path and so forth because just running SU and running command may not help. We also want to get in the habit of using Root's profile normally. So we'll SU and put the Dash there and it's going to say sorry; bad SU, Billy to Root. It means he couldn't SU because he's not allowed to. Now, how does someone get allowed to log in as Root? Just a normal user can't do it. Well, what we have to do is we need to have somebody standing there with us that is the Root account or we have to login as Root in order to make this change to Billy's account so he can do it. So let's login and we're going to login as Root now and now that we're logged in as Root, what we want to do is we want to look at two things. First of all let's look at /etc /home.D Directory /su and as you can see, this basically has the defaults for the SU service. It allows us to set certain things for people who can login using the SU and SU into Root's account. You might want to edit that file if you think there are some different settings you want in there but you don't necessarily have to. In order to give Billy the permissions he needs, what we need to do, simply type in PW User Mod and Billy's name and we want to make him a member of the Wheel group. By default, the Wheel group is a special maintenance group and people who are in the Wheel group have the ability to login, route to SU as Root. So we're going to put him in there and the other in there and let's go ahead and exit out and we're going to exit out of Root's login and that's going to give us back to Billy's login and as you figured out already, we can have multiple logins for a session or we could have simply changed virtual terminals and logged in as Root on another virtual terminal if we didn't want Billy to see what we were doing. So now that we're back in Billy's account, how can we achieve the Root login here? We actually can go SU Dash and now instead of telling us we can't do it, it's going to ask us for our password. We're going to need a password to confirm that that's what we want to do so we're going to login as Root, put our password in. Not Root's password, but our password and hit Enter. And guess what. Now we're Root. Now we can perform some things if we like, perform some commands, we can add users, do other things that only Root can do and so forth and now that we've done those things that only Root can do, let's log out and get back to our normal account. How do we do that? By hitting the Exit command. Typing in Exit command rather. And so now we're just Billy again and we have normal user abilities. Now, the problem with SU is that once you're, you've SU'd, you can do anything you want and that's good because you may need to do several things but you may want to not allow Billy to do everything that Root can do so it's not like you have a choice between Billy's permissions or full Root. They've actually got something in between you can use and that's where Sudo comes in and we're going to cover Sudo a little bit more in depth when we talk about security, but basically the Sudo command allows you to assign certain users only certain Root privileges, so they can only do certain things. That way they don't have all of Root's privileges, just the minimum they need to get along and basically they type in the word Sudo and the command and that's all they can do. And they are prompted by a password and the good thing about Sudo is that it's logged so when a user uses Sudo, there's an accountability log that shows exactly what they did and when. So later you can go back and say hey, Billy, you did this as Root so you're the one responsible for this. You're the one who messed this up or you're the one who made this change. So Sudo is a much better way to do this than just SU, but SU is even better than just logging in as Root. We'll cover Sudo a little bit later in the course when we talk about security and you'll see why it's probably the best way to assume Root privileges when you're a normal user. So we've covered a little bit about the Root account and how you should manage it, how you should not be logging into it all the time and we talked about using SU instead.