Superuser

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero (uid=0) is the superuser, regardless of the name of that account; [1] and in systems which implement a role-based security model, any user with the role of superuser (or its synonyms) can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

Unix and Unix-like

In Unix-like computer OSes (such as Linux), root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. [2] BSD often provides a toor ("root" written backward) account in addition to a root account. [3] Regardless of the name, the superuser always has a user ID of 0. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024.

The name root may have originated because root is the only user account with permission to modify the root directory of a Unix system. This directory was originally considered to be root's home directory, [4] but the UNIX Filesystem Hierarchy Standard now recommends that root's home be at /root. [5] The first process bootstrapped in a Unix-like system, usually called init, runs with root privileges. It spawns all other processes directly or indirectly, which inherit their parents' privileges. Only a process running as root is allowed to change its user ID to that of another user; once it has done so, there is no way back. Doing so is sometimes called dropping root privileges and is often done as a security measure to limit the damage from possible contamination of the process. Another case is login and other programs that ask users for credentials and in case of successful authentication allow them to run programs with privileges of their accounts.
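Added example, not part of the original article: dropping root privileges as described above, using Python's os wrappers for the setgroups, setgid and setuid system calls, and then checking that there really is no way back. The function names and the target ID 65534 are assumptions made for illustration.

```python
import os

def can_regain_root() -> bool:
    """Try to become UID 0 again; True means the drop was not permanent."""
    for attempt in (os.setuid, os.seteuid):
        try:
            attempt(0)
        except PermissionError:
            continue
        return os.geteuid() == 0
    return False

def drop_privileges(uid: int, gid: int) -> None:
    """Permanently switch a root process to an unprivileged uid/gid."""
    if uid == 0 or gid == 0:
        raise ValueError("target uid and gid must be non-zero")
    if os.geteuid() != 0:
        raise PermissionError("not running as root, nothing to drop")
    # Order matters: groups and GID must change while the process is still
    # root, because after setuid() it is no longer allowed to change them.
    os.setgroups([])   # discard supplementary groups inherited from root
    os.setgid(gid)     # as root this sets the real, effective and saved GID
    os.setuid(uid)     # as root this sets the real, effective and saved UID
    # Confirm the result rather than trusting the calls alone.
    if (os.getuid(), os.geteuid()) != (uid, uid):
        raise RuntimeError("UID drop did not take effect")
    if (os.getgid(), os.getegid()) != (gid, gid):
        raise RuntimeError("GID drop did not take effect")
    if can_regain_root():
        raise RuntimeError("process was able to return to UID 0")

if __name__ == "__main__":
    # 65534 is an assumed ID for an unprivileged account such as "nobody".
    drop_privileges(65534, 65534)
    print("now running as uid", os.getuid(), "gid", os.getgid())
```

A daemon would call drop_privileges once, right after the last step that needs root (for example binding a port below 1024), and before handling any untrusted input.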

It is often recommended that root is never used as a normal user account, [6] [7] since simple typographical errors in entering commands can cause major damage to the system. Instead, a normal user account should be used, and then either the su (substitute user) or sudo (substitute user do) command is used. The su approach requires the user to know the root password, while the sudo method requires that the user be set up with the power to run "as root" within the /etc/sudoers file, typically indirectly by being made a member of the wheel, [8] adm, [9] admin, or sudo group.

For a number of reasons, the sudo approach is now generally preferred – for example it leaves an audit trail of who has used the command and what administrative operations they performed. [10]
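Added example, not part of the original article: an audit that applies the two rules above, listing every account with UID 0 whatever its name and the members of the groups this page names in connection with sudo. The passwd and group contents are constructed sample data, and the function names are assumptions.

```python
# Group names this page lists as commonly tied to sudo access. Whether a group
# really grants it depends on /etc/sudoers on the system being audited.
ADMIN_GROUPS = ("wheel", "adm", "admin", "sudo")

# Constructed sample data in passwd(5) and group(5) format, not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:Bourne-again Superuser:/root:
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:10::/home/bob:/bin/sh
broken-line-without-fields
"""
SAMPLE_GROUP = """\
adm:x:4:syslog
wheel:x:10:alice
sudo:x:27:carol,alice
users:x:100:dave
"""

def _records(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields

def uid0_accounts(passwd_text):
    """Names of all accounts whose UID field is 0; each one is a superuser."""
    return [f[0] for f in _records(passwd_text, 7)
            if f[2].strip().isdigit() and int(f[2]) == 0]

def admin_group_members(passwd_text, group_text):
    """Map each admin group present to its members, listed or via primary GID."""
    result = {}
    for name, _pw, gid, members in (f[:4] for f in _records(group_text, 4)):
        if name not in ADMIN_GROUPS:
            continue
        found = {m for m in members.split(",") if m}
        found |= {f[0] for f in _records(passwd_text, 7) if f[3] == gid}
        result[name] = sorted(found)
    return result

if __name__ == "__main__":
    for name in uid0_accounts(SAMPLE_PASSWD):
        note = "" if name == "root" else "(review: superuser under another name)"
        print("UID 0:", name, note)
    print(admin_group_members(SAMPLE_PASSWD, SAMPLE_GROUP))
```

On a real host, pass the contents of /etc/passwd and /etc/group instead of the samples; bob appears under wheel only because his primary GID matches it, a membership the group file's member list alone would not show.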

Some OSes, such as macOS and some Linux distributions (most notably Ubuntu [6]), automatically give the initial user created the ability to run as root via sudo – but this is configured to ask them for their password before doing administrative actions. In some cases the actual root account is disabled by default, so it can't be directly used. [6] In mobile platform-oriented OSs such as Apple iOS and Android, superuser access is inaccessible by design, but generally the security system can be exploited in order to obtain it. [citation needed] In a few systems, such as Plan 9, there is no superuser at all. [11]

Microsoft Windows

In Windows NT and later systems derived from it (such as Windows 2000, Windows XP, Windows Server 2003, and Windows Vista/7/8/10/11), there must be at least one administrator account (Windows XP and earlier) or one able to elevate privileges to superuser (Windows Vista/7/8/10/11 via User Account Control). [12] In Windows XP and earlier systems, there is a built-in administrator account that remains hidden when a user administrator-equivalent account exists. [13] This built-in administrator account is created with a blank password. [13] This poses security risks as local users would be able to access the computer via the built-in administrator account if the password is left blank, so the account is disabled by default in Windows Vista and later systems due to the introduction of User Account Control (UAC). [13] Remote users are unable to access the built-in administrator account.

A Windows administrator account is not an exact analogue of the Unix root account – Administrator, the built-in administrator account, and a user administrator account have the same level of privileges. The default user account created in Windows systems is an administrator account. Unlike macOS, Linux, and Windows Vista/7/8/10 administrator accounts, administrator accounts in Windows systems without UAC do not insulate the system from most of the pitfalls of full root access. One of these pitfalls is decreased resilience to malware infections. To avoid this and maintain optimal system security on pre-UAC Windows systems, it is recommended to simply authenticate when necessary from a standard user account, either via a password set to the built-in administrator account, or another administrator account.

In Windows Vista/7/8/10/11 administrator accounts, a prompt will appear to authenticate running a process with elevated privileges. Usually, no user credentials are required to authenticate the UAC prompt in administrator accounts, but authenticating the UAC prompt requires entering the username and password of an administrator in standard user accounts. In Windows XP (and earlier systems) administrator accounts, authentication is not required to run a process with elevated privileges. This poses a security risk that led to the development of UAC. Users can set a process to run with elevated privileges from standard accounts by setting the process to "run as administrator" or using the runas command and authenticating the prompt with credentials (username and password) of an administrator account. Much of the benefit of authenticating from a standard account is negated if the administrator account whose credentials are being used has a blank password (as in the built-in administrator account in Windows XP and earlier systems), which is why it is recommended to set a password for the built-in administrator account.

In Windows NT, 2000 and higher, the root user is the Administrator account. [14]

Novell NetWare

In Novell NetWare, the superuser was called "supervisor", [15] later "admin".

OpenVMS

In OpenVMS, "SYSTEM" is the superuser account for the OS.

Older personal systems

On many older OSes on computers intended for personal and home use, anyone using the system had full privileges. Many such systems, such as DOS, did not have the concept of multiple accounts, and although others such as Windows 95 did allow multiple accounts, this was only so that each could have its own preferences profile – all users still had full administrative control over the machine.

Related Research Articles

A home directory is a file system directory on a multi-user operating system containing files for a given user of the system. The specifics of the home directory are defined by the operating system involved; for example, Linux / BSD (FHS) systems use /home/⟨username⟩ or /usr/home/⟨username⟩ and Windows systems since Windows Vista use \Users\⟨username⟩.

The Unix command su, which stands for 'substitute user', is used by a computer user to execute commands with the privileges of another user account. When executed it invokes a shell without changing the current working directory or the user environment.

passwd Tool to change passwords on Unix-like OSes

passwd is a command on Unix, Plan 9, Inferno, and most Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.

The Security Account Manager (SAM) is a database file in Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.

Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled. Administrative shares cannot be accessed by users without administrative privileges.

sudo Command on Unix systems to temporarily assume root privileges

sudo is a program for Unix-like computer operating systems that enables users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and this remains its most common usage; however, the official Sudo project page lists it as "su 'do'". The current Linux manual pages for su define it as "substitute user", making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well.

Unix-like operating systems identify a user by a value called a user identifier, often abbreviated to user ID or UID. The UID, along with the group identifier (GID) and other access control criteria, is used to determine which system resources a user can access. The password file maps textual user names to UIDs. UIDs are stored in the inodes of the Unix file system, running processes, tar archives, and the now-obsolete Network Information Service. In POSIX-compliant environments, the shell command id gives the current user's UID, as well as more information such as the user name, primary user group and group identifier (GID).

Windows Services for UNIX (SFU) is a discontinued software package produced by Microsoft which provided a Unix environment on Windows NT and some of its immediate successor operating-systems.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

Safe mode is a diagnostic mode of a computer operating system (OS). It can also refer to a mode of operation by application software. Safe mode is intended to help fix most, if not all, problems within an operating system. It is also widely used for removing rogue security software.

Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

User Account Control Security software

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware is kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Login Process by which an individual gains access to a computer system

In computer security, logging in is the process by which an individual gains access to a computer system or program by identifying and authenticating themselves.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

In computing, runas is a command in the Microsoft Windows line of operating systems that allows a user to run specific tools and programs under a different username to the one that was used to logon to a computer interactively. It is similar to the Unix commands sudo and su, but the Unix commands generally require prior configuration by the system administrator to work for a particular user and/or command.

Windows XP and Windows Vista differ considerably in regards to their security architecture, networking technologies, management and administration, shell and user interface, and mobile computing. Windows XP has suffered criticism for security problems and issues with performance. Vista has received criticism for issues with performance and product activation. Another common criticism of Vista concerns the integration of new forms of DRM into the operating system, and User Account Control (UAC) security technology.

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

References

  1. "getpwuid". opengroup.org. Archived from the original on 22 August 2015. Retrieved 12 January 2019.
  2. The Jargon File (version 4.4.7). Archived 2021-04-18 at the Wayback Machine, catb.org
  3. "What is this UID 0 toor account?" Archived 2020-12-22 at the Wayback Machine, freebsd.org
  4. "What is root? - definition by The Linux Information Project". LINFO. Archived from the original on 2021-05-08. Retrieved 2012-08-07.
  5. "/root : Home directory for the root user (optional)". Archived from the original on 2005-05-25. Retrieved 2015-05-11.
  6. "RootSudo". ubuntu.com. Archived from the original on 5 November 2011. Retrieved 16 September 2015.
  7. "4.4. Administrative Controls". redhat.com. Archived from the original on 5 June 2015. Retrieved 16 September 2015.
  8. "2.3. Configuring sudo Access". redhat.com. Archived from the original on 2019-12-22. Retrieved 16 September 2015.
  9. "difference adm - root". Archived from the original on 5 November 2016. Retrieved 1 August 2016.
  10. Brian Wotring (2005). Host Integrity Monitoring Using Osiris and Samhain. Elsevier. p. 32. ISBN 978-0-08-048894-3. Archived from the original on 2024-05-24. Retrieved 2018-12-17.
  11. Cox, Russ; Grosse, Eric; Pike, Rob; Presotto, Dave; Quinlan, Sean, Security in Plan 9, Bell Labs, archived from the original on 11 July 2018
  12. "Microsoft Corporation". Microsoft.com. Archived from the original on 2012-07-11. Retrieved 2012-08-07.
  13. "Enable and Disable the Built-in Administrator Account". microsoft.com. 25 July 2008. Archived from the original on 2013-11-27. Retrieved 2014-02-26.
  14. "The LocalSystem Account". microsoft.com. Microsoft. Archived from the original on 13 March 2016. Retrieved 16 September 2015.
  15. "Supervisor (Bindery) User Created on Every NetWare 4 Server". Archived 2017-11-07 at the Wayback Machine, 01 Feb 1996, novell.com