Managing Root Access

Aside from logging in as root, there are two different ways to grant a user

account the superuser privileges of the root account. Debian delivers the two

programs su and sudo as ways to provide root access for non root accounts.

su

The su program changes the effective uid of the account to that of another

account. In order to successfully change the uid, the password for that account

must be entered. For this reason, in order to use su to gain root access, you

must know the password of the root account. This means for each person who

needs root access with su, yet another person must know (and remember) the

password for the root account.

Now, if a user has their account password compromised, only that account is

open for illegitimate access. When the root password is compromised, the

whole system becomes vulnerable to attack. For this reason it is advisable to

take more care with the root password than with anything else. Giving that

password out to more than the System Administrator is begging for disaster.

So, what good is su? The safe usage of su is to use it to change from one user

account to another. You, of course, must know the password of the account

you wish to move to. This is sort of like logging into the other account, but

with su the environment of the old account is carried over into the new account

session. This is very useful if you have your user account set up with particular

default environment conditions, and wish to work under an account that is set

up different.

194