6

On Debian when I am logged on as root, I don't have to write sudo before each command.

On Ubuntu I have to write sudo or I use su -

Is there a way to remove sudo on Ubuntu so that when I am logged on as root, I write all commands directly such as mkdir, rm etc...?

Zanna
  • 70,465
yarek
  • 191
  • 7
    If it makes you type sudo, su, gksu or gksudo it means you are not signed on as root. You are just a regular user with root privileges that allows you to temporarily elevate to root using sudo, etc. – WinEunuuchs2Unix Mar 27 '18 at 22:56
  • I use both Ubuntu and Debian and I don't see a difference. I'm guessing you have created a user account called 'root' (which is not the root user which by default is disabled in Ubuntu). If you id do you show as root (uid=0,gid=0..) or a user (uid>0,gid>0,..) – guiverc Mar 27 '18 at 23:45
  • @guiverc You don't have to call a root user account root. When I first started learning Ubuntu I created a root user account called Superman. I spent a couple of minutes looking for the link I followed a few years ago but didn't find it. There are other links now but they don't have the screen shots the old link had. – WinEunuuchs2Unix Mar 28 '18 at 01:58
  • @WinEunuuchs2Unix I realize that; my guess was the OP used 'root' as their username (user account, uid=1000) believing they would have root privileges b/c their $USER == 'root' (I also realize $UID is only part...) – guiverc Mar 28 '18 at 02:58
  • @WinEunuuchs2Unix This question does not appear to be a duplicate of How do I login as root?; nor do any of the answers address his issue. The content is different. The OP isn't asking how to login as root. Or how to use the sudoer tools. He mentions that he's already using the tools. He's trying to learn not to remove the prompts for the elevated access. The answer is that he can't remove the elevated access prompt. Reading the other question and answers doesn't address this. – L. D. James Mar 29 '18 at 15:47
  • 1
    It looks very similar to me, there are even similarities between your answer here and this one there. Granted yours is of much higher quality. I would have liked to see your answer merged into the answers at the called duplicate personally... – Elder Geek Mar 29 '18 at 16:50
  • @ElderGeek I meant to express in my answer, that the direct answer is, no, you can't disable it... it works the same in both Debian and Ubuntu. After the answer, I added more info of how to appreciate what he has already indicated in his question that he knows (which is common with the info in the "duplicated" question/answer). Then I also added a different way of logging in as root (which wasn't his question, but something additional that he might benefit by testing). – L. D. James Mar 29 '18 at 18:14
  • 2
    Possible duplicate of How do I login as root? I don't see any reason for this to have been reopened. As @ElderGeek says, not just the question but also the answers here and there seem to cover the same ground. If we reclose this, we can ask for merging, which seems like a more reasonable alternative to me. I also don't see how "no, you can't disable it... it works the same in both Debian and Ubuntu" is really the core of the answer to this. What the OP wants can be done. (Also, you can remove sudo from a Debian system...) – Eliah Kagan Mar 30 '18 at 22:11
  • To be honest, I don't really see these as direct duplicates. Merging would require extensive editing of the answers here so they'd fit the answers on the suggested dupe. Why not just leave them both open? – terdon Apr 05 '18 at 12:30

3 Answers

15

The short answer is, no, you can't disable it.

Ubuntu, which is Debian based, works the same as Debian. If you are logged in as root (which is userID 0), you will not have to use sudo for the elevated privilege; you'd already have it.

The difference is that when you install Ubuntu, it'll prompt you for a username and password for logging in and add this user to the sudoers group. As mentioned in the comments, by default on Ubuntu (which is another difference) the root account is disabled. While it's not advisable, you could enable it just by setting up a password for it with:

$ sudo passwd root

Then you could log in as root... which would be the same as logging in as root on Debian.

A security risk (among many) to having the root account enabled is that the root account is common on all Linux systems. Hackers run scripts to try to break into computers as root. Having the root account disabled is a layer of defense.

As far as disabling sudo, that's not something you can do on Debian or Ubuntu. A normal user on both OSes will have to have sudoers access to use elevated commands. By the content in your question, you are already familiar with the sudo, and sudo su - variations.

If there were a way to make normal users have full root access, it would be the exact same process with Ubuntu as with Debian.

Note:

By default user IDs below 1000 are hidden and aren't shown on the login screen. You can configure lightdm to allow manual logins with these steps:

  1. Edit the /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf configuration file.
  2. Add this line: greeter-show-manual-login=true
  3. Restart the lightdm service with: sudo systemctl restart lightdm
  4. Then use the new Login option to manually type in the root userID and password.

To disable the root account (taking it back to the default) run this command:

$ sudo passwd -dl root

You can find other details about how this works on Ubuntu at:
RootSudo - Community Help Wiki

terdon
  • 100,812
L. D. James
  • 25,036
  • I think you want to make the last Ubuntu and Debian formatted like the preceding Debian and Ubuntu? That said I think there are more steps than just sudo passwd root but can't say for sure.. – WinEunuuchs2Unix Mar 28 '18 at 02:04
  • Setting a password will enable the root account. The user won't be visible in the Lightdm login manager. This can be done by adding greeter-show-manual-login=true to the /usr/share/lightdm/lightdm.d/50-unity-greeter.conf file, then restarting the lightdm service. I'll add that step for the answer for clarification. I don't understand your first statement. Please feel free to edit the answer to clarify what I might be confusing. Thanks. – L. D. James Mar 28 '18 at 02:22
  • Yes those sound like the steps I was thinking of. Also I changed Ubuntu and Debian from code blocks to Ubuntu and Debian bold text as you pointed out I should do. – WinEunuuchs2Unix Mar 28 '18 at 02:32
  • 1
    "By default userID below 500 are hidden". Isn't it <1000? – pLumo Mar 28 '18 at 06:49
  • @RoVo You're right. I'll update the answer. By the way, I had been going by the configuration in /etc/lightdm/users.conf. – L. D. James Mar 28 '18 at 10:33
  • Anecdote: At work we have some SLES servers (SuSE) with permissions.paranoid enabled to maximise security. Yes, that is the actual name. One of the measures is removing the setuid bit from both sudo and su effectively disabling them for non-root users. Only root is allowed to login via ssh (no password, only key). This approach differs from Ubuntu and is meant for servers, not desktops. – PerlDuck Mar 30 '18 at 13:49
  • @PerlDuck I find that systems that use one name and password for users to share a single User ID to be very vulnerable. A law firm hired me for some maintenance. I noticed they had an administration username and password which all their managers shared (who needed that type of access). All the regular office workers shared the same username and ID for the normal user. I immediately told them it was bad practice. They should give a separate username and password to each person. That way if they had a reason to restrict a person's access it wouldn't affect everybody... (continued) – L. D. James Mar 30 '18 at 14:44
  • ... (continued) Within six months of my advice, they had a reason to fire an employer with administrative access. It's good that they had taken my advice. We only had to disable his account without having to change the passwords for all the users. It's just a level of security, which your method would be lacking. I especially wouldn't want to allow direct root ssh access under any occasions, even with the ssh-key. By the way, I had noticed suspicious activity from the Lawyer's account which caused me to advise limiting his access before he was fired... (continued) – L. D. James Mar 30 '18 at 14:51
  • ... (continued) While it's possible, it wouldn't be as easy to trace suspicious activity to an individual when everybody shares the same Username/ID (i.e. root). Also, the root account would be compromised if one of the workers with root access had their computer lost or compromised. – L. D. James Mar 30 '18 at 14:54
  • Of course you can disable sudo: log in as root and apt remove sudo. Less drastically, you can also remove all users from the sudoers. – fkraiem Nov 12 '19 at 22:57
5

You don't have to disable sudo to get a root shell. Run:

sudo -i

And now every command you type is as the root user.

Also, when you are logged in as root, you don't have to prepend every command with sudo anymore. I think you are confused here. You sudo before a command when you run it as a user, but once root, you don't need it.

It is obvious you should be extra careful when you do that. Use a colored prompt (red, enabled by default) to always know when you are in a root shell.

Also, it could be a good idea to set a timeout on your root session by using the TMOUT environment variable.

In /root/.bashrc, add the line

export TMOUT=300 

for a 5-minute timeout.

solsTiCe
  • 9,231
  • Thanks for sharing TMOUT. I knew it and thought it would apply only to ssh sessions but it works in ordinary terminal windows as well. I just tried. – PerlDuck Mar 30 '18 at 14:06
1

Just use sudo su to login as root from a user in the sudo group. If you want to disable this, you have to set a root passwd, then remove the other user from the sudo group. This will require you to su - root to login as root whenever root privileges are needed.

Once you sudo su from a sudo user to root, and type whoami, it will display root. The root account is disabled from direct login by default in Debian, but I wouldn't say that it's somehow more or less secure than other Linux distros. In the end, the sudo user's password invokes root privileges, so... It's not much different than knowing the root user name. If you know the sudo group users, you can still attack their passwords to get to the same goal.

P9a3
  • 11
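
The answers and comments above turn on three facts: whether root's password is locked, which accounts have UID 0, and who is in the sudo group. As an added example (not part of any answer on this page), this script reports all three from passwd-, shadow- and group-format files; the accounts alice, bob and superman and all file contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original posts): report how root can be reached,
# reading passwd/shadow/group-format files given as arguments.

# Print locked | empty | set | missing for root's password field in a shadow file.
root_password_state() {
    awk -F: '$1 == "root" {
        found = 1
        if ($2 == "") print "empty"             # no password required at all
        else if ($2 ~ /^[!*]/) print "locked"   # password login disabled
        else print "set"                        # a hash is present (after passwd root)
    }
    END { if (!found) print "missing" }' "$1"
}

# Print every account name with UID 0 (normally exactly one: root).
uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# Print the members of the sudo group, space separated.
sudo_group_members() {
    awk -F: '$1 == "sudo" { gsub(/,/, " ", $4); print $4 }' "$1"
}

# Write constructed sample files (not real account data) into directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'superman:x:0:0::/home/superman:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:!:17617:0:99999:7:::' \
                  'alice:$6$constructed$notarealhash:17617:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'sudo:x:27:alice,bob' 'users:x:100:' > "$1/group"
}

# Demo run against the constructed sample.
dir=$(mktemp -d)
make_sample "$dir"
echo "root password:  $(root_password_state "$dir/shadow")"
echo "UID 0 accounts: $(uid0_accounts "$dir/passwd")"
echo "sudo members:   $(sudo_group_members "$dir/group")"
rm -rf "$dir"
```

On a real system the same functions take /etc/shadow, /etc/passwd and /etc/group; reading /etc/shadow requires root.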