[Discussion] Help me understand root and sudo

[Augie77]

During my first install of Debian/Bookworm, I was given the option of setting a root password, or not. Coming from Mint, I knew to use sudo so I chose no root password. I recently needed to use Recovery Mode, which demonstrated the need for a root user. I am perplexed as to the why and why not of sudo and root in the terminal. When to use one over the other? I need some schooling.

[CwF]

viewtopic.php?t=158146

[None1975]

Hello.

Check this

[pbear]

FWIW, I always enable both sudo and the root account. Which I use depends on the task and my mood.

[wizard10000]

...I recently needed to use Recovery Mode, which demonstrated the need for a root user.

I've grumbled about this for quite awhile - Debian's recovery mode requires a root password but Ubuntu's recovery mode does not.

What I do is skip the root password in the installer and set one after first boot. Been doing it that way for years.

[Augie77]

I appreciate the links and comments. My understanding of su / sudo / root are much clearer now. I am not experienced enough in Linux to have a well formed opinion of the matter, but I have started using su in place of sudo, and am discovering I do not need to append sudo to every command in terminal. I do ponder the need for root in recovery mode for the single user, but do see where it would used be in an office environment where there is a need to protect the hardware and software from unsavoury employees. I suppose the problem is the installer app has no idea if the PC is at a persons home, or sitting in an office, in front of an IT admin.

[wizard10000]

...am discovering I do not need to append sudo to every command in terminal

sudo -i will give you as persistent root prompt.

[pbear]

Off-topic, recovery mode is a useful tool, but you would be better off setting up something with a desktop you can boot from "outside." I use a full install flash drive. A live ISO also works.

[Augie77]

Off-topic, recovery mode is a useful tool, but you would be better off setting up something with a desktop you can boot from "outside." I use a full install flash drive. A live ISO also works.

Consider this an open thread where off topic is welcomed, in fact, I would be glad to change the title to 'Help me understand root, sudo and Recovery Mode'. Knowledge is always a good thing and the more I learn, then the more comfortable I am with helping neighbours and others adopt and adapt to Linux.

I have a live .iso of Debian, and a drive with Foxclone that boots, and has a few tools. I feel that one of the biggest hurdles for new users to Linux is how to recover the system without doing a new install, something I frequently see recommended on other sites. We new users tend to not understand the recovery mode or how to get to it, especially in a single boot environment. Recovery Mode is what I want to become familiar with next.

[pbear]

As far as I'm concerned, there are only two scenarios where it makes sense to use recovery mode. One is where the user knows exactly what to type to get the desired result and recovery mode will be faster/easier than booting a USB repair tool and solving the problem that way. The other is when one doesn't have a USB repair tool, so it's recovery mode or stare at a black screen. By contrast, a desktop booted from USB has a real terminal, a file manager, an internet browser (to research solutions), and various GUI system tools (e.g., Disks and GParted). And, on a full install flash drive, you can set up the internet connection in advance, install drivers, install apps you might find useful, have copies of troubleshooting notes, etc. Plus, of course, it'll serve as a temporary operating system (to access files, email, etc.) while you work on fixing the installed system.

[Augie77]

I am extremely uncomfortable with recovery mode, due to lack of knowledge and inexperience. I much prefer the USB live boot method. Presently I use the boot USB from Foxclone, I can use the live .iso for Debian as well, I expect.

[pbear]

The live ISO for whichever version you installed would be much more useful than the Foxclone ISO, which is only designed to create a platform from which to make backups. If you haven't already, take a look at Ventoy. It's a little work to set up, but once up-and-running a breeze to use. No more faffing about burning ISOs. Just copy to the Ventoy drive and boot directly from them. You also can put Foxclone and other utilities on the drive.

Better still, if you have a flash drive at least 30 GB handy, full install is pretty easy. Not suitable for running the OS - flash drives aren't engineered for this sort of thing - but ideal as a recovery tool. You can have both, of course.

[CwF]

I use a a spare bay for a spare sata ssd. For temp use without a bay I take it out and use a sata>usb adapter, works fine.

This ssd can be built, upgraded, used while on a proper sata interface. To test it as usb a vm can boot a vfio usb port, not sure how vbox would do this.

You can fit all you need into a gig+ image utilizing an ~8G+ partition on a any size device.

Not for only recovery, when this ssd has extra space for images then it is the 'flasher' capable of booting s system and imaging to/from its primary boot disk.

[pbear]

... not sure how vbox would do this.

As an aside, VBox calls that function raw disk. There's a section about it in the manual and plenty of articles on the internet.
Will say, the QEMU-KVM implementation of USB boot is easier to set up and more flexible in use.

[friendlysalmon88]

The main reason that Debian give you the option to create a root or superuser account is that i'ts a common Distribution for use on servers such as Web and email server, where you wouldn't want your server to be accessible by regular users. This is commonly done in most distributions such as Ubuntu because they are imed at "new Linux) users. In closing using sudo is actually a good security practice.

[cellSeven]

I hope I am on-topic enough to entwine my question with questions of the OP, so that the responses to my own add to both his/her and my own clarity.
As a beginner, I can only see that sudo is conventient but seems to add a security risk. Afterall, when the password of the ordinary user with sudo privileges is compromised, immediately allows the attacker to perform root-privileged commands, whereas if the ordinary user does not have sudo privileges, his compromised account cannot utilise sudo so as to execute root-privileged commands. I would rather go through the trouble to execute the su command than use sudo.
To me it seems that sudo or the doas alternative cancel out the security benefit of privilege-hierarchy.

And: What would be the significant difference between su and su -?

Sincerely,

cellSeven

[steve_v]

To me it seems that sudo or the doas alternative cancel out the security benefit of privilege-hierarchy.

If you enable sudo for any command, sure.
Many arguments for "desktop" use of sudo miss the point entirely, going for either the "root == always bad" or "easier for newbs to only remember one password" angles.

The real purpose of sudo is to delegate limited superuser authority (e.g. only certain commands), on a per-user or per-group basis (and many other features, via PAM plugins). That kind of thing is of course more applicable to servers or mainframes where there may be more than one administrator, or users that need root priveleges for particular tasks.
As always, the details are in the manual pages.

What would be the significant difference between su and su -?

Whether you want a login shell (the primary effect of which is whether your environment is reloaded according to the new user id).
Again, this is all in the manual:

-, -l, --login
Start the shell as a login shell with an environment similar to a real login:

'su -' is currently the advised invocation on Debian, as it correctly sets root's $PATH, allowing you to execute things in e.g. /usr/sbin.

[cellSeven]

Hello Steve,

I apologise; it looks like I could have done more research. I do not have my intention set on negligence towards present documentation; I hope you understand a newbie can at whiles be a bit bewildered or overwhelmed by said documentation though. Sometimes the data you are looking for simultaneously co-exists with an abundance of information that is presently too advanced for you, and hence seeking understanding through direct human contact can be preferred in order to get a more-tailored answer suited to your present disposition. I especially had this experience with the FreeBSD manual that, though praised, for a newbie actually presents data with a lot of epistemic gaps.
And, thank you indeed for your enlightening answers! I understand that much more now.

Sincerely,

cellSeven

[Augie77]

Wow ... I did not know all this has gone on since my last post, I have not been receiving emails about this thread, and only sometimes on other threads.

@pbear I appreciate the ventoy link and will take a look at it. My Foxclone is primarily for cloning, and somtimes backups, though it does not like to back up to my USB thumb drives for some reason. It is handy in a pince as an alternate boot, but I do have the .iso for my Bookworm XFCE install.

@CwF my pc has a microATX board and case, so no external slots. I do have a number of USB ports and have thought about using a 500gig USB/SSD from SanDisk or Corsair as a live boot drive.


@steve_v I appreciate the additional clarity on sudo and su, it validates what I thought I understood.

Going to save this post now, we have had high winds and storms most of the day, I have lost power 7 times now. I won't bother to set any clocks until tomorrow morning.

Thanks to all.

[Augie77]

The live ISO for whichever version you installed would be much more useful than the Foxclone ISO, which is only designed to create a platform from which to make backups. If you haven't already, take a look at Ventoy. It's a little work to set up, but once up-and-running a breeze to use.
.
.
.

Ventoy was exceptionally easy to install to a 128gig Sandisk Luxe USB thumb drive. The download tar.gz has a GUI executable that once started, you simply pick the drive to install to and then click install. After that I copied over Debian XFCE, Mate, and Cinnamon. Then booted into Cinnamon. The Ventoy worked quite well, it took longer to read a couple of the web pages than to install Ventoy.