SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
This page is about the root superuser account in Linux, about rooting phones and other devices, and briefly explains how to manage root access and other privileged access.
Root is the superuser account in Unix and Linux. It is a user account for administrative purposes, and typically has the highest access rights on the system.
Usually, the root user account is called root. However, in Unix and Linux, any account with user ID 0 is a root account, regardless of its name: the kernel checks the numeric ID, not the name, so a second UID-0 account called something else is exactly as powerful as root and is easy to overlook in an audit that only looks for the name. It is fairly common for certain system administrators to have their own root accounts on a system, with their own passwords.
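Because the name is irrelevant and only the UID counts, the check worth automating is "which accounts have UID 0 besides root". The script below is an added example, not code from the original page; the passwd lines it scans are a constructed sample, and the same function can be pointed at the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original page): list every account whose numeric
# UID is 0, i.e. every account that is root whatever it is called. The function
# reads passwd-format lines on stdin so it works on a sample and on /etc/passwd.
uid0_accounts() {
    # Fields are name:password:UID:GID:GECOS:home:shell; skip comment lines.
    awk -F: '$0 !~ /^#/ && NF >= 7 && $3 == 0 { print $1 }'
}

# The actionable list: UID-0 accounts that are not literally named "root".
extra_uid0_accounts() {
    uid0_accounts | grep -vx root || true
}

# Constructed sample passwd file: "toor" and "sysadmin" are extra UID-0
# accounts that a check for the name "root" alone would never report.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:Bourne-again superuser:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadmin:x:0:100:Shared admin account:/home/sysadmin:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
# On a real host: extra_uid0_accounts < /etc/passwd   (any output deserves a question)
```

The awk comparison is numeric, so the check also catches cosmetic variants such as a UID written as 00; anything the second function prints should be either a documented per-administrator root account or an incident.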
Privileged account management refers to managing access to privileged accounts, including root accounts. Deploying privileged access management tools is important for organizations because root accounts are so powerful. A significant share of security incidents involves internal actors, such as system administrators. Gaining accountability for what they do is important for deterring insider crime and fraud. Furthermore, many cybersecurity regulations and best-practice frameworks require deploying privileged access management tools.
Privileged access management tools provide logging and monitoring of access. Typically every root login and every command executed as root is logged.
The passwords for privileged accounts should never be shared. Shared passwords are much more likely to be misused, tend to remain unchanged for extended periods, and often leak when employees change jobs. Also, since they are nobody's personal responsibility and are sort of common knowledge among peers, they tend not to get the same diligence as personal accounts, and are often emailed or written down in notes, files, and password managers.
A superuser account is a generic term for root accounts, Windows administrator accounts, and other similar accounts with generally unlimited privileges on systems.
Tools such as sudo can be used to grant selected users the ability to run selected commands as root without giving them the root password. All privileged access management tools also provide this capability. All of these tools can also log the commands performed as root, giving accountability for what is done as root.
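A minimal sudoers rule of this kind, as an added example that is not from the original page (the group name webops, the nginx commands and the log paths are assumptions for illustration):

```text
# /etc/sudoers.d/webops  (constructed example; install with visudo -f, or check with visudo -cf first)
# Members of group webops may restart or reload nginx and read its two log
# files as root, and nothing else. Every invocation goes to the sudo log and
# the terminal I/O of each session is recorded.
Defaults        logfile="/var/log/sudo.log"
Defaults        log_output
Cmnd_Alias      WEBCTL  = /bin/systemctl restart nginx, /bin/systemctl reload nginx
Cmnd_Alias      WEBLOGS = /usr/bin/tail /var/log/nginx/access.log, \
                          /usr/bin/tail /var/log/nginx/error.log
%webops ALL=(root) WEBCTL, WEBLOGS
```

Two details matter for the "selected commands" promise: list exact arguments rather than wildcards, because a wildcard in an argument position also matches across spaces (a rule for /usr/bin/tail /var/log/nginx/* would accept /var/log/nginx/x /etc/shadow as well), and never grant commands that can spawn a shell or pager (editors, less, anything with a ! escape), since those hand over a full root shell however narrow the rule looks.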
Root access means performing something using root privileges. In Linux-based systems, this means being able to do something using the user id 0, i.e., as root.
Having root access generally means being able to log into some root account on the server, or being able to run commands as root on the server, for example by using some privilege escalation tool such as
The root account has root privileges. This means it can read and write any files on the system, perform operations as any user, change system configuration, install and remove software, and upgrade the operating system and/or firmware. In essence, it can do pretty much anything on the system.
It is usually preferable to use dedicated service accounts for running applications and for managing various operating system subsystems. Access to the root account should be limited to the absolute minimum number of people and uses.
Root accounts are very powerful, and can do almost anything on a computer. Various operating systems have mechanisms for limiting what root accounts can do. Such systems are primarily used in security-sensitive enterprises with dedicated security teams and in certain military and government organizations.
SELinux is a popular tool for limiting what processes running as root can do. It is primarily targeted for limiting exposure to vulnerabilities in server processes (such as web servers). However, the administrator's shell is just a normal program, and SELinux can also be used to limit what can be done from the shell.
SELinux is also frequently used to make escaping from containers more difficult.
SELinux is included and enabled by default in Red Hat Enterprise Linux and CentOS Linux. On these systems, if root cannot access a file or perform an operation, the most common reason is that SELinux policy prevents the operation; getenforce shows whether the policy is being enforced, and the denial is recorded as an AVC message in the audit log (/var/log/audit/audit.log).
AppArmor is another tool similar to SELinux; it is the default mandatory access control system on Ubuntu and SUSE.
Systems utilizing multilevel security don't necessarily have a root account or its access rights may be severely limited. However, such systems are rarely used outside classified military environments.
The FreeBSD operating system has file flags, set using the chflags command, which can be used to prevent even root from performing certain operations on files (for example, the schg system-immutable flag cannot be cleared while the kernel runs at a raised securelevel).
Apple macOS also has a root account. By default, it is disabled for logins and only used internally. Apple documents how to enable it for logins through Directory Utility (Edit > Enable Root User); the dsenableroot command does the same from a terminal.
SSH (Secure Shell) is often used for logging into remote servers as root. However, the default configuration in OpenSSH (PermitRootLogin prohibit-password, the upstream default since OpenSSH 7.0) prevents root login using passwords while still allowing public-key root logins. To change this, set the PermitRootLogin option in /etc/ssh/sshd_config. On most servers the preferable value is no: administrators log in as themselves and use sudo, which keeps every action attributable to a person.
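A pitfall when auditing this setting is that sshd honours the first occurrence of a keyword, so a PermitRootLogin no appended at the end of a file that already says yes changes nothing. The checker below is an added example, not code from the original page; it reads an sshd_config on stdin and reports the effective global value. It assumes, to stay short, that everything after the first Match line is conditional and can be ignored, and the two configurations it scans are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): report the effective global
# PermitRootLogin value of an sshd_config read on stdin. As in sshd, the
# first occurrence of a keyword wins and keyword names are case-insensitive.
# Simplifying assumption: everything after the first "Match" line is
# conditional and ignored here.
permit_root_login() {
    awk '
        tolower($1) == "match"                    { in_match = 1 }
        in_match || NF == 0 || $1 ~ /^#/          { next }
        tolower($1) == "permitrootlogin" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "prohibit-password" }   # upstream default since OpenSSH 7.0
    '
}

# Exit 0 only when direct root login is fully disabled; otherwise warn and exit 1.
root_login_is_disabled() {
    value=$(permit_root_login)
    case "$value" in
        no) return 0 ;;
        *)  echo "WARN: effective PermitRootLogin is '$value'" >&2; return 1 ;;
    esac
}

# Constructed configs. The weak one was "fixed" by appending a line, which
# sshd never reads because the earlier "yes" wins.
WEAK_CONFIG='Port 22
# PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no'

printf '%s\n' "$WEAK_CONFIG"     | root_login_is_disabled || echo "weak config flagged"
printf '%s\n' "$HARDENED_CONFIG" | root_login_is_disabled && echo "hardened config OK"
# On a real host: root_login_is_disabled < /etc/ssh/sshd_config
```

After editing the real file, run sshd -t to validate the syntax before reloading the daemon, and keep the existing session open until a new login works; a typo in sshd_config otherwise locks you out of the server.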
One thing system administrators and auditors should know is that in Linux and Unix, programs can be run using a particular user ID by changing the owner of the executable to that user and setting the setuid bit in the file permissions. For example, once root owns the file, chmod 4755 executable makes it execute as root regardless of who runs it (the Linux kernel ignores the setuid bit on interpreted scripts, so this applies to compiled binaries). It is common for (novice) hackers to hide backdoors in systems by creating a suitable executable with the setuid bit set. This is something that basic security scans routinely look for.
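The scan itself is a find over the mode bits compared against a baseline recorded when the system was built. The script below is an added example, not code from the original page; the directory tree it scans, the baseline, and the planted files are all constructed for the demonstration (they are shell scripts, which Linux would not actually run setuid, but the mode bit is what a scan keys on).

```shell
#!/bin/sh
# Added example (not from the original page): find set-user-ID files under a
# directory tree and report the ones missing from an expected baseline.
# The baseline and the planted files below are constructed for the demo.

# Print all regular files with the setuid bit (-perm -4000 means "all of the
# bits in 04000 are set"), one per line, sorted for stable comparison.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that are not listed (one path per line) in the
# baseline file $2. On a real host the baseline is what you recorded right
# after installation, e.g.  find_setuid / > /root/setuid.baseline
unexpected_setuid() {
    find_setuid "$1" | grep -vxF -f "$2"
}

# Demonstration: one expected setuid helper and one planted as a dotfile under
# a library directory, the kind of thing a basic scan should flag. Relative
# paths are used so the output does not depend on the temporary directory name.
demo_setuid_scan() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/bin" "$demo/lib"
    printf '#!/bin/sh\nexit 0\n' > "$demo/bin/legit"
    printf '#!/bin/sh\nexit 0\n' > "$demo/lib/.cache"
    chmod 4755 "$demo/bin/legit" "$demo/lib/.cache"      # planted backdoor marker
    printf './bin/legit\n' > "$demo/setuid.baseline"    # only legit is expected
    (cd "$demo" && unexpected_setuid . setuid.baseline)
    rm -rf "$demo"
}

demo_setuid_scan    # prints ./lib/.cache
```

On a production host, exclude pseudo-filesystems (-xdev or a mount list) so the scan does not wander into /proc, and treat a new setuid file outside the package manager's inventory as a finding to explain, not merely to delete: the file is evidence of how the system was compromised.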
Single user mode is a special mode into which Linux, Unix, and Mac computers can be booted. Booting into single user mode normally requires physical access to the computer, and is typically used for recovering the root password if it has been lost, fixing the operating system, or restoring data after some catastrophic failure or corruption.
Beware that the Intel AMT firmware vulnerability may be used by attackers to boot systems into single user mode, since AMT provides remote console and boot control that works independently of the operating system. Therefore, it is important to make sure the firmware has been upgraded on any Intel servers that have Intel Active Management Technology (AMT) enabled, and to disable AMT where it is not needed.
Some operating systems can be configured to require the root password in order to boot into single user mode. With those systems, it is particularly important to have the password for the root account securely stored, for example in a safe.
As long as disk encryption is not used, it is generally possible to recover a system where the root password has been lost by removing the disk from the computer, connecting it to another computer as a second disk, mounting it there, and then editing the password file on the mounted disk to reset the root password (e.g., edit /mnt/etc/shadow and copy the encrypted password for root from some other account, possibly from another computer with the same operating system, or replace it with a freshly generated hash). The same procedure is available to anyone with physical access to the disk, which is the main reason to use disk encryption on laptops and on servers whose disks can be removed.
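Editing the second field of the root line by hand works but is easy to get wrong (a stray character locks the account). The script below is an added example, not code from the original page: it performs the copy described above on a shadow file given as a path, writes the result to stdout so the original is never half-written, and refuses to copy from an account whose field is empty or locked. The shadow lines and hash strings it processes are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original page): reset root's password hash in a
# shadow file taken from an unbootable system's disk by copying the hash of
# another, known account, as the text describes. Output goes to stdout.

# Usage: copy_shadow_hash SHADOWFILE FROM_USER TO_USER
# Shadow lines are name:hash:lastchange:min:max:warn:inactive:expire:reserved;
# an empty field, "!" or "*" means there is no usable password to copy.
copy_shadow_hash() {
    shadow=$1; from=$2; to=$3
    hash=$(awk -F: -v u="$from" '$1 == u { print $2; exit }' "$shadow")
    case "$hash" in
        ''|'!'*|'*'*) echo "no usable password hash for $from" >&2; return 1 ;;
    esac
    awk -F: -v u="$to" -v h="$hash" 'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' "$shadow"
}

# Demonstration on a constructed shadow file (the hashes are placeholders):
# root's hash is lost, alice's is known, daemon is locked and must be rejected.
demo_shadow_reset() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:$6$lost$PLACEHOLDER_OLD_ROOT_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$alicesalt$PLACEHOLDER_KNOWN_ALICE_HASH:19000:0:99999:7:::
EOF
    copy_shadow_hash "$f" alice root | awk -F: '$1 == "root" { print $2 }'
    rm -f "$f"
}

demo_shadow_reset    # prints alice's hash, now assigned to root
```

On the mounted disk the call is copy_shadow_hash /mnt/etc/shadow alice root > /mnt/etc/shadow.new, followed by checking the result, moving it over /mnt/etc/shadow, and restoring the original ownership and mode (root-owned, not world-readable). Where OpenSSL is available, openssl passwd -6 generates a fresh SHA-512 crypt hash for a new password instead of reusing another account's; either way, change the password again through passwd once the system boots.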
If disk encryption is used and the disk encryption password is known, it may still be possible to mount the disk in another computer (by supplying the password using suitable tools, such as
If the disk encryption key has been lost, it may be impossible to recover the system. The best option in that case is probably to reinstall the operating system and restore its data from a backup.
Rooting can also refer to escaping the privileges normally permitted for applications running on restricted devices, such as iPhones, iPads, Android phones, and tablets. The basic idea is to give you root access on your phone, so that you can install arbitrary applications, change the device's configuration, or install your own operating system.
Note that rooting your device is not supported by the manufacturer, usually exploits undocumented vulnerabilities in the operating systems, and there is no guarantee about the quality of the rooting tools or motivations of the people behind them. USE THEM AT YOUR OWN RISK! They may void your warranty, render your device inoperable, or put your data at risk.
Vendors often patch security vulnerabilities that the rooting tools exploit. Thus, the tools are very version specific. When a new version of the device or its operating system comes out, old tools may stop working. Consequently, the state of the art changes rapidly, and old articles about rooting may be out of date.
Each rooting toolkit is different. Some rooting systems require the phone to be connected to a computer; others are applications run on the device. Some may even operate wirelessly, exploiting vulnerabilities on phones. However, the vulnerabilities needed by the last method can also be used to plant malware, and such vulnerabilities are patched by manufacturers as quickly as possible.
There is also a Wikipedia article on rooting that explains what it is about.
Rooting may also help free up storage space on the device. See Top Six Ways to Free Up Storage Space of Android Device.
Malware may also use the same techniques as rooting software. See 10 million Android phones infected by all-powerful auto-rooting apps.
While rooting is legal in most countries, it could be illegal in others. The US Digital Millennium Copyright Act (DMCA) apparently has an exemption allowing it. The European Copyright Directive apparently allows rooting for the purpose of installing alternative software. You should seek your own legal counsel if legality is an issue in your country.
In the Apple world, rooting the iOS operating system on iPhones, iPads, and other devices is usually called jailbreaking.
A few manufacturers, such as LG, HTC, and Motorola, have published official rooting instructions for some of their models. Google Nexus phones have a documented bootloader unlocking process using the fastboot oem unlock command, which wipes the user data on the device as part of unlocking.