/root question(s)

Post by IanM2 »

From reading, I understand that /root is the admin users account. A couple things I don't understand is, what all is in there? That and why does Timeshift rsync exclude it by default, whereas Btrfs includes it? If it was included in the rsync snapshot, what are the consequences?

Post by linux-rox »

Root means three different (albeit related) things: the root of the file system (/), the root user, and the root directory (or folder). So, /root is effectively the home folder of root-the-user. As the root account isn't active in Ubuntu/Mint, there's no reason to worry about backing up that folder. Which, in turn, is why Timeshift excludes it by default. To see for yourself, open File Manager, right-click, Open as Root, and look in the folder.

Post by IanM2 »

Thanks. When I look in /root and enable hidden there are quite a lot of folders and files. See screen capture.
Root.jpg

Post by linux-rox »

That's not much. I don't add /root to Timeshift. Simple rule. Follow defaults unless you have a good reason for doing otherwise.

You, of course, are free to do what you like.

Post by IanM2 »

Surely there are more members that can provide some guidance on this?

Post by linux-rox »

Good luck second guessing all the design decisions made by developers. There are thousands of them.

Post by Flemur »

IanM2 wrote: Sat Aug 01, 2020 3:18 pm
Surely there are more members that can provide some guidance on this?

There's not much in /root because you don't normally log in to a "graphics environment" as root, so there aren't a bunch of settings for the desktop; rather you log in as a regular user then possibly use the root account - which by default isn't even activated - to install software and such. My Mint20 root folder doesn't have much in it except synaptic log files and login settings (I activated the root account by giving it a password), .bashrc and .profile.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?

Post by IanM2 »

(I activated the root account by giving it a password), .bashrc and .profile
Could you elaborate a bit on what activating it does (benefits, reason for doing it) and how do you activate it? I don't understand .bashrc and .profile
Thanks.

Post by Flemur »

IanM2 wrote: Sat Aug 01, 2020 7:13 pm
(I activated the root account by giving it a password), .bashrc and .profile
Could you elaborate a bit on what activating it does (benefits, reason for doing it) and how do you activate it? I don't understand .bashrc and .profile
Thanks.

You generally don't need the root account and probably shouldn't use it unless you have a good reason, which is why it's not there by default. I mess with the OS in unauthorized ways and here's an example of why root is better than sudo (can create a file in e.g. /usr/bin)

Code: Select all

$ pwd
/usr/bin
$ sudo ls > a
bash: a: Permission denied
$ su
Password:  [ROOT password, not the user's password]
# whoami
root
# ls > a
#   [IOW, as root I can create the file '/usr/bin/a' which I couldn't create with sudo]
The other thing is if you're doing a lot of 'sudo' commands, logging-in as root lets you not type 'sudo' all the time. Not a big deal.
Anyway, to activate it:

Code: Select all

sudo passwd root
then enter the root account password you want to use.

The files .profile and .bashrc set a bunch of low-level parameters, like the $PATH, the terminal prompt, aliases for commands, etc.
Try

Code: Select all

more $HOME/.bashrc
more $HOME/.profile
(then hit CR to see more output...)

Also try these two commands -

Code: Select all

alias
env
...many of those settings are set in .bashrc or .profile

Post by rene »

Flemur wrote: Sat Aug 01, 2020 8:15 pm
$ sudo ls > a
bash: a: Permission denied

That is only though since by that command line only ls as such is executed with root privileges, whereas the output redirection > a is still handled by your own shell. That's why you often see e.g. ls | sudo tee /usr/bin/a or sudo bash -c "ls > /usr/bin/a" type of advice on this forum.

Moreover, sudo -i opens a root shell, so that also works without the root account active for login. I feel the best answer as to "why" is convenient login access as root on a text console, the Ctrl-Alt-F1/F6 consoles. Allows for example for easy fix if e.g. having typo-ed /etc/sudoers causes you not to have sudo access any more, or for things such as moving your actual user's home directory around, or...

Post by IanM2 »

Thanks Flemur
I live alone in an isolated location. I disabled most of the requirements for passwords with

Code: Select all

sudo visudo
to

Code: Select all

ALL=(ALL:ALL) NOPASSWD: ALL
I have also set some menu launchers like Timeshift to open without needing the password. The launcher command is

Code: Select all

sudo -i pkexec timeshift-gtk
So I suppose I have been unaware I was changing my root account. I'll look into those commands you left. Again thanks, appreciate the response and welcome anything else you might want to add.

Post by IanM2 »

Allows for example for easy fix if e.g. having typo-ed /etc/sudoers causes you not have sudo access any more, or for things such as moving your actual user's home directory around, or...
Thanks rene
I'm in over my head LOL
This is like being in Algebra 1 and trying to understand trigonometry. I do see why it's excluded in Timeshift by default. You'd only enable it there for good reason. Although Btrfs snapshots include it - I think.

Post by Moem »

IanM2 wrote: Sat Aug 01, 2020 8:47 pm
I live alone in an isolated location.

It's a good thing you don't use the internet, then. :wink:
Seriously: if your computer is connected to the net, it's not isolated at all.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Post by Flemur »

IanM2 wrote: Sat Aug 01, 2020 8:47 pm
I live alone in an isolated location. I disabled most of the requirements for passwords with

As per Moem, you might not want to do that! If you don't like typing, just make the password short.

Also read rene's response to "why a root account".

Post by rene »

IanM2 wrote: Sat Aug 01, 2020 11:50 pm
I do see why it's excluded in Timeshift by default. You'd only enable it there for good reason. Although Btrfs snapshots include it - I think.

As far as I'm concerned it's excluded by default in Timeshift simply because home directories are excluded by default in Timeshift, and /root is nothing other than the home directory of user "root". Which wouldn't by the way be to say I use Timeshift or btrfs so no idea about that part; first sentence of this paragraph to me sounds complete enough to stop thinking and continue picking my nose...

I by the way didn't comment on the somewhat interesting chaining of sudo and pkexec but note that you may want to arrange for that more directly. I see that Timeshift is requesting authorization for the in.teejeetech.pkexec.timeshift-gtk action (click open "details" on the authorization dialogue at its startup to see such) which you can provide more direct password-less access by locally logged in administrator users to by creating a file e.g.

/etc/polkit-1/localauthority/50-local.d/in.teejeetech.pkexec.timeshift-gtk

Code: Select all

[in.teejeetech.pkexec.timeshift-gtk]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=in.teejeetech.pkexec.timeshift-gtk
ResultActive=yes
The thing is that you are currently running all of Timeshift under user root which while it is convenient also means that a bug in it can, generally, have more dire consequences, what with the program having full access to any and all, i.e., including for example for deleting any and all. Although a note in this specific case is that the name of the action sort of implies it being in the end functionally little other than what you are doing now anyway, and the thing even being able to read all that it is supposed to back up implies needing pretty full root permission anyway. But certainly as a general rule finer-grained as per above is better.

Even in fact when you as for example per your /etc/sudoers edit do not insist on finer-grained access purely permission-wise: it's just a matter of not surprising potentially buggy software with being able to wreak havoc. Purely permission-wise you can also go less fine-grained and put the below "polkit equivalent" to your /etc/sudoers edit in place instead of the above Timeshift-specific one:

/etc/polkit-1/localauthority/50-local.d/admin.pkla

Code: Select all

[admin]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=*
ResultActive=yes
which has anything that uses polkit, and for anything, shut up about passwords, again for locally logged in administrator users. Do of course note that when you do anything quite as specifically geared towards "lessening security" as that you will not be allowed to come complain to anyone when it backfires --- but on a definitively single-user desktop without potentially buggy/compromisable servers running it's in essence fine.

Post by IanM2 »

rene
Thanks
Maybe I should take the NOPASSWD out of sudo visudo edit. I've done it since 17.x with no security issues that I'm aware of. I do enable the firewall. I tried the

Code: Select all

[admin]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=*
ResultActive=yes
and it works okay for those items. I just have a thing about passwords all the time. How about this in sudo visudo edit instead:
Get rid of NOPASSWD: in the 3 default categories as such:

Code: Select all

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
Then at the end I do this instead:

Code: Select all

ian     ALL=(ALL) NOPASSWD:ALL
Would this be more secure?

Post by rene »

IanM2 wrote: Sun Aug 02, 2020 3:17 pm
Would this be more secure?

Slightly, but note that I wouldn't feel it overly necessary normally. What I tend to with the suitable warnings attached advise is, restore /etc/sudoers itself to pristine, and create a file

/etc/sudoers.d/admin consisting of

Code: Select all

%sudo	ALL=(ALL) NOPASSWD:ALL
%admin	ALL=(ALL) NOPASSWD:ALL
followed by sudo chmod 440 /etc/sudoers.d/admin.

This gives neither ALL as before nor just user ian password-less sudo access but, as the admin.pkla file does as well, any administrator user. Note: UNIX-group admin is not in fact in use any more on Ubuntu/Mint but present in there just so as to synchronize usage with the polkit definition of "administrator" which does on Ubuntu/Mint OOTB still include members of said group; you may leave it out if you care, and also from the admin.pkla file, but I do not as a matter of consistency. Using group sudo rather than user ian is probably not a practical difference vs. your own suggestion what with you probably having no other administrator users set up in the first place, but again, consistency.

The reason to have it as a separate file in /etc/sudoers.d/ is that simply looking in that directory then reminds you of what you did in this context as well as it allowing for convenient disable/enable by renaming it to e.g. /etc/sudoers.d/admin.disabled and back again rather than having to edit the main /etc/sudoers file. Again same is true for the /etc/polkit-1/localauthority/50-local.d/admin.pkla file.

Note by the way that "the firewall" tends to do not one useful thing on a standard setup with you behind a modem and/or NAT-router. If you don't have an actual LAN in any sense, i.e., no multiple systems that you want to be able to reach from one another, it also doesn't matter much, but if you do all it tends to do on Linux is interfere with legitimate LAN-traffic.

Post by IanM2 »

Again thanks rene
I like your idea of creating the file /etc/sudoers.d/admin.
Before I do this I ask is it a security issue while I'm online? I use a router, no other users, no local network, no software (other than Chrome) that's not from the Software Manager and very little of that. Just gparted, grsync, and a card game, plus an extra text editor. I do sync my Chrome so my bookmarks and extensions are saved. No one ever has physical access to my machine.
edit:
I did the sudo visudo edit and removed all 3 NOPASSWD
I made a text file named admin and saved it to the directory /etc/sudoers.d/
Then ran

Code: Select all

sudo chmod 440 /etc/sudoers.d/admin
Now I'm getting this when I try any sudo command:

Code: Select all

sudo: /etc/sudoers.d/admin is owned by uid 1000, should be 0
What did I do wrong?

Post by rene »

IanM2 wrote: Sun Aug 02, 2020 4:34 pm
Before I do this I ask is it a security issue while I'm online?

Not realistically no, and certainly not as compared to your own ALL rule which you have been using, as it's only less encompassing. What the suggested "admin" sudoers and polkit files do is provide "administrator users", i.e. members of UNIX-group sudo, who are logged in on your machine (and in the polkit case specifically locally logged in on your machine rather than over e.g. SSH) with password-less access to sudo and to via polkit authenticating tools, i.e., most current GUI-tools that need authentication in the first place.

As alluded to in that polkit case you may not want to provide that access also to users when logged in over the network but if you're not even running e.g. openssh-server in the first place the only way in which said "login" would happen is via some extremely serious and exceedingly unlikely bug in e.g. your browser if you're not running all sorts of potentially buggy servers.

For the paranoid typing your password over and over again while sitting alone behind a single-user desktop and while not being of specific interest to hackers in the first place may be worth it. Largely like outfitting themselves with aluminium headgear may be. But what that password in fact defends against is someone physically passing by your system and compromising it, either maliciously or through e.g. inexperience (children, say). If that's definitively not an issue for you, it's not an issue for you.

[EDIT] You created the file as your user rather than as root: sudo chown root: /etc/sudoers.d/admin
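
The ownership error above and the earlier rename-to-admin.disabled tip both come down to how sudo treats files in /etc/sudoers.d. As an added example (not part of any post in this thread), here is a shell function that checks a drop-in for those conditions and lists who it grants NOPASSWD; the name check_dropin and its optional second argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit a sudoers drop-in file.
# Usage: check_dropin FILE [REQUIRED_UID]
# REQUIRED_UID defaults to 0 (root); the override is an assumption of this
# example so the check can be tried on scratch files without being root.
# Prints findings; returns 0 when nothing blocks the file, non-zero otherwise.
check_dropin() {
    local file="$1" want_uid="${2:-0}" problems=0 name uid mode
    name=$(basename -- "$file")

    # sudo skips names in sudoers.d that end in '~' or contain a '.', which is
    # why renaming the file to admin.disabled switches its rules off.
    case "$name" in
        *"~"|*.*) echo "SKIPPED: sudo ignores '$name'"; return 0 ;;
    esac

    uid=$(stat -c %u -- "$file") || return 1    # GNU stat: numeric owner
    mode=$(stat -c %a -- "$file") || return 1   # GNU stat: octal mode

    if [ "$uid" != "$want_uid" ]; then
        # Same condition as "is owned by uid 1000, should be 0" in the thread.
        echo "OWNER: owned by uid $uid, should be $want_uid"
        problems=$((problems + 1))
    fi
    if [ "$mode" != "440" ]; then
        # 440 is the mode set by the chmod command in the thread.
        echo "MODE: is $mode, expected 440"
        problems=$((problems + 1))
    fi

    # List every user or %group that a non-comment line grants NOPASSWD to.
    awk '!/^[ \t]*#/ && /NOPASSWD/ { print "NOPASSWD: " $1 }' "$file"
    return "$problems"
}

# When run as a script with arguments, check the file that was named.
if [ "$#" -gt 0 ]; then check_dropin "$@"; fi
```

Run it with sudo on the real file, since a root-owned file with mode 440 is not readable by ordinary users; visudo -cf FILE additionally checks the syntax before the file is put in place.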

Post by IanM2 »

Thanks rene
Before reading your post I saw my file properties was ian, I changed it to root and it worked. I'll start over and save it as root. Timeshift still needs my password unless I modify the menu launcher to the command:

Code: Select all

sudo pkexec timeshift-gtk
