In addition to regular users, UNIX comes with a number of special users that exist for administrative and accounting purposes. We've already mentioned some of these users. The most important of them is root , the superuser.
Every UNIX system comes with a special user in the /etc/passwd file with a UID of 0. This user is known as the superuser and is normally given the username root . The password for the root account is usually called simply the " root password."
The root account is the identity used by the operating system itself to accomplish its basic functions, such as logging users in and out of the system, recording accounting information, and managing input/output devices. For this reason, the superuser exerts nearly complete control over the operating system: nearly all security restrictions are bypassed for any program that is run by the root user, and most of the checks and warnings are turned off.
As we noted in the section Section 4.1, "Users and Groups " Although every UNIX user has a username of up to eight characters long, inside the computer UNIX represents each user by a single number: the user identifier (UID). Usually, the UNIX system administrator gives every user on the computer a different UID. UNIX also uses special usernames for a variety of system functions. As with usernames associated with human users, system usernames usually have their own UIDs as well. Here are some common "users" on various versions of UNIX:">" earlier in this chapter, any account which has a UID of 0 has superuser privileges. The username root is merely a convention. Thus, in the following sample /etc/passwd file, both root and beth can execute commands without any security checks:
root:zPDeHbougaPpA:0:1:Operator:/:/bin/ksh beth:58FJ32JK.fj3j:0:101:Beth Cousineau:/u/beth:/bin/csh rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
You should immediately be suspicious of accounts on your system which have a UID of 0 that you did not install; accounts such as these are frequently added by people who break into computers so that they will have a simple way of obtaining superuser access in the future.
The root account is not an account designed for the personal use of the system administrator. Because all security checks are turned off for the superuser, a typing error could easily trash the entire system.
The UNIX system administrator will frequently have to become the superuser to perform various system administration tasks. This change in status can be completed using the su command (discussed later in this chapter) to spawn a privileged shell. Extreme caution must be exercised when operating with superuser capabilities. When the need for superuser access has ended, the system administrator should exit from the privileged shell.
Any process that has an effective UID of 0 (see "Real and Effective User IDs" later in this chapter) runs as the superuser - that is, any process with a UID of 0 runs without security checks and is allowed to do almost anything. Normal security checks and constraints are ignored for the superuser, although most systems do audit and log some of the superuser's actions.
Some of the things that the superuser can do include:
The superuser is the main security weakness in the UNIX operating system. Because the superuser can do anything, after a person gains superuser privileges - for example, by learning the root password and logging in as root - that person can do virtually anything to the system. This explains why most attackers who break into UNIX systems try to become superusers.
Most UNIX security holes that have been discovered are of the kind that allow regular users to obtain superuser privileges. Thus, most UNIX security holes result in a catastrophic bypass of the operating system's security mechanisms. After a flaw is discovered and exploited, the entire computer is compromised.
There are a number of techniques for minimizing the impact of such system compromises, including:
There are many other defenses, too, and we'll continue to present them throughout this book.
Other operating systems - including Multics - obviate the superuser flaw by compartmentalizing the many system privileges which UNIX bestows on the root user. Indeed, attempts to design a "secure" UNIX (one that meets U.S. Government definitions of highly trusted systems) have adopted this same strategy of dividing superuser privileges into many different categories.
Unfortunately, attempts at compartmentalization often fail. For example, Digital's VAX/VMS operating system divides system privileges into many different classifications. But many of these privileges can be used by a persistent person to establish the others: an attacker who achieves "physical I/O access" can modify the operating system's database to grant himself any other privilege that he desires. Thus, instead of a single catastrophic failure in security, we have a cascading series of smaller failures leading to the same end result. For compartmentalization to be successful, it must be carefully thought out.
To minimize the danger of superuser penetration, many UNIX systems use other special user accounts to execute system functions that require special privileges - for example, to access certain files or directories - but that do not require superuser privileges. These special users are associated with particular system functions, rather than individual users.
One very common special user is the uucp user, which is used by the UUCP system for transferring files and electronic mail between UNIX computers connected by telephone. When one computer dials another computer, it must first log in: instead of logging in as root , the remote computer logs in as uucp . Electronic mail that's awaiting transmission to the remote machine is stored in directories that are readable only by the uucp user so that other users on the computer can't access each other's personal mail. (See Chapter 15 .)
Other common special users include daemon , which is often used for network utilities, bin and sys , which are used for system files, and lp , which is used for the line printer system.
From the point of view of system security, /etc/passwd is one of the UNIX operating system's most important files. (Another very important file is /dev/kmem , which, if left unprotected, can be used to read or write any address in the kernel's memory.) If you can alter the contents of /etc/passwd , you can change the password of any user or make yourself the superuser by changing your UID to 0.
The /etc/group file is also very important. If you can change the /etc/group file, you can add yourself to any group that you wish. Often, by adding yourself to the correct group, you can eventually gain access to the /etc/passwd file, and thus achieve all superuser privileges.