Doing Away with the Need for the Root Account in Linux

After installing Linux, it is a good idea to stop using the root account for day-to-day work. This is part of making your system as secure as possible. Almost all Linux installations come with a program named sudo, which lets normal users run individual commands with root privileges without knowing the root password, and logs every command they run that way. Please follow the steps below to allow a user to obtain root privileges:

    • Any user or group who should be able to gain root privileges must be listed in /etc/sudoers. The usual practice is to allow members of the group wheel to run all root-privileged commands.
    • /etc/sudoers is edited with visudo, which locks the file and checks its syntax before saving; a syntax error in /etc/sudoers would lock everyone out of sudo. You need to be root to run it.
$visudo
=========== File snippet below =====================
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Allow people in group wheel to run all commands. Uncomment the following line:
%wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

      Leave the NOPASSWD line commented out: with it, any program running as a wheel user could become root without a prompt.
    • Now add the user who should have root privileges to group wheel (as root; replace username with the real login name):
$usermod -a -G wheel username
      Group membership is read at login, so the user must log out and back in before the new group takes effect.
      Now test whether that user can gain root privileges. First log in to the system as the user you want to test:
$wc /etc/sudoers
wc: /etc/sudoers: Permission denied
$sudo wc /etc/sudoers
password: # enter your own account password here, not the root password
28 94 579 /etc/sudoers
      If you can count the words in that file, you can run any command that requires root privileges.

If you log in to your machine remotely over SSH, follow the procedure below to stop root from logging in over SSH:

    • Again, it is good practice to create a group whose members are the only users allowed SSH access.
    • Create a group named sshusers and add the users who need SSH access to it (replace username with the real login name):
$sudo groupadd sshusers
$sudo usermod -a -G sshusers username
      Now open /etc/ssh/sshd_config to disable root login and allow only the group sshusers:
$sudo vi /etc/ssh/sshd_config
=========== File snippet. Only the required portion is shown =====================
#LoginGraceTime 2m
PermitRootLogin no
# Add this line to the file:
AllowGroups sshusers
      Make sure no earlier, uncommented PermitRootLogin line remains above this one: sshd uses the first value it finds for a keyword, so a later "no" does not override an earlier "yes". After saving, check the syntax with sshd -t and reload sshd, keeping your current session open so that a mistake cannot lock you out.

Test it out by trying to log in as root over SSH. You should get a Permission denied message.

Now try to log in as a user who belongs to the sshusers group. You should be able to log in; users outside that group, even members of wheel, will be refused.
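The whole procedure above, as an added shell example that is not code from the original article: functions that apply the two sshd_config directives and write the wheel rule as a sudoers drop-in. The target file is a parameter so the functions can be tried on a copy before touching /etc; the drop-in path /etc/sudoers.d/wheel in the usage notes is an assumption about your system. The awk logic encodes one rule from sshd_config(5): the first uncommented occurrence of a keyword wins, so an existing global setting is replaced in place and a missing one is prepended rather than appended.

```shell
#!/bin/sh
# Added example, not from the original article: apply the article's sshd and
# sudo changes with functions that take the target file as a parameter, so
# they can be exercised on a copy before touching /etc. The drop-in path
# /etc/sudoers.d/wheel in the usage notes is an assumption about your system.

# Print the value sshd will use for a keyword: the first live (uncommented)
# occurrence before any Match block, keyword compared case-insensitively as
# sshd does. Exit status 1 if the keyword is not set. Only the
# "Keyword value" form is handled, not "Keyword=value".
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        tolower($1) == "match"   { exit }          # global section ends here
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # strip the keyword
            print; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Set a global sshd option. The first live occurrence is replaced in place,
# later global duplicates are removed (they are dead config), and if there is
# none the directive is put at the top of the file. Appending at the bottom
# would be wrong: an earlier "PermitRootLogin yes" would still win, and a
# line after a Match block would only apply inside that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        { line[NR] = $0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) {
            if (done) drop[NR] = 1
            else { line[NR] = key " " value; done = 1 }
        }
        END {
            if (!done) print key " " value
            for (i = 1; i <= NR; i++) if (!(i in drop)) print line[i]
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"        # cat, not mv: keeps the file's owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Write the wheel rule as a sudoers drop-in. sudo expects sudoers files to be
# owned by root with mode 0440, hence the explicit chmod; check the result
# with "visudo -cf <file>" before relying on it.
write_wheel_sudoers() {
    printf '%%wheel ALL=(ALL) ALL\n' > "$1" && chmod 0440 "$1"
}

# Usage on a real host, as root, after backing up the files:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   set_sshd_option /etc/ssh/sshd_config AllowGroups sshusers
#   sshd -t && systemctl reload sshd   # syntax check, then reload (the service is "ssh" on Debian/Ubuntu)
#   write_wheel_sudoers /etc/sudoers.d/wheel && visudo -cf /etc/sudoers.d/wheel
# Keep your current session open until a fresh login as an sshusers member works.
```

Run it against a copy of /etc/ssh/sshd_config first and read the result: a stock file usually carries a commented `#PermitRootLogin prohibit-password` line, which the script leaves alone, and may carry Match blocks, whose scoped settings it also leaves alone.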
