In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. On Linux, the user group administrator (adm) consists of non-root users who are allowed root privileges via the command sudo, and so is not the same as root in this instance.
The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of unrestricted, potentially adverse, system-wide changes.
In some cases, the actual name of the account is not the determining factor: on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role-based security model, any user with the role of superuser (or its synonyms) can carry out all actions of the superuser account.
Unix and Unix-like
In Unix-like computer OSes, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. BSD often provides a toor ("root" written backward) account in addition to a root account. Regardless of the name, the superuser always has a user ID of 0. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024.
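Because the superuser is defined by UID 0 rather than by name, an account audit has to read the UID field and ignore the login name. The following is an added example, not part of the original article: it scans passwd(5)-format text for every UID 0 entry. The sample data and the function name `find_uid0_accounts` are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed passwd(5) sample: name:password:UID:GID:gecos:home:shell */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "toor:x:0:0:Bourne-again Superuser:/root:\n"
    "admin:x:1000:1000:Admin:/home/admin:/bin/sh\n";

/* Copy the names of all accounts whose UID field is numerically 0 into
 * out[] (at most max_out entries) and return how many were stored. */
int find_uid0_accounts(const char *text, char out[][33], int max_out)
{
    int found = 0;
    for (const char *line = text; *line != '\0'; ) {
        size_t len = strcspn(line, "\n");
        const char *c1 = memchr(line, ':', len);            /* end of name */
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - line))
                            : NULL;                         /* end of password */
        /* The UID field must start with a digit; this rejects empty and
         * signed fields, and stops strtoul() from skipping onto the next line. */
        if (c2 != NULL && isdigit((unsigned char)c2[1])) {
            char *end;
            unsigned long uid = strtoul(c2 + 1, &end, 10);
            if (*end == ':' && uid == 0 && found < max_out) {
                size_t n = (size_t)(c1 - line);
                if (n > 32) n = 32;                         /* truncate long names */
                memcpy(out[found], line, n);
                out[found][n] = '\0';
                found++;
            }
        }
        line += len;
        if (*line == '\n') line++;
    }
    return found;
}

int main(void)
{
    char names[8][33];
    int n = find_uid0_accounts(SAMPLE_PASSWD, names, 8);
    for (int i = 0; i < n; i++)
        printf("UID 0 account: %s%s\n", names[i],
               strcmp(names[i], "root") == 0 ? "" : "  <- superuser under another name");
    return n > 0 ? 0 : 1;
}
```

In the sample, `admin` is not reported because its UID is 1000, while `toor` is reported because its UID is 0.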
The name root may have originated because root is the only user account with permission to modify the root directory of a Unix system. This directory was originally considered to be root's home directory, but the Linux Filesystem Hierarchy Standard now recommends that root's home be at /root. The first process bootstrapped in a Unix-like system, usually called init, runs with root privileges. It spawns all other processes directly or indirectly, which inherit their parents' privileges. Only a process running as root is allowed to change its user ID to that of another user; once it's done so, there is no way back. Doing so is sometimes called dropping root privileges and is often done as a security measure to limit the damage from possible contamination of the process. Another case is login and other programs that ask users for credentials and in case of successful authentication allow them to run programs with privileges of their accounts.
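A sketch of dropping root privileges as described above, added here as an example and not taken from the original article. It assumes Linux with glibc; the function name `drop_privileges` and the target ID 65534 (commonly "nobody") are assumptions for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to (uid, gid). Returns 0 on success and -1 on
 * failure with errno set. A caller must treat -1 as fatal and exit, because
 * the process may be left partially privileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }  /* not a drop */
    if (geteuid() != 0)       { errno = EPERM;  return -1; }  /* nothing to drop */

    /* Order matters: supplementary groups and the GID must change while the
     * process is still root; after setuid() it no longer has that right. */
    if (setgroups(0, NULL) != 0) return -1;   /* clear inherited groups */
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;   /* as root: real, effective, saved */

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* "No way back": regaining UID 0 must now fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is an assumed unprivileged id; use a dedicated service account. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Checking every return value matters: a `setuid()` call that fails silently leaves the process running as root.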
It is often recommended that no one use root as their normal user account, since simple typographical errors in entering commands can cause major damage to the system. Instead, a normal user account should be used, and then either the su (substitute user) or sudo (substitute user do) command is used. The su approach requires the user to know the root password, while the sudo method requires that the user has been set up with the power to run "as root" within the /etc/sudoers file, typically indirectly by being made a member of the wheel, admin, or sudo group. For a number of reasons, the sudo approach is now generally preferred – for example, it leaves an audit trail of who has used the command and what administrative operations they performed.
Some OSes, such as OS X and some Linux distributions (most notably Ubuntu), automatically give the initial user created the ability to run as root via sudo – but configure this to ask them for their password before doing administrative actions. In some cases the actual root account is disabled by default, so it can't be directly used. In mobile platform-oriented OSes such as Apple iOS and Android, superuser access is inaccessible by design, but generally the security system can be exploited in order to obtain it. In a few systems, such as Plan 9, there is no superuser at all.
In Windows NT and later systems derived from it (such as Windows 2000, Windows XP, Windows Server 2003, and Windows Vista/7/8/10), there must be at least one administrator account (Windows XP and earlier) or one able to elevate privileges to superuser (Windows Vista/7/8/10 via User Account Control). In Windows XP and earlier systems, there is a built-in administrator account that remains hidden when a user administrator-equivalent account exists. This built-in administrator account is created with a blank password. This poses security risks, so the built-in administrator account is disabled by default in Windows Vista and later systems due to the introduction of User Account Control (UAC).
A Windows administrator account is not an exact analogue of the Unix root account – some privileges are assigned to the "Local System account". The purpose of the administrator account is to allow making system-wide changes to the computer (with the exception of privileges limited to Local System).
The built-in administrator account and a user administrator account have the same level of privileges. The default user account created in Windows systems is an administrator account. Unlike OS X, Linux, and Windows Vista/7/8/10 administrator accounts, administrator accounts in Windows systems without UAC do not insulate the system from most of the pitfalls of full root access. One of these pitfalls includes decreased resilience to malware infections.
In Windows Vista/7/8/10 administrator accounts, a prompt will appear to authenticate running a process with elevated privileges. Usually, no user credentials are required to authenticate the UAC prompt in administrator accounts, but authenticating the UAC prompt requires entering the username and password of an administrator in standard user accounts. In Windows XP (and earlier systems) administrator accounts, authentication is not required to run a process with elevated privileges, and this poses another security risk that led to the development of UAC. Users can set a process to run with elevated privileges from standard accounts by setting the process to "run as administrator" or using the "runas" command and authenticating the prompt with credentials (username and password) of an administrator account. Much of the benefit of authenticating from a standard account is negated if the administrator account whose credentials are being used has a blank password (as in the built-in administrator account in Windows XP and earlier systems).
In Windows NT, 2000 and higher, the root user is the Local System built-in service account (SYSTEM). This user account runs all system processes. Currently, only third-party methods exist to run programs as the SYSTEM user.
In OpenVMS, "SYSTEM" is the superuser account for the OS.
Older personal systems
On many older OSes on computers intended for personal and home use, anyone using the system had full privileges. Many such systems, such as MS-DOS, did not have the concept of multiple accounts, and although others such as Windows 95 did allow multiple accounts, this was only so that each could have its own preferences profile – all users still had full administrative control over the machine.
- nobody (username)
- Power user
- Principle of least privilege
- Rooting (Android OS)
- Privilege escalation
- Jailbreaking (iOS)