Becoming Superuser (root) or Assuming a Role
Most administration tasks, such as adding users, file systems, or printers, require that
you first log in as root (UID=0) or assume a role if you
are using RBAC. The root account, also known as the superuser account, is
used to make system changes and can override user file protection in emergency
situations.
The superuser account and roles should be used only to perform administrative tasks
to prevent indiscriminate changes to the system. The security problem associated with the
superuser account is that a user has complete access to the system even
when performing minor tasks.
In a non-RBAC environment, you can either log in to the system
as superuser or use the su command to change to the superuser account. If
RBAC is implemented, you can assume roles through the console or use
su and specify a role.
When you use the console to perform administration tasks, you can do one
of the following:
A major benefit of RBAC is that roles can be created to
give limited access to specific functions only. If you are using RBAC, you
can run restricted applications by assuming a role rather than by becoming superuser.
For step-by-step instructions on creating the Primary Administrator role, see How to Create the First Role (Primary Administrator). For an
overview on using RBAC, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
How to Become Superuser (root) or Assume a Role
Become superuser or assume a role by using one of the following
methods. Each method requires that you know either the superuser password or the
role password.
- Become superuser. Select one of the following methods to become superuser:
  - Log in as a user, start the Solaris Management Console, select a Solaris
    management tool, and then log in as root.
    This method enables you to perform any management task from the console.
    For information on starting the Solaris Management Console, see How to Start the Solaris Management Console in a Name Service Environment.
  - Log in as superuser on the system console.
      hostname console: root
      Password: root-password
      #
    The pound sign (#) is the Bourne shell prompt for the superuser account.
    This method provides complete access to all system commands and tools.
  - Log in as a user, and then change to the superuser account
    by using the su command at the command line.
      % su
      Password: root-password
      #
    This method provides complete access to all system commands and tools.
  - Log in remotely as superuser.
    This method is not enabled by default. You must modify the /etc/default/login file to
    remotely log in as superuser on the system console. For information on modifying
    this file, see Chapter 3, Controlling Access to Systems (Tasks), in System Administration Guide: Security Services.
    This method provides complete access to all system commands and tools.
- Assume a role. Select one of the following methods to assume a role:
  - Log in as a user, and then change to a role by using
    the su command at the command line.
      % su role
      Password: role-password
      $
    This method provides access to all the commands and tools that the
    role has access to.
  - Log in as a user, start the Solaris Management Console, select a Solaris
    management tool, and then assume a role.
    For information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role.
    This method provides access to the Solaris management tools that the role has
    access to.
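
Remote superuser login, described in the list above, is controlled by the CONSOLE entry in /etc/default/login. The shell function below is an added example, not part of the original Solaris documentation, that reports whether that entry still restricts direct root logins to a console device. The function name, its output strings, and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the Solaris documentation.
# An active CONSOLE=<device> line in /etc/default/login limits direct root
# logins to that device. With the line commented out or absent, root can
# also log in remotely through login(1).

# root_login_scope [FILE]
#   prints "restricted:<device>", "remote-allowed" or "unreadable"
#   returns 0 if restricted, 1 if remote root login is enabled, 2 on error
root_login_scope() {
    file=${1:-/etc/default/login}
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    # Commented-out entries such as "#CONSOLE=/dev/console" do not match.
    # Reporting the first active entry is an assumption of this example.
    line=$(grep '^[[:space:]]*CONSOLE=' "$file" | head -n 1)
    if [ -n "$line" ]; then
        # Drop "CONSOLE=" and any trailing blanks or comment.
        device=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/[[:space:]#].*$//')
        echo "restricted:$device"
        return 0
    fi
    echo "remote-allowed"
    return 1
}

# Constructed sample files (not real system files) showing both outcomes.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'CONSOLE=/dev/console' 'PASSREQ=YES' \
    > "$demo_dir/default"
printf '%s\n' '# constructed sample' '#CONSOLE=/dev/console' 'PASSREQ=YES' \
    > "$demo_dir/modified"
for f in default modified; do
    printf '%s: %s\n' "$f" "$(root_login_scope "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run with no argument on a Solaris host to check the live /etc/default/login file; the return code makes the function usable in a periodic configuration audit.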