Editing Root (section)

= Root Account Management =
{{Anchor|Root_Account}}

== Default Setting ==

* '''Root account locked:''' For [[#Rationale|security reasons]], the <code>root</code> account has been configured into the state of "locked" for [[login]] by default in {{project_name_short}}. <ref>
Since version <code>15.0.0.3.6</code> and above.
</ref>
* '''Definition complexity:''' The definition and repercussions of a "locked" Linux user account, however, are complicated for all Linux distributions. For technical details on what this means exactly, advanced users can refer to the wiki chapter [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]] and [[User#Meanings_of_Special_Characters_in_the_Password_Field_of_.2Fetc.2Fshadow_File|Meanings of Special Characters in the Password Field of /etc/shadow File]].
* '''No root usage needed:''' Most users should not need to use the <code>root</code> account.

== Avoid Root Login ==

Should the user log in as <code>root</code>? No. See footnote for rationale. <ref>
{{anchor_link|avoid_root_login_details}}
Why not log in as root? This is due to historical and legacy reasons.

Even during the era of X11, <code>root</code> login was discouraged.

For strong user isolation, logging into the <code>root</code> account should be avoided.

In an ideal world, the extra <code>sysmaint</code> user would be unnecessary, and users could simply rely on the <code>root</code> account. Or better yet, all references to <code>root</code> would be removed and replaced with <code>sysmaint</code>. However, educating and convincing many upstream projects to adopt this approach for the purpose of [[Dev/Strong Linux User Account Isolation]] is unrealistic due to organizational constraints, which are elaborated on in the [[Linux User Experience versus Commercial Operating Systems]] page.
</ref>

{{sdebian
|link=https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#idm1382
|text=Using su
}}

== Enable Root Account ==

If the user wants to enable the <code>root</code> account, run the following commands.

{{IconSet|h2|1}} Platform-specific notice.

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]: No special notice.
* [[Qubes|{{q_project_name_short}}]]: Inside <code>{{project name workstation template}}</code> Template.

{{IconSet|h2|2}} Choose <code>sudo</code> availability.

{{Tab
|type=controller
|content=
{{Tab
|title= === sudo available ===
|type=section
|content=
If you can use <code>sudo</code>, follow the instructions below.
}}
{{Tab
|title= === sudo unavailable ===
|content=
If you cannot use <code>sudo</code>:

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]: Boot into [[Recovery#Recovery_Mode|recovery mode]].
* [[Qubes|{{q_project_name_short}}]]: Open a [[#qubes_root_console|Qubes Root Console]].
}}
}}

{{IconSet|h2|3}} Set a root password.

Follow the instructions in [[Post_Install_Advice#Change_Password|Change Password]]. Note: These instructions apply to the <code>user</code> account. Replace <code>user</code> with <code>root</code>. <ref>
Unexpire the root account.

{{CodeSelect|code=
sudo chage --expiredate -1 root
}}
</ref>

{{IconSet|h2|4}} Done.

The <code>root</code> account has been unlocked.

== Disable Root Account ==
{{Anchor|unlock}}

'''Applicability:'''

* '''[[Old Stable and Earlier Releases|Earlier versions]]:''' {{project_name_short}} (versions lower than <code>15.0.0.3.6</code>) came with the root account enabled by default.
* '''[[Distribution_Morphing|Distro-morphing]]:''' Users who installed [[Debian|Kicksecure inside Debian]] using the installation method described in the [[Debian#User_Account_Information|User Account Information]] section.

Most users should disable the <code>root</code> account by running the following commands.

{{IconSet|h2|1}} Platform-specific notice.

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]: No special notice.
* [[Qubes|{{q_project_name_short}}]]: Inside <code>{{project name workstation template}}</code> Template.

{{IconSet|h2|2}} Lock the <code>root</code> account.

{{CodeSelect|code=
sudo passwd --lock root
}}

<ref>
The <code>root</code> account is no longer expired, as this previously broke the <code>adduser</code> command. See: https://forums.whonix.org/t/restrict-root-access/7658/59

{{CodeSelect|code=
sudo chage --expiredate 0 root
}}

To prevent SSH login, see [[SSH#SSH_Login_Comparison_Table|SSH Login Comparison Table]].
</ref>

{{IconSet|h2|3}} Done.

The <code>root</code> account has been locked.

In the future, [[#General Security Advice|use <code>sudo</code> instead]] when necessary.
Description	What you type	What you get
Italic	''Italic text''	Italic text
Bold	'''Bold text'''	Bold text
Bold & italic	'''''Bold & italic text'''''	*Bold & italic text*
Description	What you type	What you get
Reference	Page text.<ref>[https://www.example.org/ Link text], additional text.</ref>	Page text.^[1]
Named reference	Page text.<ref name="test">[https://www.example.org/ Link text]</ref>	Page text.^[2]
Additional use of the same reference	Page text.<ref name="test" />	Page text.^[2]
Display references	<references />	↑ Link text, additional text. ↑ Link text