1. Overview and Role of the Root Account in Ubuntu
In Ubuntu, the “root account” is a special account with the highest level of system privileges, allowing system administration tasks such as modifying settings and managing the file system. However, by default, direct root login is disabled in Ubuntu, and instead, administrative privileges are granted temporarily using the sudo command.
Why the Root Account is Disabled by Default
Ubuntu disables the root account by default to minimize the risks of accidental operations and security threats. By using the sudo command, users can gain temporary administrative access to perform necessary tasks. This approach reduces the chances of system-wide errors and enhances security.
2. How to Enable the Root Account
In certain administrative scenarios, direct access to the root account may be necessary. You can enable it using the steps below, but keep in mind that this increases security risks and should be done with caution.
Steps to Enable the Root Account
- Set a Password
Open the terminal and set a password for the root account using the following command:
sudo passwd root
- You will be prompted to enter a password for the root account. Once set, root login will be enabled.
- Allow GUI Login (If Necessary)
To enable GUI login for the root user, modify the /etc/gdm3/custom.conf file as follows:
[security]
AllowRoot=true
- This modification is recommended only if you need to perform administrative tasks in a desktop environment. In general, using the command-line interface (CLI) is preferred.
- Precautions After Enabling Root
Once the root account is enabled, the risks of system-wide errors due to accidental operations and unauthorized access increase. It is recommended to use sudo for routine administrative tasks instead.
3. How to Disable Root Login
Disabling the root account helps reduce the risk of unauthorized access to the system. Follow these steps to disable root login.
Steps to Disable the Root Account
- Lock the Root Account
Run the following command in the terminal to disable the root account:
sudo passwd -l root
- This command locks the root account, preventing login as root.
- Benefits of Disabling Root
- Disabling the root account significantly reduces the risk of unauthorized access and system-wide damage due to accidental operations. In most cases, system administration tasks can be performed using the sudo command, eliminating the need for direct root login.
4. Root Account Security Risks and Countermeasures
While enabling the root account may provide convenience, it also increases security risks. Below, we explain specific risks and recommended countermeasures.
Common Security Risks
- Password Theft: If a weak password is used, the root account can be exploited by attackers.
- Remote Login Attacks: If the root account is enabled, it becomes a common target for remote attacks.
Security Measures
- Use a Strong Password
Set a complex password that includes uppercase letters, lowercase letters, numbers, and special characters. Regularly update the password for enhanced security.
- Restrict SSH Access
To prevent root login via SSH, modify the /etc/ssh/sshd_config file and add the following setting:
PermitRootLogin no
- After making this change, restart the SSH service. This setting blocks remote root logins and reduces unauthorized access risks.
- Monitor System Logs
Regularly check the auth.log file (usually located at /var/log/auth.log) to track root account usage. If you detect unusual access, change the password immediately to prevent unauthorized access.
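A check for the Restrict SSH Access step above, added here as an example and not taken from the original article: sshd keeps the first value it reads for each keyword, so where PermitRootLogin no sits in the file decides whether it takes effect. The function names and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value does sshd actually use?
# sshd keeps the FIRST value it reads for a keyword, so appending
# "PermitRootLogin no" below an earlier "yes" changes nothing.

# effective_root_login FILE -> first global PermitRootLogin value in FILE,
# or "unset" when none appears before the first Match block.
# Assumption: Include directives are not followed by this parser.
effective_root_login() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }     # strip comments, allow key=value
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_ssh_blocked FILE -> exit status 0 only when the effective value is "no".
root_ssh_blocked() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample: the hardening line was appended after an older "yes".
appended=$(mktemp)
trap 'rm -f "$appended"' EXIT
cat > "$appended" <<'EOF'
# constructed sample sshd_config
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

echo "effective value: $(effective_root_login "$appended")"
if root_ssh_blocked "$appended"; then
    echo "root SSH login is blocked"
else
    echo "root SSH login is NOT blocked: fix or remove the earlier line"
fi
```

On a live host, sudo sshd -T prints the configuration sshd has resolved, included files and all, so its permitrootlogin line is the authoritative answer.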
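One way to carry out the Monitor System Logs step above, added here as an example and not part of the original article. The function names, host name, user and log lines are constructed for illustration; the message formats are the ones sshd and su write to auth.log.

```shell
#!/bin/sh
# Added example: triage root-account activity in an auth.log-style file.

# root_events FILE -> one "<kind> <detail>" line per root-related event.
root_events() {
    awk '
        / sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i < NF; i++) if ($i == "from") print "ssh-fail", $(i + 1)
        }
        / sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
            for (i = 1; i < NF; i++) if ($i == "from") print "ssh-ok", $(i + 1)
        }
        / su(\[[0-9]+\])?: .*session opened for user root[( ]/ {
            who = $NF; sub(/\(.*/, "", who); print "su-root", who
        }
    ' "$1"
}

# count_kind FILE KIND -> number of events of that kind (0 if none).
count_kind() {
    root_events "$1" | awk -v k="$2" '$1 == k { c++ } END { print c + 0 }'
}

# failed_root_sources FILE -> "<count> <ip>" lines, busiest source first.
failed_root_sources() {
    root_events "$1" |
        awk '$1 == "ssh-fail" { n[$2]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample log lines (documentation IP ranges, made-up host and user).
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Mar  4 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  4 10:15:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  4 10:15:40 web01 sshd[2230]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  4 10:16:02 web01 sshd[2241]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Mar  4 10:17:12 web01 sshd[2250]: Accepted password for root from 203.0.113.7 port 40188 ssh2
Mar  4 10:20:11 web01 su: pam_unix(su:session): session opened for user root(uid=0) by alice(uid=1000)
EOF

echo "failed root SSH logins by source:"; failed_root_sources "$sample_log"
echo "successful root SSH logins: $(count_kind "$sample_log" ssh-ok)"
echo "su sessions to root:        $(count_kind "$sample_log" su-root)"
```

An ssh-ok event for root that follows failures from the same address is the kind of unusual access the step above says to act on.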
5. Using pkexec for GUI Applications
When root privileges are required for GUI applications, using pkexec instead of gksudo ensures a safer and more stable execution. pkexec minimizes the impact on environment variables and file ownership while running applications with root privileges.
Example Usage of pkexec
Use the following command to open a text editor with root privileges:
pkexec gedit /etc/fstab
- This method helps prevent unintended modifications to configuration files within the user’s home directory.
6. Troubleshooting Root Account Issues
If you encounter issues related to the root account, the following steps may help resolve them.
How to Reset the Root Password
- Resetting in Single-User Mode
- If you forget the root password, you can reboot into single-user mode and reset it using the passwd command.
passwd root
Fixing sudoers File Issues
- Using the visudo Command
If there is an error in the sudo configuration, use the visudo command to edit the /etc/sudoers file. visudo ensures safe editing by preventing syntax errors.
sudo visudo
7. Frequently Asked Questions (FAQ)
- Q1: What are the disadvantages of enabling the root account?
A: Since the root account has full system control, accidental operations can affect the entire system, and security risks increase due to unauthorized access. It is recommended to use sudo for routine administrative tasks and enable the root account only when absolutely necessary.
- Q2: What happens when the root account is disabled?
A: Direct login as root will no longer be possible, but you can still gain administrative privileges using the sudo command. Disabling the root account enhances security and reduces the risk of unauthorized access.
- Q3: What is the difference between pkexec and sudo?
A: pkexec is recommended for GUI applications requiring root privileges, as it does not alter file ownership. sudo is primarily used for command-line operations, so for GUI applications, it is best to use pkexec.