System Administration Guide: Basic Administration

Becoming Superuser (root) or Assuming a Role

Most administration tasks, such as adding users or managing file systems require that you first log in as root (UID=0) or assume a role, if you are using RBAC. The root account, also known as the superuser account, is used to make system changes and can override user file protection in emergency situations.

The superuser account and roles should be used only to perform administrative tasks to prevent indiscriminate changes to the system. The security problem that is associated with the superuser account is that this user has complete access to the system, even when performing minor tasks.

In a non-RBAC environment, you can either log in to the system as superuser or use the su command to change to the superuser account. If RBAC is implemented, you can assume roles through the console or use su and specify a role.

When you use the console to perform administration tasks, you can do one of the following:

A major benefit of RBAC is that roles can be created to give limited access to specific functions only. If you are using RBAC, you can run restricted applications by assuming a role rather than by becoming superuser.

For step-by-step instructions on creating the Primary Administrator role, see How to Create the First Role (Primary Administrator). For an overview of RBAC, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

ProcedureHow to Become Superuser (root) or Assume a Role

Become superuser or assume a role by using one of the following methods. Each method requires that you know either the superuser password or the role password.

  1. Become superuser by selecting one of the following methods:

    • Log in as a user, then do the following:

      1. Start the Solaris Management Console.

      2. Select a Solaris management tool.

      3. Log in as root.

      This method enables to you perform any management task from the console.

      For information on starting the Solaris Management Console, see How to Start the Solaris Management Console in a Name Service Environment.

    • Log in as superuser on the system console.


      hostname console: root
      Password: root-password
      #

      The pound sign (#) is the shell prompt for the superuser account.

      This method provides complete access to all of the system commands and tools.

    • Log in as a user, then change to the superuser account by using the su command at the command line.


      % su
      Password: root-password
      #

      This method provides complete access to all of the system commands and tools.

    • Log in remotely as superuser.

      This method is not enabled by default. You must modify the /etc/default/login file to remotely log in as superuser on the system console. For information on modifying this file, see Chapter 3, Controlling Access to Systems (Tasks), in System Administration Guide: Security Services.

      This method provides complete access to all system commands and tools.

  2. Assume a role.

    Select one of the following methods:

    • Log in as user, then change to a role by using the su command at the command line.


      % su role
      Password: role-password
      $

      This method provides access to all of the commands and tools that the role has access to.

    • Log in as a user, then do the following:

      1. Start the Solaris Management Console.

      2. Select a Solaris management tool.

      3. Assume a role.

      For information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role.

      This method provides access to all of the Solaris management tools that the role has access to.