System Administration Guide: Security Services

ProcedureHow to Make root User Into a Role

This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.

By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.

In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8.

Before You Begin

You cannot perform this procedure when you are directly logged in as root. You must log in as yourself, then su to root.

  1. As a regular user, log in to the target system.

  2. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  3. Create a local user who can assume the root role.

    For safety, at least one local user should be assigned the root role.

    $ useradd -c comment -u uid -d homedir username
    -c comment

    Is the comment that describes the user.

    -d homedir

    Is the home directory of the user. This directory should be on the local system.

    -u uid

    Is the user identification number.


    Is the name of the new local user.

    # useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local
  4. Give the user a password.

    # passwd -r files jdoe-local
    New Password:    <Type password>
    Re-enter new Password: <Retype password>
    passwd: password successfully changed for jdoe-local
  5. Make sure that you are not logged in as root.

    # who
    jdoe    console      May 24 13:51    (:0)
    jdoe    pts/5        May 24 13:51    (:0.0)
    jdoe    pts/4        May 24 13:51    (:0.0)
    jdoe    pts/10       May 24 13:51    (:0.0)
  6. Change root user into a role.

    # usermod -K type=role root
  7. Verify that root is a role.

    The root entry in the user_attr file should appear similar to the following:

    # grep root /etc/user_attr
  8. Assign the root role to your local account.

    # usermod -R root jdoe-local

    Caution – Caution –

    If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.

  9. Configure the name service to return in case of failure.

    1. Open a new terminal window and assume the root role.

      % whoami
      % su - jdoe-local
      Enter password:   <Type jdoe-local password>
      % roles
      % su - root
      Enter password:   <Type root password>
    2. Edit the nsswitch.conf file.

      For example, the following entries in the nsswitch.conf file would enable the name service to return.

      passwd:  files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
      group:  files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
  10. (Optional) Assign the root role to selected user accounts in the name service.

    For the procedure, see How to Change the RBAC Properties of a User.

Example 9–8 Preventing the root Role From Being Used to Configure a System

In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.

First, the administrator verifies that root is not an assigned role.

% whoami
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr

Still in the root account, the administrator changes root into a role.

# usermod -K type=role root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr

Example 9–9 Changing the root Role Back Into the root User

In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.

First, the administrator assumes the root role to remove all root role assignments.

% whoami
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
# usermod -R "" jdoe-local
# usermod -R "" kdoe-local
# grep roles /etc/user_attr

Still in the root role, the administrator changes root into a user.

# rolemod -K type=normal root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr


In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.

No one can become superuser if you change the root user into a role and fail to make one of the following assignments: