Hi,

I try to create a user who has the 100% permissions and roles as the root with following command:

But it seems the user just in the group of root but doesn't have all the rights as the root.

-- Thomas

That's right, it doesn't. "root" is a special account, that can do things no other user can. You can try to make the root2 user's primary group 0, but you will still not be 100% root.

There is no root but root. But you can assume the powers of root by using su or sudo.

Generally speaking, you only want there to be one "root account," and its name should be root. There should be none other.

Now ... ... now for the lecture.

You do not want to be using an "all-powerful user account" for any purpose, for the exact same reason that you should never use such an account in Microsoft Windows.

Digital computers are terrible at knowing when to say "yes," but they are absolutely magnificent at saying, "no," and they never overlook the slightest detail. Therefore, you don't want to put a computer in the position of always saying, "yes, master..." because, say, if you give it the command, "Shoot me in the foot!!" ... heh ... that is precisely what it will do.

Digital computers do not think.

Instead, you want to set things up so that the computer is told: "do not allow me to do anything, except..." And if so, the computer will with equal precision do that. You point the gun at your foot (quite by accident...), and you pull the trigger, and the computer says to you (most politely..) "I'm sorry, sir, but you're dead now, because you just attempted to do something that you did not expressly authorize me in advance to allow you to do." And you look at that harp that has magically appeared in your hand and, lo and behold, you are dead now, but ... your foot is intact.

"Go and do likewise." On Windows, on Linux, on OS/X ... everywhere. Arrange things carefully so that the computer will always say "no!" except in the very specific cases where you want it to say, "yes."

1 members found this post helpful.

One root to rule them all, one root to find them,
one root to bring them all and to the network BIND them.

Sorry, couldn't help myself.

1 members found this post helpful.

Hehe....well done.

Now let us pass through the mines of Redmond...they delved too deeply, and too greedily, and woke a terrible evil.

indeed, also one more thing to add, any program a user runs has the same access privileges as the user that runs it, if such a program (such as a web browser or instant messenger etc...) has an exploit that allows a hacker to take control of the program, would you rather that compromised program have full control of your system or only access to your home directory (which you certainly back up on an at least semi-routine basis, right?)

do the math, would you rather clean up a home directory or the full system

personally from a security standpoint i would have to argue the contention that ubuntu's disabling the root account and give a regular user full sudo privileges is any better then having a root account enabled. especially since with sudo you are only challenged for the user's password and are given a brief period after that where you are authorized to continue using sudo without a password whereas with an enabled root account + su -c 'command' you are asked for the ROOT password (which should be different from the regular user password) and only given privilege for that one command

both scenarios are however more secure then running AS root (which i used to do myself, but have since broken myself of that habit)

the only time running a system with only a root account would be acceptable imho is in a specialized situation such as an embedded Linux appliance which only gets logged into for administrative purposes and has no general purpose applications that can be exploited easily.

Most distros tend to prefer you use sudo and never create a root account.

Thanks. Best laugh I've had in days.