In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; a user account with a different name can be assigned the attribute of superuser. On Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account.〔getpwuid〕 In systems which implement a role-based security model, any user with the role of superuser (or its synonyms) can carry out all actions of the superuser account.

Given that a superuser account has substantially more privileges than ordinary user accounts and can therefore make unrestricted, potentially adverse system-wide changes, the principle of least privilege recommends that applications use an ordinary account to perform their work so as to improve system security and stability.

==Unix and Unix-like==

In Unix-like computer OSes, ''root'' is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include ''baron'' in BeOS and ''avatar'' on some Unix variants.〔The Jargon File (version 4.4.7), catb.org〕 BSD often provides a ''toor'' ("root" written backward) account in addition to a root account.〔"What is this UID 0 toor account?", freebsd.org〕 Regardless of the name, the superuser always has a user ID of 0. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024.

The name ''root'' may have originated because ''root'' is the only user account with permission to modify the root directory of a Unix system.
This directory was originally considered to be root's home directory, but the Linux Filesystem Hierarchy Standard now recommends that root's home be at /root.

The first process bootstrapped in a Unix-like system, usually called init, runs with root privileges. It spawns all other processes directly or indirectly, which inherit their parents' privileges. Only a process running as root is allowed to change its user ID to that of another user; once it has done so, there is no way back. Doing so is sometimes called ''dropping root privileges'' and is often done as a security measure to limit the damage from possible contamination of the process. Another case is login and other programs that ask users for credentials and, on successful authentication, allow them to run programs with the privileges of their accounts.

It is often recommended that no one use ''root'' as their normal user account,〔4.4. Administrative Controls〕 since simple typographical errors in entering commands can cause major damage to the system. Instead, a normal user account should be used, and then either the su (substitute user) or sudo (substitute user do) command is used. The ''su'' approach requires the user to know the root password, while the ''sudo'' method requires that the user has been set up with the power to run "as root" within the ''/etc/sudoers'' file, typically indirectly by being made a member of the ''wheel'',〔2.3. Configuring sudo Access〕 ''admin'', or ''sudo'' group. For a number of reasons, the ''sudo'' approach is now generally preferred; for example, it leaves an audit trail of who has used the command and what administrative operations they performed.

Some OSes, such as OS X and some Linux distributions (most notably Ubuntu〔RootSudo〕), automatically give the initial user created the ability to run as root via ''sudo'', but configure this to ask them for their password before doing administrative actions.
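
The ''dropping root privileges'' step described above, as an added example that is not part of the original article: a C helper that clears supplementary groups, sets the GID, then the UID, and confirms there is no way back. The function name `drop_root`, its result codes and the target ID 65534 (a common "nobody" ID on Linux) are assumptions of this example.

```c
#define _DEFAULT_SOURCE            /* exposes setgroups() in glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes are names chosen for this example. */
enum drop_result { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_FAILED = -1 };

/* Permanently switch a root process to an unprivileged uid/gid.
 * Groups and gid are changed first: once setuid() has given up UID 0,
 * the process is no longer allowed to change them. */
enum drop_result drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return DROP_NOT_ROOT;      /* only root may change its user ID */
    if (uid == 0 || gid == 0)
        return DROP_FAILED;        /* "dropping" to ID 0 drops nothing */

    if (setgroups(0, NULL) != 0)   /* clear inherited supplementary groups */
        return DROP_FAILED;
    if (setgid(gid) != 0)          /* as root: real, effective, saved gid */
        return DROP_FAILED;
    if (setuid(uid) != 0)          /* as root: real, effective, saved uid */
        return DROP_FAILED;

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_FAILED;
    if (setuid(0) == 0)            /* must fail: there is no way back */
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* 65534 is an assumed "nobody" ID; use your service account's IDs. */
    enum drop_result r = drop_root(65534, 65534);
    if (r == DROP_NOT_ROOT) {
        puts("not running as root, nothing to drop");
        return 0;
    }
    if (r != DROP_OK) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A caller should treat `DROP_FAILED` as fatal, because a partially completed drop can leave the process with a mix of old and new identities.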

In some cases the actual root account is disabled by default, so it cannot be used directly. In mobile platform-oriented OSs such as Apple iOS and Android, superuser access is inaccessible by design, but generally the security system can be exploited in order to obtain it. In a few systems, such as Plan 9, there is no superuser at all.〔"Security in Plan 9", Bell Labs〕

Excerpt source: Wikipedia, the free encyclopedia.