How to Create a Secondary Root User with Full Privileges in Linux Systems

Many system administrators face scenarios where they need to create additional users with full root privileges. The obvious approach, adding the user to the root group, falls short, as a quick test shows:

# Logged in as a user whose primary or supplementary group is root:
cat /etc/shadow
# cat: /etc/shadow: Permission denied

Traditional Unix permissions treat root differently: being in the root group does not grant superuser access. Root's power comes from running with effective UID 0, to which the kernel grants the full capability set, not from group membership. This design prevents accidental privilege escalation through group permissions.

Method 1: UID Assignment

The most straightforward solution is to create a user with UID 0:

# -m creates the home directory; -o permits a UID that is already in use
useradd -m -o -u 0 -g 0 -G wheel -d /root/root2 -s /bin/bash root2
passwd root2

Key parameters:

  • -o allows duplicate UIDs (useradd refuses UID 0 without it)
  • -u 0 sets UID to 0 (root)
  • -g 0 sets primary group to root
  • -G wheel adds the supplementary wheel group, which many distributions grant sudo rights
  • -d and -s set the home directory and login shell

Method 2: Sudo Configuration

For more controlled access, configure sudoers:

visudo
# Add line:
root2 ALL=(ALL:ALL) NOPASSWD: ALL

Before implementing either solution:

  • Audit all root-equivalent accounts regularly
  • Implement SSH key authentication only
  • Consider using SELinux/AppArmor restrictions
  • Maintain detailed access logs
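The audit in the first bullet can be scripted. The following is an added example, not code from the original article: it scans a passwd-format file for every UID 0 account and a sudoers-format file for entries that grant unrestricted `ALL` rights, and flags hosts with more than one UID 0 account. The sample passwd and sudoers files are constructed inline so the script runs offline; on a real host point the functions at /etc/passwd, /etc/sudoers and each file in /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: enumerate root-equivalent accounts (UID 0 entries and
# unrestricted sudo grants). Not code from the original article.

# audit_uid0 FILE: print every account name in passwd-format FILE whose UID is 0.
audit_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# single_root FILE: succeed only if exactly one UID 0 account exists in FILE.
single_root() {
    [ "$(audit_uid0 "$1" | awk 'END { print NR }')" -eq 1 ]
}

# audit_sudo_all FILE: print "<user-or-group>:<NOPASSWD|password>" for each
# sudoers-format line granting ALL on all hosts. Comments are stripped first;
# rules limited to specific commands (last field not ALL) are not reported.
audit_sudo_all() {
    sed 's/#.*//' "$1" | awk '
        NF >= 3 && $2 ~ /^ALL=\(/ && $NF == "ALL" {
            print $1 ":" (($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "password")
        }'
}

# Constructed sample input (not taken from a real host) so the example runs offline.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
root2:x:0:0:second root:/root/root2:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers sample
Defaults logfile=/var/log/sudo.log
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
root2 ALL=(ALL:ALL) NOPASSWD: ALL
backup ALL=(root) /usr/bin/rsync
EOF

echo "UID 0 accounts:"; audit_uid0 "$SAMPLE_PASSWD"
single_root "$SAMPLE_PASSWD" || echo "WARNING: more than one UID 0 account"
echo "Unrestricted sudo grants:"; audit_sudo_all "$SAMPLE_SUDOERS"
```

On the sample data the script lists root and root2 as UID 0 accounts, warns about the duplicate, and reports root, %sudo and root2 (the last one passwordless) as unrestricted sudo grants; the backup rule, limited to rsync, is correctly left out.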

After creation, verify the new account's privileges:

sudo -u root2 whoami
# Should return "root": whoami maps UID 0 to the first matching /etc/passwd entry
sudo -u root2 cat /etc/shadow
# Should display the shadow file contents

For temporary root access, consider:

sudo -i
# Or
sudo su -

For automated tasks, use specific sudo rules instead of full root access.


Many admins mistakenly believe adding a user to the root group grants full superuser privileges. Group membership provides some elevated access (files readable or writable by group root), but it does not equate to true root capabilities. The key distinction lies in how Linux evaluates permissions:

# Primary group root plus wheel: partial access, but not full root
useradd -g root testadmin
usermod -aG wheel testadmin

For true root-equivalent access, consider these approaches:

1. Direct UID 0 Assignment (Not Recommended)

The most straightforward but dangerous method (the account must already exist, and -o is required because UID 0 is already taken):

useradd -m -s /bin/bash secondary_root
usermod -u 0 -o secondary_root
usermod -g 0 secondary_root

Warning: This creates security issues equivalent to having multiple root accounts.

2. Sudoers Configuration (Best Practice)

The secure way to delegate root privileges:

# /etc/sudoers or /etc/sudoers.d/secondary_root (mode 0440; validate with visudo -cf before use)
secondary_root ALL=(ALL:ALL) NOPASSWD: ALL

3. Capabilities Assignment (Granular Control)

File capabilities grant a single privilege to a binary instead of full root. Note that a file capability applies to every user who can execute that binary, not to one account, so it is granular only in which privilege is granted, not in who receives it; putting cap_dac_override on a general-purpose editor lets any local user bypass file permissions system-wide, so it belongs on a purpose-built, tightly restricted helper if used at all:

setcap cap_dac_override=+ep /usr/bin/vim

The original attempt with /etc/shadow fails because:

-r-------- 1 root root /etc/shadow  # Permission bits 400

Even root group members can't read owner-only (400) files, because the kernel consults exactly one permission class (owner, group or other) per access. (On Debian-based systems the file is 0640 root:shadow, so it is the shadow group, not root, that has group read access.) True root access requires either:

  • Effective UID 0 (via su/sudo)
  • Explicit DAC override capabilities (CAP_DAC_OVERRIDE, or CAP_DAC_READ_SEARCH for reads)
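To make the DAC rule concrete, here is an added example (not from the original article) that evaluates the classic owner/group/other read check the way the kernel does: the owner class is chosen if the effective UID matches, otherwise the group class, otherwise other, and only one class is ever consulted; effective UID 0 skips the bits entirely. The function and its demonstration calls are constructed for illustration, and the check is simplified to the effective GID (the kernel also consults supplementary groups).

```shell
#!/bin/sh
# Added example: classic Unix DAC read check. Not code from the original article.
# dac_can_read EUID EGID OWNER_UID OWNER_GID MODE
#   Succeeds (exit 0) if a process with EUID/EGID may read a file owned by
#   OWNER_UID:OWNER_GID with permission bits MODE (three or four octal digits,
#   e.g. 400 or 0640). Exactly one permission class is consulted, so a
#   root-group member looking at a 400 root-owned file falls into the group
#   class and gets "---" even though that group is root.
dac_can_read() {
    euid=$1; egid=$2; owner=$3; group=$4; mode=$5
    # Effective UID 0 bypasses DAC for reads (CAP_DAC_READ_SEARCH).
    if [ "$euid" -eq 0 ]; then return 0; fi
    # Drop a leading setuid/setgid/sticky digit: 0640 -> 640.
    case $mode in ????) mode=${mode#?} ;; esac
    u=${mode%??}            # owner digit
    g=${mode#?}; g=${g%?}   # group digit
    o=${mode#??}            # other digit
    # Simplification: only the effective GID is checked, not supplementary groups.
    if [ "$euid" -eq "$owner" ]; then bits=$u
    elif [ "$egid" -eq "$group" ]; then bits=$g
    else bits=$o
    fi
    # Read permission is the 4 bit of the selected digit.
    [ $(( bits & 4 )) -ne 0 ]
}

# Constructed demonstration: /etc/shadow as root:root 0400 (the article's
# listing) and as root:shadow 0640 (Debian layout; gid 42 is assumed for shadow).
show() { if dac_can_read "$@"; then echo "readable: $*"; else echo "denied:   $*"; fi; }
show 1000 0    0 0  400   # root-group member, owner-only file: denied
show 0    0    0 0  400   # euid 0: readable
show 1000 42   0 42 640   # member of the shadow group: readable
show 1000 1000 0 42 640   # ordinary user: denied
```

The first call is the article's failing `cat /etc/shadow`: the caller is not UID 0, so the owner bits are never considered, and the group class of a 400 file grants nothing even to gid 0.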

For emergency access while maintaining audit trails:

# Create a separate admin account with full (password-prompted) sudo
useradd -m -s /bin/bash emergency_admin
passwd emergency_admin
echo "emergency_admin ALL=(ALL) ALL" > /etc/sudoers.d/emergency
chmod 0440 /etc/sudoers.d/emergency
visudo -cf /etc/sudoers.d/emergency   # a syntax error in any sudoers file stops sudo for everyone

# Configure sudo logging (a drop-in avoids editing /etc/sudoers directly)
echo "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging
chmod 0440 /etc/sudoers.d/logging
visudo -cf /etc/sudoers.d/logging

When implementing secondary privileged accounts:

  • Always prefer sudo over direct UID 0 assignment
  • Implement two-factor authentication
  • Regularly review sudo logs
  • Consider time-limited access with a timeout in sudoers:

# Example timeout configuration
Defaults timestamp_timeout=30  # Requires the password again after 30 minutes
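Because sudo refuses to run at all when any sudoers file has a syntax error, drop-ins such as the emergency account rule or the timeout above should be validated before they land in /etc/sudoers.d. The following is an added example, not code from the original article: a helper that reads a fragment on stdin, writes it to a temporary file, validates it with `visudo -cf` when visudo is available, sets the 0440 mode sudo expects, and only then moves it into place. The directory is a parameter so the demonstration can run against a scratch directory; the function name and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in safely. Not code from the original
# article. install_sudoers_dropin NAME DIR reads the fragment on stdin and
# installs it as DIR/NAME only after validation and with mode 0440.
install_sudoers_dropin() {
    name=$1; dir=$2
    # sudo skips drop-in files whose names contain '.' or end in '~', so a
    # half-written file would be silently ignored; refuse such names outright.
    case $name in *.*|*~|"") echo "refusing drop-in name '$name'" >&2; return 2 ;; esac
    # The temp name contains '.', so sudo ignores it if the script dies midway.
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        # -c checks syntax only; -f points visudo at this file instead of /etc/sudoers.
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Constructed demonstration in a scratch directory standing in for /etc/sudoers.d.
DEMO_DIR=$(mktemp -d)
printf '%s\n' 'emergency_admin ALL=(ALL) ALL' 'Defaults:emergency_admin timestamp_timeout=30' \
    | install_sudoers_dropin emergency "$DEMO_DIR" && echo "installed $DEMO_DIR/emergency"
ls -l "$DEMO_DIR"
```

Run against the real directory as root (`... | install_sudoers_dropin emergency /etc/sudoers.d`), the file is owned by root because root created it; the per-user `Defaults:emergency_admin` form scopes the timeout to that account rather than to every sudo user.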