Disable root password and gain su sudo with no password

From ArchWiki
Revision as of 16:44, 13 February 2009 by Phrakture (talk | contribs)



Arch Linux is not fine-tuned to work with a disabled root account. You will most likely run into problems if you don't know exactly what you're doing. Additionally, the developers feel that disabling the root account entirely is stupid.


If your sudo settings break you won't be able to use the root account on your box. When using a remote or headless machine, this can be something of a pain to fix.


  1. User password strength is equal to root's password, and one must first log in to use sudo.
  2. Root password will be disabled -- anyone trying to log in as root will be denied. Anyone wanting to access the machine must first know the correct username.
  3. Once local security is compromised the root password is meaningless -- a LiveCD is a perfect backdoor.


You'll need "sudo" installed. You can grab it from pacman:

# pacman -S sudo


Opening /etc/sudoers

You should always use visudo to edit the sudoers file since visudo performs some checks to ensure that the edited file remains valid. Type visudo at a root prompt and edit. The command i will start edit mode in vi, Esc will end it, :wq will save the file and quit, while :q! will quit without saving.

If you are uncomfortable with vi, you can use nano instead.

# export EDITOR=nano; visudo

Editing /etc/sudoers

Allow user ziggy sudo from local machine only using HOSTNAME in rc.conf:

ziggy   <hostname>=(ALL) ALL

Allow user arch sudo from anywhere (local/net):

arch    ALL=(ALL) ALL

Allow group wheel sudo access requiring no password:


Don't forget to add the desired users to any groups with sudo abilities.

# gpasswd -a username group

Note that it is perfectly valid to mix-and-match these options to create a more custom sudo environment. For more complete information on the capabilities of the sudoers file, visit http://www.gratisoft.us/sudo/man/sudoers.html.

Extra Security

To allow wheel users to log in locally only, add the following line to /etc/security/access.conf:


Disabling root

Test the user's sudo abilities, then disable the root account by locking its password.

# passwd -l root

A similar command unlocks root.

$ sudo passwd -u root

That's it. You should have a newly-disabled root.

Alternative method of disabling root

Edit your /etc/shadow.

$ sudo vipw -s

Then replace root's encrypted password with !. The full line will look something like:


This lets package install scripts that need to add or remove users and groups (gpasswd and the like) run when you use pacman. That is impossible if you lock root with 'passwd -l root'.

To enable root login again:

$ sudo passwd root
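
A check one could run before and after the locking steps above, as an added example that is not part of the wiki page: it classifies a password field in a shadow(5)-format file as locked, empty or usable, and confirms the sudo user is in the intended group. The file contents are constructed samples reusing the page's ziggy, arch and wheel names; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the wiki page). Sample data below is constructed.

# pw_state SHADOW_FILE USER -> prints locked | empty | password | missing
pw_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"     # no password required at all
            else if ($2 ~ /^[!*]/) print "locked"    # "passwd -l" prepends "!"
            else                   print "password"  # a usable password hash
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# in_group GROUP_FILE GROUP USER -> exit 0 if USER is in GROUP's member list
# (supplementary members only; a primary group set in /etc/passwd is not seen)
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }
    ' "$1"
}

# ready_to_lock SHADOW_FILE GROUP_FILE GROUP USER -> exit 0 only if USER can
# still authenticate with a password and belongs to the sudo-enabled GROUP
ready_to_lock() {
    [ "$(pw_state "$1" "$4")" = password ] && in_group "$2" "$3" "$4"
}

# Constructed sample files; the hash strings are placeholders, not real hashes.
demo=$(mktemp -d)
cat > "$demo/shadow" <<'EOF'
root:!$6$constructed$placeholder:14288::::::
ziggy:$6$constructed$placeholder:14288:0:99999:7:::
arch::14288:0:99999:7:::
EOF
printf 'wheel:x:10:ziggy\n' > "$demo/group"

for u in root ziggy arch; do
    echo "$u: $(pw_state "$demo/shadow" "$u")"
done
ready_to_lock "$demo/shadow" "$demo/group" wheel ziggy && echo "ziggy: safe to lock root"
ready_to_lock "$demo/shadow" "$demo/group" wheel arch  || echo "arch: do not lock root yet"
```

On a live system, run the functions as root against /etc/shadow and /etc/group. An empty field for root means no password is required, which is the opposite of a locked account.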

KDE - kdesu

kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately we can tell kdesu to use sudo instead of su.

There are two ways to do so:

  1. Recompile kdebase with '--with-sudo-kdesu-backend' configure switch.
  2. Create a kdesurc file in '/usr/share/config/' with the following: