Administrative access rights

The operating system provides privileged access rights for system administration.

System privilege is based on user and group IDs. Users with effective user or group IDs of 0 are recognized as privileged.

Processes with effective user IDs of 0 are known as root-user processes and can:

  • Read or write any object
  • Call any system function
  • Perform certain subsystem control operations by executing setuid-root programs

You can manage the system using two types of privilege: the su command privilege and setuid-root program privilege. The su command allows all programs you invoke to function as root-user processes. This makes the su command a flexible way to manage the system, but it is not very secure.

Making a program into a setuid-root program means the program is a root-user-owned program with the setuid bit set. A setuid-root program provides administrative functions that ordinary users can perform without compromising security; the privilege is encapsulated in the program rather than granted directly to the user. It can be difficult to encapsulate all necessary administrative functions in setuid-root programs, but this approach provides more security to system managers.
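Because each setuid-root program carries root privilege, administrators commonly keep a reviewed list of them and check for additions. The script below is an added example, not part of the original documentation; the function names and the baseline file format (one absolute path per line) are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit setuid programs against a reviewed baseline.
# Baseline format (assumed): one absolute path per line.

# list_setuid DIR [OWNER]
# Print every regular file under DIR that is owned by OWNER (default 0,
# the root user) and has the setuid bit (mode 4000) set.
list_setuid() {
    find "$1" -xdev -type f -user "${2:-0}" -perm -4000 2>/dev/null | sort
}

# unexpected_setuid DIR BASELINE [OWNER]
# Print setuid files under DIR that are not listed in BASELINE.
# Returns 0 if all are listed, 1 if any are not, 2 if BASELINE is unreadable.
unexpected_setuid() {
    if [ ! -r "$2" ]; then
        echo "baseline not readable: $2" >&2
        return 2
    fi
    # grep -Fxv keeps only lines that match no baseline entry exactly.
    extra=$(list_setuid "$1" "${3:-0}" | grep -Fxv -f "$2" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Run as: script DIR BASELINE [OWNER]
if [ "$#" -ge 2 ]; then
    unexpected_setuid "$@"
fi
```

A path printed by `unexpected_setuid` is a root-privileged program that has not been reviewed; either add it to the baseline after inspection or clear its setuid bit.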