Administrator (sudo) rights in Cubbli Linux

Last modified by Jarre Johansson on 2026/04/23 10:29

About

You can have administrator rights on your Cubbli Linux workstation or laptop. Currently this is implemented by adding your user account to the local sudo group on the machine, so that you can access the root user account with your own password. Alternatively, sudo access can be granted to a centrally managed Active Directory IDM group.

Students

When you have read all the bullet points in Mandatory reading regarding the acquirement of sudo-rights, Administrative privileges, Confidentiality agreement and Cooperation agreement in information technology, you can run the command i-want-sudo-access on your Cubbli fuxi-laptop. The correct answer to the question Do you still want sudo access right, even after you read the instructions? is Yes I do.

Faculty

When you have read all the bullet points in Mandatory reading regarding the acquirement of sudo-rights, Administrative privileges, Confidentiality agreement and Cooperation agreement in information technology, you can check the Flamma page for further instructions.

https://flamma.helsinki.fi/s/KZOA9

Mandatory reading regarding the acquirement of sudo-rights

  • Linux offers almost no protection against mistakes made with admin rights. 
    • A typo or a wrong command, or just following bad instructions from a web page can destroy your system, make it unbootable or destroy or corrupt your files.
  • If you break your system with your admin rights, helpdesk probably can't help you.
    • Debugging a broken Linux installation takes lots of time and effort, which would probably be better used elsewhere. Most likely we will fix your broken Linux machine by reinstalling it from scratch.
  • This is the most common mistake: do not run programs as root.
    • If you try to run a web browser or any other GUI program as root, it will overwrite files in your home directory with files owned by root and your desktop will stop working. It is also likely that the program will write files in system directories. Non-GUI programs can also do this. If a piece of software can't do its job because of missing access rights, fix the access rights of the accessed resource instead.
  • Use the root account only for administrative purposes.
    • For example, installing software from software repositories. If you need the root account to run server software, the server software will need a separate user account for running, instead of root.
  • Do not remove the cubbli packages.
    • Even if the apt dependency resolver asks for it. The University configuration is implemented by those packages, and it will stop working if they are removed.
    • It is probably safe to remove cubbli-apps, cubbli-dev and cubbli-extra packages if you need space on the root file system.
  • Do not use do-release-upgrade for upgrading to a newer distribution version.
    • It won't work with Cubbli and it will break your system so that it probably needs to be reinstalled. Your files can still be saved though. Instead, ask Helpdesk to do the upgrade. It can be done remotely when the machine is connected to a wired University network and it takes much less time than do-release-upgrade.
  • The root partition and root directory are intentionally small.
    • Anything important or large should be saved to the /home/ partition. If you use docker images, databases or virtual machines, configure them to save data on the /home/ partition.
    • If the root partition gets full, the Linux installation will stop working properly.
    • Only files in the /home/ partition will be copied to a new installation or preserved during reinstall. 
    • If you need Docker, use the cubbli-docker package: $ sudo apt install cubbli-docker
  • Be careful and selective when configuring 3rd party software repositories.
    • If you add a 3rd party repository to a Cubbli host, always also add the GPG key that is used to sign the installed software packages.
    • Also, apt repositories provide no protection against malicious or just buggy packages: they can break your system, the repositories will have root access to your host (and your data!), and they can stop automatic installation of security updates if there are any problems.
  • Consider the privacy of others. 
    • If there are other users using the same machine, the root account can access everything that the other user can, including files, Kerberos tickets, web browser cookies, keyboard and mouse events, network traffic and the screen. There is no way around this, which means that root access can only be given to a machine where there is only one user, or to a group where everybody knows that this is the case.
  • You don't need root rights to install, compile or develop software.
    • Software can be installed and run from your own home directory, including binary libraries and daemons.
    • Most programming environments for scientific computing provide tools to manage library dependencies without any administrator rights (Python, R, nodejs and probably many others).
    • If an installer or compiled software tries to install itself by default to a system location (like /opt or /usr/local), just change the default (yes, you might need to read the manual). This has the added benefit that your development will survive operating system and machine upgrades and can be reproduced later when the original machine doesn't exist anymore. And you can have multiple different environments if you have multiple projects.
  • Use a virtual machine or docker images for development and testing. 
    • KVM virtual machines are easy to set up and they can be easily replaced (or returned from snapshots) if anything goes wrong with them.
  • If some software or a library is missing from Cubbli or is just too old, ask helpdesk to install or upgrade it.
    • We mostly don't know about missing software or a software dependency unless someone asks for it first.
  • There are plenty of web pages and LLMs with bad advice.
    • If you don't know what the commands you are running actually do, consider not running them.
    • Also don't blindly copy and paste stuff straight to the command line, whether it came from a random forum post or an AI chatbot. Put them through a text editor first for added security.
  • The machine needs to be reinstalled before it is given to the next user.
    • We here at the IT department do not always know that the machine has changed ownership, so you should mention it to helpdesk.
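
For the point above about third-party repositories and their GPG keys, the following added example (not part of the original page or of Cubbli) lists APT source entries that are not tied to a specific signing key through apt's signed-by option. It assumes that such entries are verified against every key in the host-wide keyring; the function name audit_apt_sources, repo.example.org and vendor.gpg are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: report APT source entries not tied to one signing key.
# Assumption: an entry without signed-by / Signed-By is checked against every
# key in the host-wide keyring, so any trusted key can vouch for it.

audit_apt_sources() {   # usage: audit_apt_sources FILE...
    local f
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
        *.list)     # one-line format: deb [opt=val ...] URI SUITE COMPONENT...
            awk -v f="$f" '
                $1 == "deb" || $1 == "deb-src" {
                    s = index($0, "["); e = index($0, "]")
                    opts = (s && e > s) ? substr($0, s, e - s) : ""
                    if (!index(opts, "signed-by=")) print f ": " $0
                }' "$f" ;;
        *.sources)  # deb822 format: stanzas separated by blank lines
            awk -v f="$f" '
                function emit() {
                    if (uris != "" && !pinned && enabled) print f ": " uris
                    uris = ""; pinned = 0; enabled = 1
                }
                BEGIN { enabled = 1 }
                /^[ \t]*$/                  { emit(); next }
                tolower($1) == "uris:"      { uris = $0 }
                tolower($1) == "signed-by:" { pinned = 1 }
                tolower($1) == "enabled:" && tolower($2) == "no" { enabled = 0 }
                END { emit() }' "$f" ;;
        esac
    done
    return 0
}

# Constructed sample files; repo.example.org and vendor.gpg are placeholders.
demo=$(mktemp -d)
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://repo.example.org/a stable main' > "$demo/pinned.list"
echo 'deb [arch=amd64] https://repo.example.org/b stable main' > "$demo/unpinned.list"
printf 'Types: deb\nURIs: https://repo.example.org/c\nSuites: stable\nComponents: main\n' > "$demo/unpinned.sources"
printf 'Types: deb\nURIs: https://repo.example.org/d\nSuites: stable\nSigned-By: /usr/share/keyrings/vendor.gpg\n' > "$demo/pinned.sources"
audit_apt_sources "$demo"/*
# On a real host: audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*
```

An entry listed here still has its signatures checked, but against every key the host trusts rather than only the repository's own key.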

Administrative privileges

Administrative privileges to University of Helsinki workstations have been assigned to the on-site IT support teams of the Centre for Information Technology.

University employees can apply for administrative privileges to a University workstation they use. For valid reasons, applicants may be granted administrative privileges to an individual workstation for a fixed period. The following are considered valid reasons:

  • Long-term continuous work outside Finland or outside University facilities in Finland
  • Use for field measurements which is comparable to the use of special workstations
  • Application development (some restrictions apply)
  • The employee must hold administrative privileges to complete his or her duties, or not holding such privileges causes unreasonable inconvenience to the employee.

The following are not considered valid reasons:

  • Working from home or outside the opening hours of the University Helpdesk
  • Occasional work outside Finland or outside University facilities in Finland
  • Installation of software on the workstation in question
  • “Just in case”, “my colleague has these privileges”, or “I can do it myself”

Applicants for administrative privileges must meet the following conditions:

  • They must agree to follow the University’s rules on information security.
  • They must sign the University’s confidentiality agreement (Appendix 1).
  • They must agree to comply with the University’s cooperation principles (Appendix 2).

Administrative privileges can be granted for a fixed period of up to one year. Extension of these privileges does not require a new application.

Administrative privileges can be granted to an employee who needs them to perform IT maintenance procedures not included in the support services provided by the Centre for Information Technology and if the employee is clearly unable to complete his or her work duties without administrator status.

If these privileges are granted, the responsibility for maintaining the workstation will be shared between the Centre for Information Technology and the employee. Employees with administrative privileges to their workstation are entitled to receive support from the University Helpdesk, but the Centre for Information Technology may ultimately restrict its support responsibilities to the reinstallation of the workstation.

If abused, these privileges can also be revoked. Revocation can occur in the following cases:

  • Activities that breach the University’s rules on information security
  • Direct or indirect harm resulting from carelessness or negligence
  • Failure to maintain appropriate IT skills
  • Use of administrator status for purposes other than those described in the original decision

Administrative privileges to a group of workstations

University employees can also apply for administrative privileges to a group of workstations. This may be justified, for example, in some research groups. Administrative privileges to a group of workstations must be requested using the same procedure as for individual workstations (see above).

As a rule, however, such research groups should use separate laboratory networks.

CONFIDENTIALITY AGREEMENT

Information obtained during employment or under a contract with the University of Helsinki

This agreement shall apply to confidential information obtained while employed by the University of Helsinki (UH, as defined below) or while carrying out work pursuant to a contract with the University of Helsinki or as a service provider. In addition to that which follows from my contract of employment or service as well as from other general instructions and legislation related to the employment or contract, I agree to the following with regard to confidential information:

In this agreement, the following terms have the following meanings:

“Users” refers to UH employees, students or other persons entitled to use UH information systems.

“Confidential information” (CI) refers to the business and trade secrets of the UH, its partners and its contracting parties, Users’ personal, salary and other confidential information, Users’ emails and other confidential messages and related content, identification information, messages (e.g., the information generated from Internet, intranet and extranet usage) and geographic information, other information considered confidential by law, information indicated in the UH security classification as confidential or understood to be confidential, information related to UH security arrangements, and all confidential information equivalent to the above, regardless of:

  • The format of the information (electronic, written, oral)
  • The person who disclosed the information
  • Any other source of the information

“External party” refers to any third party not authorised to obtain or process CI, including employees, contracting parties, representatives, agents and Users of the UH and its partners who are not authorised to process CI pursuant to the duties assigned to or agreed with them or who are not authorised to obtain CI pursuant to their position or role.

“UH” refers to the University of Helsinki, all those working within it, and its units, cooperative consortia, departments, institutes and faculties.

When handling or obtaining CI, I agree to keep all CI strictly confidential and:

  • Not to reveal, communicate or disclose CI to any External Party
  • Not to leave CI where External Parties can view or otherwise access it
  • Not to obtain or process CI more extensively than what is necessary within the law to fulfil the obligations of my employment or service contract
  • Not to use CI in a manner unrelated to my work duties or service contract for the benefit of myself or any External Party, and
  • Not to otherwise misuse CI.

However, the obligation of confidentiality shall not apply to information that:

  • Is publicly available or otherwise public
  • I received from a third party without obligations of confidentiality
  • I had already acquired without obligations of confidentiality prior to receiving it from the University
  • I have independently developed without the use of information obtained from the University or before the University disclosed equivalent information to me
  • Must be published by law or official order

I agree to take particular care to follow all the regulations, instructions and practices regarding information security which the UH has specified within the limits of its authority.

At the end of my employment or service contract, I shall promptly transfer to the UH all documents and data media (including any copies) that apply to Users, the UH or its partners, or that contain CI.

This agreement shall also be valid after the end of my employment or service contract for as long as the CI remains confidential. After the end of their employment, however, UH employees shall be permitted to make a living by using, within the ordinary scope, the general knowledge and experience acquired during their employment at the UH.

I understand and accept that the UH grants me no rights to CI or any part thereof.

I understand my obligations under this confidentiality agreement concerning University instructions, legislation, confidentiality and the prohibition of use, and am aware that breach of this agreement may lead to penalties, claims for damages and other consequences related to employment law or contract law.

This agreement shall be governed by the laws of Finland.

Disputes arising or relating to this agreement shall be settled primarily by negotiation. If negotiations are unsuccessful, the dispute shall be settled at first instance by the District Court of Helsinki, unless otherwise provided for by mandatory laws.

COOPERATION AGREEMENT IN INFORMATION TECHNOLOGY

When maintaining workstations as an administrator, I agree to follow the legislation on information security, the University of Helsinki rules on information security, and its rules on the use and maintenance of information systems.

I shall comply with the University of Helsinki confidentiality agreement and understand the obligations it places upon me.

When maintaining workstations as an administrator, I shall follow the instructions and rules issued by the University of Helsinki Centre for Information Technology on the use and maintenance of information systems, shall employ the same maintenance methods and tools as the Centre’s on-site support staff, and shall cooperate with the Centre’s staff.

I shall maintain the appropriate skills needed for my work duties and the information systems I use, and shall participate in training organised by the University of Helsinki Centre for Information Technology.

I understand that violating the above undertakings may lead to the restriction or cancellation of the rights granted to me.