LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-06-2013, 05:50 AM   #1
Altiris
Member
 
Registered: Mar 2013
Posts: 555

Rep: Reputation: Disabled
How does the root user work?


I understand it has privileges to everything and should only be used when really needed and then logged out. However I have a couple of questions,

1. Is the root user password hashed/encrypted?
2. If the root account is disabled (like on linux mint) could a "virus" enable it?
3. If a "virus" could enable the root account, couldn't it then also set up the root password since it was never set before?
 
Old 05-06-2013, 07:13 AM   #2
nigelc
Member
 
Registered: Oct 2004
Location: Sydney, Australia
Distribution: Mageia 4
Posts: 344
Blog Entries: 4

Rep: Reputation: 63
1 = yes
2 =yes maybe
3 = yes
 
Old 05-06-2013, 07:18 AM   #3
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,528

Rep: Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056
Yes, the root password (and all user account passwords) is/are encrypted.

If you look at /etc/passwd, it will look, in part, something like this:
Code:
root:x:0:0::/root:/bin/ksh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
Those are system account, starting with root (there are more, including user accounts).

/etc/passwd is made of of fields separated by colons; the last field contains the shell program started at log in. On my systems, I define that as KornShell rather than BASH, so it's /bin/ksh instead of /bin/bash.

The other "optional user command interpreter" (that's the last one) are specified /bin/false so no one can log in to any of those user accounts (they're not really user accounts, they're for system administration). You should not fool around with any of them for any reason, by the way.

Now, the second field, "optional encrypted password," contains an "x" indicating that the actual encrypted password is stored in /etc/shadow. That looks something like this (note: you must be root to see the shadow file):
Code:
root:$1$a7IEQ/cm$N33kwrt.F6iuXHEKq5/NS/:15106:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
There is one line in /etc/shadow corresponding to each line in /etc/passwd. If the second field in /etc/shadow is an asterisk, there is no password (and no log in is possible).

Anybody can read /etc/passwd (you can look at); nobody, except root, can read /etc/shadow. The permissions on those two files should never be fiddled around with for any reason.

Now, about "viruses."

Essentially, you want to use strong passwords:
Quote:
Compromises in password security normally result from careless password selection
or handling. For this reason, you should not select a password which appears in a
dictionary or which must be written down. The password should also not be a proper
name, your license number, birth date, or street address. Any of these may be used
as guesses to violate system security.

You can find advices on how to choose a strong password on
http://en.wikipedia.org/wiki/Password_strength
The above from the passwd page.

For example, "good" passwords include upper- and lower case letters, numeric characters, punctuation characters and are at least eight characters in length (longer is even better) -- read the Wikipedia article.

Viruses? Not really applicable (this ain't Windows). You protect yourself with good passwords.

You should take some time and read the manual pages for passwd and shadow and, perhaps, the "See Also" references at the bottom of each of those manual pages for a better understanding of how all this works:
Code:
man passwd
man 5 shadow
Hope this helps some.

Last edited by tronayne; 05-06-2013 at 07:20 AM.
 
Old 05-06-2013, 07:38 AM   #4
SLW210
Member
 
Registered: Apr 2013
Location: South Central Florida
Posts: 43

Rep: Reputation: 10
From the Wikipedia link posted above..

Quote:
Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, side-channel attacks, and software vulnerabilities.
 
Old 05-06-2013, 02:05 PM   #5
Altiris
Member
 
Registered: Mar 2013
Posts: 555

Original Poster
Rep: Reputation: Disabled
Alright but so shouldn't all distributions when installing allow someone to set a root password and then after installation disable the account? It's better to have some type of password in there than none at all since it may be possible for a virus to enable the root user account. I see this as a major flaw in Linux right now.
 
Old 05-06-2013, 02:15 PM   #6
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017
Quote:
Originally Posted by Altiris View Post
I see this as a major flaw in Linux right now.
Very few distros operate on the sudo-only principle with the root account disabled. Most Linux distros still make you (or at least allow you to) set up a root password during installation. If you dislike the sudo-only no-root-account way of doing things (you're not alone in this camp), then don't run those distros.
 
Old 05-06-2013, 02:16 PM   #7
Altiris
Member
 
Registered: Mar 2013
Posts: 555

Original Poster
Rep: Reputation: Disabled
I've only tried ubuntu based, debain, and then CentOS. I think CentOS is the most secure, anyways my question is answered thanks
 
Old 05-06-2013, 02:31 PM   #8
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,528

Rep: Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056Reputation: 1056
You might want to try Slackware if you want control, stability and reliability.

Oh, you will have a root account and you will be prompted to set a password for it during installation.

Hope this helps some.
 
Old 05-06-2013, 02:57 PM   #9
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,254

Rep: Reputation: 314Reputation: 314Reputation: 314Reputation: 314
Disabling root login doesn't mean that root privilages are inaccesible. This root account is still needed for other purposes than login to system, like for maintance by user. To enable root account virus or other user need to known administrator password (or somehow other method of authorization to use this account), it is irrelevant which password it would be (root or other account). Passwordless root account has other purpose, like allowing specified users to execute privilaged commands, or commands as another user, without giving them password for root, therefore full access to system.

Also you can't say "all distributions" - not all of them are multiuser (on some of them only root account exist). Also not everyone want disabled root account, it all depends on actual use of system. And for example, on Ubuntu you can choose during installation (precisely a sudo package) if you want to have disabled root account or not.
 
Old 05-06-2013, 03:24 PM   #10
mreff555
Member
 
Registered: Sep 2011
Location: Philly
Distribution: Gentoo
Posts: 473

Rep: Reputation: Disabled
Quote:
Originally Posted by Altiris View Post
Alright but so shouldn't all distributions when installing allow someone to set a root password and then after installation disable the account? It's better to have some type of password in there than none at all since it may be possible for a virus to enable the root user account. I see this as a major flaw in Linux right now.
If I log in to a brand new system such as debian, as a user with all access in the sudoers I have the ability to set the root password. Even if it has already been set. In my opinion the security flaw is SUDO itself. On a desktop system I prefer to have it for simplicity. I would think that secure servers would be better off without sudo.
 
Old 05-06-2013, 03:50 PM   #11
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,131
Blog Entries: 2

Rep: Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833
Quote:
Originally Posted by mreff555 View Post
I would think that secure servers would be better off without sudo.
Secure servers are better off with sudo. But only if it is configured properly, in the way it was intentionally thought, for letting specific users or groups run some specific tasks with root privileges without giving them a general root-access to the machine. Of course, if you are the only person that administers a server sudo usually is unnecessary (and not existent on my servers).
On my desktop/laptops I keep it for convenience, for running some specific commands without the need for a password.
 
Old 05-06-2013, 06:36 PM   #12
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017Reputation: 2017
Quote:
Originally Posted by mreff555 View Post
I would think that secure servers would be better off without sudo.
As Tobi said, secure servers are better off with a properly configured sudo. It enables users to do the operations they need without having to dig out the huge root password every time, which makes things both faster and more secure (fewer people have access to the root password, the root password doesn't need to be accessed as often, etc.). As it's set up on many systems though, with the first user created on the system having full sudo power, it is certainly less secure than without sudo though.

In my opinion, in order of most secure to least secure, it goes:
1) true root user plus properly configured sudo
2) true root user with no sudo (RHEL/CentOS default)
3) no root user and the first user account has full sudo power (Ubuntu default)
 
Old 05-06-2013, 06:37 PM   #13
mreff555
Member
 
Registered: Sep 2011
Location: Philly
Distribution: Gentoo
Posts: 473

Rep: Reputation: Disabled
Quote:
Originally Posted by TobiSGD View Post
Secure servers are better off with sudo. But only if it is configured properly, in the way it was intentionally thought, for letting specific users or groups run some specific tasks with root privileges without giving them a general root-access to the machine. Of course, if you are the only person that administers a server sudo usually is unnecessary (and not existent on my servers).
On my desktop/laptops I keep it for convenience, for running some specific commands without the need for a password.
While I agree that it would be more secure if utilized properly, which many people do not do. Most of that security can be done simply by fully utilizing groups. Yes, I know it doesn't require a user to enter his password again but that probably isn't really necessary if his only access elevation is to run one or two programs.

Where I think the system becomes insecure, is that if there is more than one user able to set the root passwd, then there is now two root accounts. Twice the opportunities to compromise the system.
 
Old 05-07-2013, 02:50 AM   #14
nigelc
Member
 
Registered: Oct 2004
Location: Sydney, Australia
Distribution: Mageia 4
Posts: 344
Blog Entries: 4

Rep: Reputation: 63
Have sudon't if you don't like sudo.

Ubunbtu is getting more like windows.
 
Old 05-07-2013, 03:32 AM   #15
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,131
Blog Entries: 2

Rep: Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833Reputation: 4833
Quote:
Originally Posted by mreff555 View Post
Most of that security can be done simply by fully utilizing groups. Yes, I know it doesn't require a user to enter his password again but that probably isn't really necessary if his only access elevation is to run one or two programs.
Would work also. But is lacking a feature of sudo that most people simply forget: with a proper configured sudo you can have logging which user used sudo for invoking which command, which can make things much easier for the admin.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
why does sound work as user but not as root randell6564 Mandriva 15 01-15-2006 11:21 PM
Scanner to work as USER and not forced as ROOT Root (Suse 9.1) 1kyle Linux - Hardware 0 07-10-2004 08:51 AM
Why does X11 work for ROOT user only? webvandals Linux - Software 2 03-12-2004 11:47 PM
IntelliMouse thumb buttons work as root, broken as non-root user, wheel works always digital vortex Linux - Hardware 7 03-02-2004 04:14 PM
got ALSA to work in root, need help getting it to work in my user profile ic3 Slackware 2 11-28-2003 10:32 PM


All times are GMT -5. The time now is 07:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration