Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Ubuntu install lets you create a single do-everything password. Is it better practice to revert to the standard of a $ and # password? On a single user/owner home PC, is there a good reason to do so? Or, not to do so?
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by machika
Ubuntu install lets you create a single do-everything password. Is it better practice to revert to the standard of a $ and # password? On a single user/owner home PC, is there a good reason to do so? Or, not to do so?
Ubuntu uses sudo to manage administrator privileges.
You can enable the root user account if you wish, but sudo is different in that it only grants administrator privileges for a short period of time.
The root user account has all privileges and should ONLY be used when you need administrator privileges. If your new to Linux I'd suggest you learn the system before using the root user account.
Best practices would say that a different passwd for each user is prudent - just as a general practice. If your Linux experience is never going to leave the doors of your house and your machine isn't going to be public facing (ports open and forwarded to behind a NAT) then I don't see there being any issue with the same passwd for each user and a relatively simple one at that.
My home-built NAS units which reside on the local network - but are not publicly accessible - have simple pass configurations. Anything that is public facing is generally more complex than that. The SUDO system/method is really good in practice - because as you get deeper into Linux there are going to be times where you will be very happy you weren't root after hitting the enter key... Just develop the habit of using it... It really is unnecessary to be travelling around as root all of the time for every day tasks and can in turn create much greater unanticipated problems down the line.
I very strongly advise that you should not "routinely" use a user account that is capable of issuing the command sudo su to become root. In other words, your ordinary accounts should not be a member of the wheel group.
Then, yes, I would disable direct login access to the root user-id. (Usually, this is already done.)
This is an exercise of the Principle of Least Privilege, which takes advantage of the fact that "digital computers are terrible at knowing when to say 'yes,' but they're terrific at saying 'no!'"
Only one user-id on your system should be capable of walking into a telephone booth and flying out wearing ugly blue tights. Any rogue software that manages to steal your password (or to cajole you into providing it) would find its feet stuck firmly on the ground. And of course, you should never provide that user-name and password in response to any prompt, unless you are damn sure where it came from.
On all of my systems, of whatever type, every user save one is a "limited user," incapable of exercising elevated privileges, and all of their /home directories are private to themselves. (And if you did somehow get a list of users, you couldn't pick out which one it was.)
@sundialsvcs
Your response is at the threshold of my Linux knowledge - probably beyond.. anyway,
Quote:
I very strongly advise that you should not "routinely" use a user account that is capable of issuing the command sudo su to become root.
This is exactly what my install did. I can just, $ sudo su, and become #. That's poor, right?
So, to improve that, I'd have to create a root account (be patient I'm winging it..)
then if I wanted to be root, I'd Ctrl + Alt + F1, go into console, sign in and be root there. Something along those lines, I assume.
Thats the default config for Ubuntu, I mean you'll still need the administration password to run sudo.
On the default Ubuntu you can't login as root, unless you run sudo passwd root and set a password first. after that just run su in any term and provide the root password.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
This is a tough one. While I agree with sundialsvcs in princial I feel that the Ubuntu sudo setup is, perhaps, "good enough" for a single-user home system and thatKs why they did it.
Personally, I log in as root when I want root using "su -" with no sudo, because when I log in as root I'm only carrying out system-administrator tasks.
I also find an awful lot of blog posts and even scripts out there which seem to preface every command with "sudo" for no opther reason than the person posting it doesn't know whether they need to sudo (or can't specify a full path as with he case of ifconfig) and range from just silly to potentially dangerous.
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by machika
@sundialsvcs
Your response is at the threshold of my Linux knowledge - probably beyond.. anyway,
This is exactly what my install did. I can just, $ sudo su, and become #. That's poor, right?
So, to improve that, I'd have to create a root account (be patient I'm winging it..)
then if I wanted to be root, I'd Ctrl + Alt + F1, go into console, sign in and be root there. Something along those lines, I assume.
When you put in your password for sudo, sudo gives that user account root user rights, to the command, you are running with sudo in front of it.
I will "politely dissent" here and simply suggest that you should not continue to use the first user-ID which (Ubuntu) sets up: instead, set up another one for everyday use.
And, if you "wear many hats," set up as many as you need – one for each "hat." Every single one of them non-privileged.
For instance, when I have to do small-business accounting (ick ...), I log-in as the accountant-user. All of the files needed by the accounting application are located in this user's home directory – and are accessible to no one else. (On my machine, all /home directories have permissions 0x700.)
Since these accounts have no credible reason to be authorized to fly out of a phone-booth, they can't.
Last edited by sundialsvcs; 01-15-2018 at 05:04 PM.
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by sundialsvcs
I will "politely dissent" here and simply suggest that you should not continue to use the first user-ID which (Ubuntu) sets up: instead, set up another one for everyday use...
I'm not sure who your "dissenting" with here sundialsvcs, but to expand upon the point I was trying make in post #2:
On my machine, the only user account that has ANY root privileges is the root user account. I agree with setting up an UN-privileged account for everyday use. I also totally agree with 273. I also follow the "Principle of least privilege" and always do myself.
My point was that, the OP should do as much learning about Linux and best security practices BEFORE worrying about enabling the root user account. I also agree that it would be very wise to setup an account that does not have any permissions from sudo, aka a completely un-privileged user account.
But, you need to remember that your talking to someone that does not seem to have a lot of experience with Linux, un-like yourself. Which is why the OP should be focusing on learning best security practices and about how that can be applied to Linux.
I personally would also say that one un-privileged user account would be more than enough for a stand-alone/home system, that is not a part of any local network and has only an Internet based network connection.
I prefer having separate root and user(s) passwords.
I have never yet seen a convincing security argument for the *buntus' creepy sudo fetish. When I use a *buntu, one of the first things I do is establish a root password.
Not that I have strong feelings about this . . . .
If you want to be proficient with Linux, you need to break it often, and fix it. Single user/owner home pc.... I suggest playing with all features since you are not on a network, split the drive into multiple small partitions or use more than one drive and install more than one copy, do your online banking and sensitive stuff on one secure installation and play on the disposable copies, assuming precious data is stored on a separate "DATA" drive/partition. Storing data in the OS partition is just down right stupid, weak, and will prevent rapid advancement.
If you've been using Mac or Windows and are already accustomed to doing sensitive online activities there, chances are you'll keep doing it there since your already comfortable with that. BREAK YOUR LINUX
I always have root account, sudo requires too much typing, I hate it, don't use it, stopped installing it. All CLI is done as root and have never cried a single tear.
The day Debian denies root access is the day I give Linux the finger and the boot, goodbye Linux.
Last edited by Brains; 01-17-2018 at 12:39 AM.
Reason: Added my "root" thoughts
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.