LinuxQuestions.org
Old 05-16-2007, 05:22 AM   #1
simopal6
Member
 
Registered: Jun 2006
Location: Italy
Distribution: Slackware 13.1
Posts: 230

Rep: Reputation: 30
Is it safe to remove root (and other users') password?


Hello!
The only one who uses my computer (with Slackware) is me, so I have removed my user's password, so that it doesn't prompt for one when Linux starts. I've also removed root's password, so that it doesn't prompt for one when I type 'su'. Then, I've disabled the samba and ssh startup daemons.
With this configuration, is my computer safe? Or is removing root's password always a bad idea?
Thanks!
 
Old 05-16-2007, 05:41 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Always.

You can avoid a password at boot by configuring to boot into a particular user. You keep your user password for sudo access ... which reduces your need to enter passwords for repeated admin tasks but without leaving a root window open.
 
Old 05-16-2007, 06:13 AM   #3
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 356
Quote:
With this configuration, is my computer safe?
You are safe only if you run the computer in complete isolation from the rest of the world: no internet connection, no email, no removable media that has ever been used on another machine, etc.

As soon as you expose the machine to any of those connections to the outside world, you have left your computer open to anyone and any malware that can enter 'root' at a prompt and have root access to your computer.

Last edited by bigrigdriver; 05-17-2007 at 09:17 PM.
 
Old 05-16-2007, 06:18 AM   #4
masonm
Senior Member
 
Registered: Mar 2003
Location: Following the white rabbit
Distribution: Slackware64 -current
Posts: 2,300

Rep: Reputation: 90
No, it isn't safe. You have effectively defeated the primary security of your system. You may as well be running Windows.
 
Old 05-16-2007, 08:00 AM   #5
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
Nuts-n-Bolts method from Linuxgazette. I use this method when building computers for other people. (I personally don't mind typing in my user password and startx.)
Properly configured sudo allows passwordless root access.
sudo -i is equivalent to a root login; sudo -s gives a shell with root rights. You can create a terminal launcher on your desktop with one of these commands. Passwordless sudo is a security risk, though.
 
Old 05-16-2007, 08:59 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by Emerson
Nuts-n-Bolts method from Linuxgazette. I use this method when building computers for other people. (I personally don't mind typing in my user password and startx.)
Properly configured sudo allows passwordless root access.
sudo -i is equivalent to a root login; sudo -s gives a shell with root rights. You can create a terminal launcher on your desktop with one of these commands. Passwordless sudo is a security risk, though.
Doesn't Ubuntu have this same setup (I don't know off-hand, as I haven't used it)? I believe OS X is doing the same. Dunno if I quite believe in the "protect the user from themselves" mentality, though, but if it keeps people from abusing root, then it can't be all THAT bad.
 
Old 05-16-2007, 09:19 AM   #7
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
This is really not that much about protecting users from themselves. It's about keeping the PC secure, avoiding it being turned into a spam fountain or a base to perform DoS attacks from, etc.
Despite what I wrote in my previous post, root access without a strong password is insane. One should get into the habit of typing it in every time root access is needed and take it as inevitable.
 
Old 05-16-2007, 10:37 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by Emerson
This is really not that much about protecting users from themselves. It's about keeping the PC secure, avoiding it being turned into a spam fountain or a base to perform DoS attacks from, etc.
Despite what I wrote in my previous post, root access without a strong password is insane. One should get into the habit of typing it in every time root access is needed and take it as inevitable.
Oh, that comment wasn't directed to you. I was highlighting that it appears to be what the Ubuntu and OS X developers are hinting at. As a long time user of *nix, I know what root is for and why one should be careful when using this account. I also have an inkling of why the privilege structure is the way it is and I'm supporting your thoughts...I was just wondering why certain OSs and distros opt to use sudo and lock or remove the root account.
 
Old 05-17-2007, 02:31 AM   #9
simopal6
Member
 
Registered: Jun 2006
Location: Italy
Distribution: Slackware 13.1
Posts: 230

Original Poster
Rep: Reputation: 30
Ok. I get your point. I'm not an expert Linux user, and I thought that by not allowing access to the shell from outside I could keep everyone from trying to access my computer as root.

Out of curiosity, how is it possible to control a machine as root without directly accessing a shell (forgive my "n00biness")?

Thanks!
 
Old 05-17-2007, 08:35 AM   #10
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
10% of web servers try to inject malware into your computer;
over 25% of desktop computers are "owned" by criminals.
These are the facts from world press, the real situation may be even worse.

Right now it is Microsoft who is handing criminals their tools, by selling an immature product called Microsoft Windows.
You are relatively safe with your Linux box, but imagine the following scenario:
A piece of malicious software exploits a flaw in your web browser. It runs as your user, without elevated rights and can't do much harm as a result. Naturally, it tries to get root access ... it tries everything, also sudo -i and your user is allowed to do it without a password ...
 
Old 05-17-2007, 09:11 AM   #11
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Password-less root login?

Kin I have yer IP address, please???
 
Old 05-19-2007, 02:43 PM   #12
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
Quote:
Originally Posted by simopal6
Ok. I get your point. I'm not an expert Linux user, and I thought that by not allowing access to the shell from outside I could keep everyone from trying to access my computer as root.

Out of curiosity, how is it possible to control a machine as root without directly accessing a shell (forgive my "n00biness")?

Thanks!
Pretty simple, but two methods are (1) exploit security flaws in some publicly available service on the machine or (2) trick or exploit a valid user of the machine into running code of your choice. For example, some network client programs (browsers, mail and IRC clients, etc.) have holes in them that allow a malicious server to cause them to run arbitrary code on the victim's machine. In your setup, since root is totally unprotected, such code can easily elevate its privileges.
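
A defender-side check for the two weaknesses discussed in this thread (an empty password field for root or a user, and passwordless sudo), as an added example that is not part of any post. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit for passwordless accounts and sudo.

# List accounts with an empty password field (field 2) in a passwd- or
# shadow-format file. Empty means no password is needed; "!" or "*" means locked.
empty_password_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# List active sudoers rules carrying the NOPASSWD tag (comment lines skipped).
nopasswd_rules() {
    awk '!/^[ \t]*#/ && /NOPASSWD[ \t]*:/' "$@"
}

# Constructed sample files; account names and the hash are placeholders.
write_samples() {
    dir=$1
    cat > "$dir/shadow" <<'EOF'
root::13649:0:99999:7:::
bin:*:13000:0:99999:7:::
simo::13649:0:99999:7:::
alice:$1$CONSTRUCTED$placeholderhash:13649:0:99999:7:::
EOF
    cat > "$dir/sudoers" <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
simo ALL=(ALL) NOPASSWD: ALL
EOF
}

# Report findings for one shadow file and one or more sudoers files.
# Returns 0 only when neither weakness is present.
audit() {
    shadow=$1; shift
    bad_accounts=$(empty_password_accounts "$shadow")
    bad_rules=$(nopasswd_rules "$@")
    [ -n "$bad_accounts" ] && printf 'empty password: %s\n' $bad_accounts
    [ -n "$bad_rules" ] && printf 'passwordless sudo: %s\n' "$bad_rules"
    [ -z "$bad_accounts$bad_rules" ]
}

# Run against the constructed samples so the script works without root.
tmp=$(mktemp -d)
write_samples "$tmp"
audit "$tmp/shadow" "$tmp/sudoers" || echo "findings above need fixing"
rm -rf "$tmp"
```

On a real system, point `audit` at `/etc/shadow` (readable only by root) and at `/etc/sudoers` plus any files under `/etc/sudoers.d`.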
 
  

