Is it safe to remove root (and other users') password?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is it safe to remove root (and other users') password?
Hello!
The only one who uses my computer (with Slackware) is me, so i have removed my user's password, so that it doesn't prompt for one when linux starts. I've also removed root's password, so that it doesn't prompt for one when i type 'su'. Then, I've disabled samba and ssh startup daemons.
With this configuration, is my computer safe? Or removing root's password is always a bad idea?
Thanks!
You can avoid a password at boot by configuring to boot into a particular user. You keep your user password for sudo access ... which reduces your need to enter passwords for repeated admin tasks but without leaving a root window open.
You are safe only if you run the computer in complete isolation from the rest of the world: no internet connection, no email, no removable media that has ever been used on another machine, etc.
As soon as you expose the machine to any of those connections to the outside world, you have left your computer open to anyone and any malware that can enter 'root' at a prompt and have root access to your computer.
Last edited by bigrigdriver; 05-17-2007 at 09:17 PM.
Nuts-n-Bolts method from Linuxgazette. I use this method when building computers for other people. (I personally don't mind typing in my user password and startx.)
Properly configured sudo allows passwordless root access. sudo -i equals to root login, sudo -s gives a shell with root rights. You can create a terminal launcher in your desktop with one of these commands. Passwordless sudo is a security risk, though.
Nuts-n-Bolts method from Linuxgazette. I use this method when building computers for other people. (I personally don't mind typing in my user password and startx.)
Properly configured sudo allows passwordless root access. sudo -i equals to root login, sudo -s gives a shell with root rights. You can create a terminal launcher in your desktop with one of these commands. Passwordless sudo is a security risk, though.
Doesn't Ubuntu have this same setup (I don't know off-hand, as I haven't used it)? I believe OS X is doing the same. Dunno if I quite believe in the "protect the user from themselves" mentality, though, but if it keeps people from abusing root, then it can't be all THAT bad.
This is really not that much about protecting users from themselves. It's about keeping the PC secure, avoiding it turned to a spam fountain or a base to perform DoS attacks from, etc.
Despite what I wrote in my previous post, root access without a strong password is insane. One should get into habit typing it in every time root access is needed and take it as inevitable.
This is really not that much about protecting users from themselves. It's about keeping the PC secure, avoiding it turned to a spam fountain or a base to perform DoS attacks from, etc.
Despite what I wrote in my previous post, root access without a strong password is insane. One should get into habit typing it in every time root access is needed and take it as inevitable.
Oh, that comment wasn't directed to you. I was highlighting that it appears to be what the Ubuntu and OS X developers are hinting at. As a long time user of *nix, I know what root is for and why one should be careful when using this account. I also have an inkling of why the privilege structure is the way it is and I'm supporting your thoughts...I was just wondering why certain OSs and distros opt to use sudo and lock or remove the root account.
Ok. I get your point. I'm not an expert linux user, and i thought that by not allowing access to the shell from outside I could avoid everyone from trying to access to my computer a root.
Out of curiosity, how is it possible to control a machine as root without directly accessing to a shell (forgive my "n00biness")?
10% of web servers try to inject malware into your computer;
over 25% of desktop computers are "owned" by criminals.
These are the facts from world press, the real situation may be even worse.
Right now it is Microsoft who is handing criminals their tools, by selling an immature product called Microsoft Windows.
You are relatively safe with your Linux box, but imagine following scenario:
A piece of malicious software exploits a flaw in your web browser. It runs as your user, without elevated rights and can't do much harm as a result. Naturally, it tries to get root access ... it tries everything, also sudo -i and your user is allowed to do it without password ...
Ok. I get your point. I'm not an expert linux user, and i thought that by not allowing access to the shell from outside I could avoid everyone from trying to access to my computer a root.
Out of curiosity, how is it possible to control a machine as root without directly accessing to a shell (forgive my "n00biness")?
Thanks!
Pretty simple, but two methods are (1) exploit security flaws in some publicly available service on the machine or (2) trick or exploit a valid user of the machine into run code of your choice. For example, some network client programs (browsers, mail and IRC clients, etc.) have holes in them that allow a malicious server to cause them to run arbitrary code on the victim's machine. In your setup, since root is totally unprotected, such code can easily elevate its privileges.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.