Assigning ROOT a password

Derek Broughton news at pointerstop.ca
Tue Apr 29 01:35:09 UTC 2008


Larry Hartman wrote:

> On Monday 28 April 2008 07:14:28 am Derek Broughton wrote:
>> Larry Hartman wrote:
>> >> The reason for not having a root password is to prevent the
>> >> software that is used to crack passwords from being able
>> >> to get to your system.
>> >
>> > huh?  I am dizzified by this statement.
>>
>> If you know a username on the system, you're halfway to cracking an
>> account. Having a user named "root" is just silly.
>>
> 
> Ok, I think this brings me full circle back to another post I made on same
> thread....are you really saying that the root account is disabled, vice

"versus", please.  I try not to criticize language, but three times is
enough :-)

> saying that the root account is enabled but without a password?

I'm not really sure there's a difference.  There _is_ a root account, you
can not login to it, it has no password, and it's marked as disabled.
> 
>> > Seems counterintuitive to all that I have been taught about user
>> > account security.  I can hear the MS sys admins hollering now, use a
>> > 16-digit, random, 4 special characters, 4 lower-case, 4 upper-case, and
>> > 4 numbers password!
>> >
>> > If the above is the case, it leads to the next question, why assign any
>> > passwords for other usernames?
>>
>> Sorry Larry, I just can't parse a meaningful question out of that.
>> Who "assigns" passwords?  What does MS have to do with the question of
>> what's a safe password (I was hearing these sorts of suggestions before
>> any of us had a Windows computer)?  And what does the complexity of the
>> password have to do with whether it's root's password or a user's?
>>
> 
> This question is linked to the one I just asked above.  If root account
> exists but has no password, then my thinking suggests that it would not
> matter if a user with sudo privileges has a password or not, despite how
> complex it is.

I'm afraid I still don't see your point.  A user with full sudo access (by
default only the first account Ubuntu creates) can get to a root shell
("sudo -i"), so the complexity of _that_ user's password certainly matters,
but root's password (or lack of it) is irrelevant to sudo.

> This makes sense in light of my second comment on this same email. 
> Prohibit any root account access, force all access through individual
> users, now you have an audit trail.

That's the idea.

> This works until one considers accessing the system in failsafe mode,
> which appears to have root access w/o password.  So in failsafe mode root
> account is enabled?  Could someone remotely reboot system and go into
> failsafe from that remote location?

I can't say I've tried it, but I'd hate to think so. "failsafe" to me
suggests no network connectivity.  You can also always get to root from
the "single user" logon - but it means you must have physical access to the
machine.
-- 
derek
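The "disabled versus no password" question in the thread comes down to what sits in the second field of the account's /etc/shadow entry, and whether the sudo-capable users have a real hash there. The script below is an added example, not part of the mailing-list exchange: it classifies constructed sample shadow lines the way `passwd -S` does (L locked, NP no password, P usable password) and then lists members of a constructed `sudo` group whose status is anything other than P, since those are the accounts that can reach a root shell with `sudo -i`. The user names, hash placeholder and group line are all made up for the example.

```shell
#!/bin/sh
# Added example: classify /etc/shadow password fields and audit the sudo group.
# Shadow format: name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   ""            -> NP: no password at all; login with an empty password works
#                    only if pam_unix is configured with nullok (not the default)
#   "*" or "!..." -> L : locked; no password can ever hash to this value
#                    (this is how Ubuntu ships root: present, but unusable)
#   anything else -> P : a real hash, so the strength of that password matters

# Constructed sample data standing in for /etc/shadow and /etc/group.
# The $6$... value is a placeholder, not a real hash.
SAMPLE_SHADOW='root:*:17649:0:99999:7:::
larry:$6$saltsalt$notarealhashjustaplaceholder:17649:0:99999:7:::
guest::17649:0:99999:7:::
svc:!:17649:0:99999:7:::'
SAMPLE_GROUP='sudo:x:27:larry,guest'

# shadow_class LINE -> prints L, NP, P, or UNKNOWN for an empty line
shadow_class() {
    line=$1
    [ -n "$line" ] || { echo UNKNOWN; return; }
    rest=${line#*:}          # drop "name:"
    hash=${rest%%:*}         # keep up to the next ":"
    case $hash in
        '')       echo NP ;;
        '*'|'!'*) echo L ;;
        *)        echo P ;;
    esac
}

# shadow_line USER -> the sample shadow entry for USER (empty if absent)
shadow_line() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1==u'
}

# status_of USER -> classification of USER's password field
status_of() {
    shadow_class "$(shadow_line "$1")"
}

# sudo_members -> one member of the "sudo" group per line (4th group field)
sudo_members() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: '$1=="sudo"{print $4}' | tr ',' '\n'
}

# unsafe_sudo_members -> "user STATUS" for every sudo member without a usable
# password; these accounts reach "sudo -i" without a secret of their own.
unsafe_sudo_members() {
    for u in $(sudo_members); do
        s=$(status_of "$u")
        [ "$s" = P ] || echo "$u $s"
    done
}

# Stand-alone report over the sample data.
for u in root larry guest svc; do
    echo "$u: $(status_of "$u")"
done
echo "sudo members lacking a usable password:"
unsafe_sudo_members
```

On a live Ubuntu system the same classification is what `passwd -S root` and `passwd -S <user>` report, and `getent group sudo` gives the real member list; the point the example makes is that root showing L is harmless, while any sudo member showing NP is the thing to fix.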