Assigning ROOT a password

Larry Hartman larryhartman50 at vzavenue.net
Tue Apr 29 23:55:27 UTC 2008


On Monday 28 April 2008 06:35:09 pm Derek Broughton wrote:
> Larry Hartman wrote:
> > On Monday 28 April 2008 07:14:28 am Derek Broughton wrote:
> >> Larry Hartman wrote:
> >> >> The reason for not having a root password is to prevent the
> >> >> software that is used to crack passwords from being able
> >> >> to get to your system.
> >> >
> >> > huh?  I am dizzified by this statement.
> >>
> >> If you know a username on the system, you're halfway to cracking an
> >> account. Having a user named "root" is just silly.
> >
> > Ok, I think this brings me full circle back to another post I made on
> > same thread....are you really saying that the root account is disabled,
> > vice
>
> "versus", please.  I try not to criticize language, but three times is
> enough :-)

supercalifragialisticexpialadocious! (I probably spelled it wrong)

I thought versus when I wrote, but I was getting a wee bit tired and for the 
life of me couldn't remember how to spell it.....so I went with my good ol' 
standby versus "versus".


>
> > saying that the root account is enabled but without a password?
>
> I'm not really sure there's a difference.  There _is_ a root account, you
> can not login to it, it has no password, and it's marked as disabled.
>

I did some investigation and saw this.  So the account is disabled....hence 
doesn't matter about password or not.

> >> > Seems counterintuitive to all that I have been taught about user
> >> > account
> >> > security.  I can hear the MS sys admins hollering now, use a 16-digit,
> >> > random, 4 special characters, 4 lower-case, 4 upper-case, and 4
> >> > numbers password!
> >> >
> >> > If the above is the case, it leads to the next question, why assign
> >> > any passwords for other usernames?
> >>
> >> Sorry Larry, I just can't parse a meaningful question out of that.
> >> Who "assigns" passwords?  What does MS have to do with the question of
> >> what's a safe password (I was hearing these sorts of suggestions before
> >> any
> >> of us had a Windows computer)?  And what does the complexity of the
> >> password have to do with whether it's root's password or a user's?
> >
> > This question is linked to the one I just asked above.  If root account
> > exists but has no password, then my thinking suggests that it would not
> > matter if a user with sudo privileges has a password or not, despite how
> > complex it is.
>
> I'm afraid I still don't see your point.  A user with full sudo access (by
> default only the first account Ubuntu creates) can get to a root shell
> ("sudo -i"), so the complexity of _that_ user's password certainly matters,
> but root's password (or lack of it) is irrelevant to sudo.
>

My point only had meaning under the assumption of an enabled root account.  
Why lock the back door if the front door has a gaping hole?  But this point 
died when I realized and was simultaneously told that the root account is 
disabled.

> > This makes sense in light of my second comment on this same email.
> > Prohibit any root account access, force all access through individual
> > users, now you have an audit trail.
>
> That's the idea.
>
> > This works until one considers accessing the system in failsafe mode,
> > which
> > appears to have root access w/o password.  So in failsafe mode root
> > account
> > is enabled?  Could someone remotely reboot system and go into failsafe
> > from that remote location?
>
> I can't say I've tried it, but I'd hate to think so. "failsafe" to me
> suggests no network connectivity.  You can also always get to root from
> the "single user" logon - but it means you must have physical access to the
> machine.
> --

A little more awake now, yeah that makes sense, even if a person could 
remotely restart your machine, the kernel has not booted enough to start the 
networking devices in order for a remote selection of failsafe to take place.

Now that I have been running Kubuntu for almost two years, I find it a good 
thing to start thinking through the mechanics of system security.

I appreciate your help.

Larry
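
The distinction worked out in this thread (a root account that is disabled versus one that is enabled but has no password) is visible in the second field of a shadow(5) entry. The following is an added example, not part of the original post: a small shell check that classifies that field. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format entries.
# SAMPLE is constructed data, not taken from any real system.
SAMPLE='root:!:13997:0:99999:7:::
larry:$6$constructedsalt$constructedhash:13997:0:99999:7:::
guest::13997:0:99999:7:::
olduser:!$6$constructedsalt$constructedhash:13997:0:99999:7:::
daemon:*:13997:0:99999:7:::'

classify_shadow_line() {
    # $1 = one entry in shadow(5) format: name:password:lastchg:...
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')
            # Enabled with no password: nothing to type at login
            # (whether login is accepted also depends on PAM, e.g. nullok).
            echo "empty" ;;
        '!'|'!!'|'*')
            # No usable hash at all: password login is impossible.
            echo "locked" ;;
        '!'*)
            # A real hash with a lock prefix; unlocking restores it.
            echo "locked-with-hash" ;;
        *)
            # A password hash is set; its strength is what matters.
            echo "password-set" ;;
    esac
}

account_state() {
    # $1 = account name; shadow-format text is read from stdin.
    line=$(awk -F: -v u="$1" '$1 == u { print; exit }')
    if [ -z "$line" ]; then
        echo "no-such-account"
    else
        classify_shadow_line "$line"
    fi
}

# Report every account in the constructed sample.
for user in root larry guest olduser daemon; do
    printf '%-8s %s\n' "$user" \
        "$(printf '%s\n' "$SAMPLE" | account_state "$user")"
done
```

On a real machine the same function can read the live file, for example `sudo cat /etc/shadow | account_state root`; an "empty" result for any account is the case worth fixing.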




