set up a root password

Joel Oliver joelol75 at verizon.net
Fri Aug 8 18:05:37 UTC 2008


John wrote:
> On Tuesday 05 August 2008 19:16:46 Jerry Gaiser wrote:
>> One of the first things *I* do is give root a password.
>
> Could someone who uses a root account give an actual example of where it is 
> advantageous in comparison to using sudo?
> Is it just down to keystrokes or is there another reason?
>
> Just out of curiosity, what does sudo stand for? I have always assumed it was 
> from "SuperUser do" but could it be from "Switch User (substitute user) do"?
>
> John


Well, I for one set up a root account (by choice).

OK, redirection is borked using sudo.

OK, let's say perhaps you want to back up your menu.lst file in /boot/grub,

so:

$ cd /boot/grub
$ sudo cat menu.lst > menu.lst.bak

(I know, you could just use sudo cp menu.lst menu.lst.bak but my example 
doesn't work...)

Or, you want to add another nameserver to your /etc/resolv.conf file

$ cd /etc
$ sudo echo "nameserver 192.168.1.1" >> resolv.conf

Fails as well.... OK so you can just sudo nano resolv.conf and add it 
and then save it, but again for the example....

Now, I know redirection doesn't work, but unfortunately many bash 
scripters who assume you will run their script under root don't, and I've 
wasted many hours trying to live with sudo and no root password, 
beating my head off walls and having to sudo -i, to the point that you just start 
running sudo -i off the bat.......

And for people who believe having a root password is a huge security 
risk, how about having a user with just as much power...

What I'm trying to say is I feel it is a lot more secure to remove admin 
and sudo privileges from the user and set up a root password, then as 
suggested edit the /etc/ssh/sshd_config file, disable root logins and 
change the port to anything other than the default.... and install fail2ban 
and set it up to thwart script kiddies.

Hopefully they waste all their time trying to logon as root, because it 
is just as secure as having no root password from the outside.

From the inside of the network there is more of a threat, but I've seen 
cleartext user passwords in scripts to start services at one time... And 
playing in a terminal with malicious scripts that have "sudo -rf /etc/*" 
in them, that you run as a regular user soon after using sudo, will run 
without asking you for the password within the timeout period (just an 
example, nobody runs bad scripts).

Plus it kinda gets like Windows Vista's UAC where inexperienced users 
'just click through anything' without paying attention.  I think the 
/etc/sudoers file should NOT have %admin ALL=(ALL) ALL in it.  I am a 
huge supporter of sudo actually (for the GUI stuff, synaptic, what have 
you) but the sudoers file should ONLY allow things on a case by case 
basis and not have godlike power... The Ubuntu way reminds me of MacOSX 
and Windows Vista where a regular user has root power by clicking a 
button or just typing a password.  I want my UNIX/Linux the way it was 
in the beginning... Regular users and root; by using chmod, chown and 
setting groups as needed, security can be improved massively compared to 
a stock Ubuntu install... I can see WHY they did this, as it's for 
Linux newbies as well and they want everything to "work easily, right 
out of the box."  Many newbies would be turned off if Ubuntu was set 
really secure... And secure means secure from the user as well.
strace -oping.out ping google.com
Well all in all I feel that having a root password and having a single 
superuser and stripping the regular user of sudo privilege works better 
for me... In a larger environment where many admins work on a single 
computer; yes, sudo is a better alternative for logging and more 
granularity of privilege.

And for those that feel the Ubuntu way is much safer or more secure 
because of a lack of root, why don't they enable SELinux out of the 
box?  Why is AppArmor not really doing anything by default? No extended 
ACLs, and improper sudo use is also default... Fixing this would surely 
make more of a difference, for argument's sake, than worrying about a root 
password...

Setting up chroot jails around insecure applications is another 
important step. Like all software, OSS software has bugs.  And many 
programs are very complex and are constantly found to have privilege 
escalation exploits.   Samba is one.... If you have all Linux computers, 
why use it?  NFS works just as well and has (in the past anyway) far 
fewer security problems.  PHP and Drupal (isn't all input improperly 
"sanitized"?) and distros setting many programs setuid are asking for 
problems.... Sure, you can stay updated and firewalled the best you can, 
but assume that all software can and will be breached!  Now design your 
security around this fact to minimize damage and 'surface area'.  Many 
programs don't need all the privileges they run with, so use THE BARE 
MINIMUM needed to get the job done and sandbox and firewall the hell out 
of the more accessible ones [Apache (CGI scripts), bind9, Samba, NFS, 
FTP, P2P software, SSH].
 
Don't assume firewalls will stop exploits; they are just another tool 
(yes, an important one...). See http://jerichoforum.org for more on 
de-perimeterization of firewalls.  Back in the old days, to keep people 
off the internet in your corporation, simply blocking ports 80 and 
443 would do the trick.... Now anyone can set up a simple proxy at home 
and surf the web... Or VNC, or VPNs... The firewall boundary is 
fading... Set up your network assuming there is NO firewall and protect 
your services and data the best you can, THEN use a hardware firewall 
forwarding only the ports you need through (not jabbing your server in a 
DMZ), then set up a software firewall (iptables) doing the same; but 
don't put all your eggs into the firewall basket assuming it will stop 
all attacks.... And by God turn off UPnP automatic port-forwards in the 
gateway.

Back on my hatred of setuid programs..  POSIX file capabilities are a 
better way than running as root. The ping command is a good example.  
All you need to do is grant it access to raw sockets (POSIX code 13) and 
you don't need to run ping as root.  Of course there is probably no 
exploit in ping, but why does it need GOD power.... Adding POSIX file 
capabilities in the kernel allows you to run most programs (like ping) 
that need root power as a regular user and NOT using setuid, by granting 
them the specific power they need without giving them FULL root.  Ping 
only needs the power to access raw sockets, but Ubuntu gives the ping 
program the power to delete the entire /etc directory without needing 
sudo....  Scary, ain't it...


OK, going way off topic... But if you want a root account, go for it!  
There are more important security problems to worry about!
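The redirection failures from the post (`sudo cat menu.lst > menu.lst.bak`, `sudo echo ... >> resolv.conf`) and the setuid-versus-capabilities point, shown as an added example that is not part of the original mail. The `SUDO` variable, the function names and the scratch files are assumptions of this example; with `SUDO` set to an empty string the functions run as the current user so they can be tried on a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post. SUDO defaults to "sudo";
# set SUDO= (empty) to exercise the functions as the current user.
SUDO=${SUDO-sudo}

# `sudo cat menu.lst > menu.lst.bak` fails because the caller's
# unprivileged shell opens menu.lst.bak before sudo ever runs. Run the
# whole command line inside a privileged shell instead; the file names
# are passed as positional parameters so they are never re-parsed.
root_copy_file() {
    $SUDO sh -c 'cat "$1" > "$2"' _ "$1" "$2"
}

# `sudo echo ... >> resolv.conf` fails for the same reason: let tee,
# which does run under sudo, do the appending. tee's stdout is dropped
# so the appended line is not echoed back to the terminal.
root_append_line() {
    printf '%s\n' "$2" | $SUDO tee -a "$1" >/dev/null
}

# Returns 0 if FILE carries the setuid bit (it runs with its owner's
# full privileges), 1 otherwise. A ping binary that was given only
# cap_net_raw (capability number 13) with setcap instead of setuid root
# reports 1 here; show_caps prints the capability set when getcap exists.
is_setuid() {
    [ -u "$1" ]
}

show_caps() {
    command -v getcap >/dev/null 2>&1 && getcap "$1"
}

# Stand-alone demo on a scratch copy, touching neither /etc nor /boot.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 10.0.0.1\n' > "$d/resolv.conf"
    SUDO=
    root_append_line "$d/resolv.conf" "nameserver 192.168.1.1"
    root_copy_file "$d/resolv.conf" "$d/resolv.conf.bak"
    cat "$d/resolv.conf.bak"
    rm -rf "$d"
}
```

Checking a real binary is `is_setuid /bin/ping; show_caps /bin/ping`, which tells you whether that system shipped ping as setuid root or with a file capability.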
