Help to get started

Reinhold Rumberger rrumberger at web.de
Fri Nov 12 17:21:20 UTC 2010 

On Friday 12 November 2010, Nils Kassube wrote:
> Reinhold Rumberger wrote:
> > On Tuesday 02 November 2010, Nils Kassube wrote:
> > > shawn wilson wrote:
> > > > However, if ctrl+alt+f1 works and you can login there, do:
> > > > sudo passwd    # set root password
> > > 
> > > Why? Usually there is no real benefit if you set a root
> > > password.
> > 
> > There is. I once pulled a little stunt where a friend of mine
> > went to the toilet and I quickly rebooted his machine into
> > rescue mode and used that to set a root password and create a
> > backdoor account.
> 
> Who needs enemies with friends like you ...

He needed that - he'd fallen for the Ubuntu "no root pwd is more 
secure than having one" bullshit. :-P

<snip>

> IMHO, if your "protection" merely makes it slightly more difficult
> to attack the machine, it is only security theatre but no real
> security.

As I said, for proper security you need a boot password and to make 
sure there's no way of booting off external media.

The real problem is that in our university environment, laptops 
rarely get stolen (somebody you trust can usually keep an eye on your 
machine when you e.g. have to go to the toilet) an there are some 
safeguards in place preventing unauthorised access from the network - 
together with a little firewall that only leaves physical access as 
an attack vector.
Having no root password means you only need a couple of seconds of 
actual access to the machine to give yourself root access, especially 
if ssh is already installed.
With the simple measure of setting a root password, you draw this 
attack out a little. And as time is a big factor here, it *helps*, 
especially if it means the difference between your friend noticing 
the attacker or not.

Obviously it doesn't help a whole lot on it's own, but as a part of 
the little bundle I described above, it'll do a lot in most 
situations.

> If you want to protect your machine from your geek
> "friends" or other determined attackers, an encrypted file system
> might help.

Nah, too much trouble and the only thing it really does is protect 
your data when the machine is stolen. Also, getting your average user 
to encrypt their hard drive (including the root partition) is a bit 
tough. Telling them how to set their root password, change the boot 
order in the BIOS and set BIOS and GRUB passwords is a lot easier and 
will each contribute a little to the overall security. And they 
combine well to protect against the physical attack vector.

That said, it kind of depends what the attacker is "determined" to do 
- get your data or get an account on the system for various purposes. 
Protecting data is as simple as using gpg. The rest is a lot harder 
to guard against.

> > > If you need a root shell, you can use e.g.
> > > 
> > > sudo su
> > > 
> > > instead.
> > 
> > I prefer "sudo su -" as that will set a proper root environment
> > and not leave stuff like $HOME pointing to your home directory,
> > mucking up permissions on settings files.
> 
> Sorry, I don't see your point - "sudo su" sets $HOME to /root
> which is the proper value for a root shell.

I confused it with simple sudo usage. For more detail on the 
advantage of adding the dash, see man su. The short version is that 
it is closer to dropping to a tty and logging in from there.

  --Reinhold

More information about the kubuntu-users mailing list