Do we support enabling the root account?

Connor Imes rocket2dmn at ubuntu.com
Sat Mar 7 15:31:29 UTC 2009


Thanks for the feedback guys, a few notes below as my followup.  Please 
let me know what you think.

Gilbert Mendoza wrote:
> I agree with Phil in that education on the matter is most appropriate.
>
> The explanation of the root account is also discussed in section 8.1.1
> of the Ubuntu Server Guide.  By having the root account unlocked, it
> doesn't make your system less secure; many feel it's just not best
> practice.  Especially in a server environment with multiple
> administrators, since there would be less accountability when the root
> account is used because it could have been any one of the admins that
> know the root password.  With sudo, you have effectively tied specific
> user accounts to elevated actions, and no one should know that
> password except the user in question.
>   
In the case of servers, I believe having a root account serves more of 
a purpose than when using a desktop system.  The ability to configure 
sudo for specific actions is what makes it great, and you don't have to 
hand out the keys to the kingdom to anybody who needs to perform 
administrative action.
> Locking the root account also does not prevent all local and remote
> privilege escalation attacks, and certainly can be enabled with
> minimal risk as long as the administrator is preventing remote
> services from logging in with that particular account.  e.g. Disable
> SSH root access.
>   
This is true, but we are generally talking about desktop systems which 
don't have ssh enabled.  Adding documentation on securing root could 
take a whole other wiki page.  Again, just because it can be done does 
not mean we should support it.
> There's also an argument out there that using sudo by itself isn't
> best practice, since administrators are typically encouraged to use
> two accounts; one for day to day usage, and the other for
> administrative tasks.  By default, Ubuntu gives the first user only
> one account with sudo privileges, so if that password is ever
> compromised, you have essentially rooted the box anyway.  A paranoid
> security guy would be to keep the root account locked for
> accountability purposes and create two users per administrator; one
> non-privileged for typical usage, and another that has sudo
> privileges.
>   
I think that argument is an interesting point of view, and definitely 
has merits.  It sounds like what you're saying would support keeping the 
root account disabled, which is what Ubuntu advocates.  Either way, 
Ubuntu had chosen to use sudo as its best-practices method of 
administration.  If a sudo password is compromised, then yes, the system 
is at risk, but hopefully that account only has the sudo privileges that 
it needs to perform its tasks, not sudo ALL.  The original system 
account would also need to have its privileges curbed when appropriate.
> The theory behind the two accounts is that you limit the number of
> locations from which you access your administrative account.  This may
> help limit the exposure of administrative password by key loggers at
> remote sites, etc.  Another would be so that it forces admins to use
> that account with a bit more care and prevent mistakes.  All in all,
> it's all about how far you want to take it, and hopefully strike an
> even balance between usability and security.
>
> I just don't think taking an alarmist approach is the most effective
> method.  If anything it may lead to a false sense of security.
>   
I don't mean to be alarmist, I'm just worried that providing information 
on how to enable root may lead some users to do it who don't need it.  
The Windows mindset has users already logged in with a privileged 
account, and historically has not asked for confirmation when doing 
administrative tasks (though this does seem to be changing a bit).  We 
should most definitely educate them on why root is not needed, but we 
don't have to show them how.
> Thanks,
>
> --
> Gilbert Mendoza
> PGP: 0x7403B303
> Email: gmendoza at gmail.com
> http://www.savvyadmin.com
> https://launchpad.net/~gmendoza
> https://wiki.ubuntu.com/GilbertMendoza
>
>
>
> On Sat, Mar 7, 2009 at 3:17 AM, Phil Bull <philbull at gmail.com> wrote:
>   
>> I think that we should document this, but provide a strong, justified
>> warning to discourage users from actually enabling the root account.
>> I'd rather that users get the information from us, where they will be
>> properly informed about the security risk, than from a third-party
>> website, where they may not. If they read the warnings and still
>> decide to enable root, anything that goes wrong is their own fault and
>> there's not much we can do about it.
>>     
Hi Phil,
Again, I highly support educating users, but if they have already found 
the RootSudo page in their search, then the explanations about using 
sudo rather than root are there.  Hopefully they would read it.  I would 
be afraid that users would simply jump down the page to where the 
command is listed without reading all the security warnings.  Because 
let's be honest, when most people think they want something, they aren't 
going to read through a wiki page to try and find out why they shouldn't 
do what they want.  I'm as guilty of that as most.
>> Thanks,
>>
>> Phil
>>
>> --
>> Phil Bull
>>
>> --
>> ubuntu-doc mailing list
>> ubuntu-doc at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc
>>
>>     
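
Added example (not part of the original thread or of any Ubuntu documentation): a small audit of the three settings the messages above discuss, namely whether root's password is locked, whether sshd permits root logins, and which sudoers rules grant ALL rather than specific commands. The sample file contents are constructed, and the sudoers parser is a simplification that ignores aliases, includes and line continuations.

```python
import re

# Constructed sample files (not from any real host).
SHADOW = "root:!:14310:0:99999:7:::\nalice:$6$salt$constructedhash:14310:0:99999:7:::\n"
SSHD_CONFIG = "# constructed\nPort 22\npermitrootlogin yes\nPermitRootLogin no\n"
SUDOERS = """Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync, /bin/tar
"""

def root_locked(shadow):
    """True if root's password field starts with '!' or '*' (no password login)."""
    for line in shadow.splitlines():
        f = line.split(":")
        if f[0] == "root" and len(f) > 1:
            return f[1].startswith(("!", "*"))
    return None  # no root entry found

def ssh_root_login(sshd):
    """Global PermitRootLogin value; sshd uses the first occurrence of a keyword."""
    for line in sshd.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0].lower() == "match":   # simplification: ignore Match blocks
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return None  # unset: the default depends on the OpenSSH version

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def sudo_all_grants(sudoers):
    """Users/groups other than root whose rule allows the command ALL.
    Simplified parser: no aliases, includes or line continuations."""
    found = []
    for line in map(str.strip, sudoers.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = SPEC.match(line)
        if m:
            cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip()) for c in m.group(2).split(",")]
            if "ALL" in cmds and m.group(1) != "root":
                found.append(m.group(1))
    return found

if __name__ == "__main__":
    print("root locked:", root_locked(SHADOW))
    print("PermitRootLogin:", ssh_root_login(SSHD_CONFIG))
    print("sudo ALL granted to:", sudo_all_grants(SUDOERS))
```

An empty password field in the shadow sample would report as not locked, which is the case worth catching first.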




