Fwd: Do we support enabling the root account?

Bill Day williamson.day at gmail.com
Sat Mar 7 16:59:11 UTC 2009


OK, guys, voice of the relatively unsophisticated user, here, if not
the newbie.  Some applications expect/require root access, such as
webmin and SWAT.  Bacula even expects root access over ssh.  The easy
answer, of course, is "Don't use those applications!" ("Doctor, it
hurts when I lift my arm." "Don't lift your arm!")  Is there a more
nuanced answer that still protects the root account?

Bill Day

On Sat, Mar 7, 2009 at 10:31 AM, Connor Imes <rocket2dmn at ubuntu.com> wrote:
> Thanks for the feedback guys, a few notes below as my followup.  Please
> let me know what you think.
>
> Gilbert Mendoza wrote:
>> I agree with Phil in that education on the matter is most appropriate.
>>
>> The explanation of the root account is also discussed in section 8.1.1
>> of the Ubuntu Server Guide.  By having the root account unlocked, it
>> doesn't make your system less secure; many feel it's just not best
>> practice.  Especially in a server environment with multiple
>> administrators, since there would be less accountability when the root
>> account is used because it could have been any one of the admins that
>> know the root password.  With sudo, you have effectively tied specific
>> user accounts to elevated actions, and no one should know that
>> password except the user in question.
>>
> In the case of servers, I believe having a root account serves more of
> a purpose than when using a desktop system.  The ability to configure
> sudo for specific actions is what makes it great, and you don't have to
> hand out the keys to the kingdom to anybody who needs to perform
> administrative action.
>> Locking the root account also does not prevent all local and remote
>> privilege escalation attacks, and certainly can be enabled with
>> minimal risk as long as the administrator is preventing remote
>> services from logging in with that particular account.  e.g. Disable
>> SSH root access.
>>
> This is true, but we are generally talking about desktop systems which
> don't have ssh enabled.  Adding documentation on securing root could
> take a whole other wiki page.  Again, just because it can be done does
> not mean we should support it.
>> There's also an argument out there that using sudo by itself isn't
>> best practice, since administrators are typically encouraged to use
>> two accounts; one for day to day usage, and the other for
>> administrative tasks.  By default, Ubuntu gives the first user only
>> one account with sudo privileges, so if that password is ever
>> compromised, you have essentially rooted the box anyway.  A paranoid
>> security guy would keep the root account locked for
>> accountability purposes and create two users per administrator; one
>> non-privileged for typical usage, and another that has sudo
>> privileges.
>>
> I think that argument is an interesting point of view, and definitely
> has merits.  It sounds like what you're saying would support keeping the
> root account disabled, which is what Ubuntu advocates.  Either way,
> Ubuntu had chosen to use sudo as its best-practices method of
> administration.  If a sudo password is compromised, then yes, the system
> is at risk, but hopefully that account only has the sudo privileges that
> it needs to perform its tasks, not sudo ALL.  The original system
> account would also need to have its privileges curbed when appropriate.
>> The theory behind the two accounts is that you limit the number of
>> locations from which you access your administrative account.  This may
>> help limit the exposure of administrative password by key loggers at
>> remote sites, etc.  Another would be so that it forces admins to use
>> that account with a bit more care and prevent mistakes.  All in all,
>> it's all about how far you want to take it, and hopefully strike an
>> even balance between usability and security.
>>
>> I just don't think taking an alarmist approach is the most effective
>> method.  If anything it may lead to a false sense of security.
>>
> I don't mean to be alarmist, I'm just worried that providing information
> on how to enable root may lead some users to do it who don't need it.
> The Windows mindset has users already logged in with a privileged
> account, and historically has not asked for confirmation when doing
> administrative tasks (though this does seem to be changing a bit).  We
> should most definitely educate them on why root is not needed, but we
> don't have to show them how.
>> Thanks,
>>
>> --
>> Gilbert Mendoza
>> PGP: 0x7403B303
>> Email: gmendoza at gmail.com
>> http://www.savvyadmin.com
>> https://launchpad.net/~gmendoza
>> https://wiki.ubuntu.com/GilbertMendoza
>>
>>
>>
>> On Sat, Mar 7, 2009 at 3:17 AM, Phil Bull <philbull at gmail.com> wrote:
>>
>>> I think that we should document this, but provide a strong, justified
>>> warning to discourage users from actually enabling the root account.
>>> I'd rather that users get the information from us, where they will be
>>> properly informed about the security risk, than from a third-party
>>> website, where they may not. If they read the warnings and still
>>> decide to enable root, anything that goes wrong is their own fault and
>>> there's not much we can do about it.
>>>
> Hi Phil,
> Again, I highly support educating users, but if they have already found
> the RootSudo page in their search, then the explanations about using
> sudo rather than root are there.  Hopefully they would read it.  I would
> be afraid that users would simply jump down the page to where the
> command is listed without reading all the security warnings.  Because
> let's be honest, when most people think they want something, they aren't
> going to read through a wiki page to try and find out why they shouldn't
> do what they want.  I'm as guilty of that as most.
>>> Thanks,
>>>
>>> Phil
>>>
>>> --
>>> Phil Bull
>>>
>>> --
>>> ubuntu-doc mailing list
>>> ubuntu-doc at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc
>>>
>>>



--
Bill Day
williamson.day at gmail.com
PGP Fingerprint: EE5D DE55 9EF1 E012 7417
A5F1 1D7D 0847 7785 1146
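
The three conditions raised in the thread above (root password locked, SSH root login disabled, sudo grants narrower than ALL) can be checked mechanically. The following is an added example, not part of the original messages; the sample file contents are constructed, and the sudoers check is a simplified heuristic rather than a full sudoers parser.

```python
import re

# Constructed sample inputs (not taken from any real host).
SHADOW = "root:!:14310:0:99999:7:::\nbill:$6$CONSTRUCTED$PLACEHOLDER:14310:0:99999:7:::\n"
SSHD_CONFIG = ("# constructed sample\nPort 22\nPermitRootLogin no\n"
               "Match User backup\n  PermitRootLogin forced-commands-only\n")
SUDOERS = """# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def root_password_state(shadow_text):
    """Classify root's password field: 'locked', 'empty', 'set' or 'missing'."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            pw = fields[1]
            if pw.startswith(("!", "*")):   # '!' or '*' means no password can match
                return "locked"
            return "set" if pw else "empty"
    return "missing"

def global_permit_root_login(sshd_text):
    """Return the first global PermitRootLogin value, or None if unset.
    sshd keeps the first value it reads; Match blocks are not evaluated here."""
    for line in sshd_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() == "match":     # end of the global section
            break
        if words[0].lower() == "permitrootlogin" and len(words) > 1:
            return words[1].lower()
    return None

def unrestricted_sudo(sudoers_text):
    """Heuristic: non-root users/groups whose command list contains ALL."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", line)
        if not m or m.group(1) == "Defaults" or m.group(1).endswith("_Alias"):
            continue
        # Drop tags such as NOPASSWD: before comparing each command entry.
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in m.group(2).split(",")]
        if "ALL" in cmds and m.group(1) != "root":
            found.append(m.group(1))
    return found
```

On the constructed samples this reports root as locked, a global PermitRootLogin of "no", and %admin as the only non-root entry with unrestricted sudo.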




