About root account and sudo

John dingo at coco2.arach.net.au
Tue Sep 21 12:42:03 UTC 2004


Felipe Alfaro Solana wrote:

> Hello,
>
> I have tried Ubuntu Linux and have found the root account is disabled 
> by default, and that the use of "sudo" is encouraged, instead.
>
> However, I think that using "sudo" brings in some security 
> implications that make it dangerous. By default, in Ubuntu Linux, you 
> can gain superuser privileges by running "sudo" and then entering your 
> own password (the same password you used at login to gain access to 
> your user account). I think this is insecure: the user enters their own 
> password, not the superuser password (which should be a different 
> password). Thus, if the user's password gets compromised, not only their 
> user account gets compromised, but also root access: a hacker can gain 
> access to the user account (as she knows the password), then use 
> "sudo" to gain root privileges.
>
> So, the first thing I did after installing Ubuntu Linux, was "sudo 
> passwd root", then removing myself entirely from "/etc/sudoers". Now, 
> since my user and root passwords are totally different, if my user 
> account gets compromised, I don't fear the intruder can easily gain 
> root access.
>
>
I suggest:
1. You pick a better password ;-)
2. During install, create an account you plan to use for admin.
3. Post install, create accounts for you, your wife, your girlfriend, your boyfriend (is there anyone else to insult?), your cat, dog and budgie.
4. Don't tell your wife, your girlfriend, your boyfriend, your cat, dog or budgie the admin password.
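
The following is an added example, not part of either message: a small audit that checks whether the setup suggested in the reply above actually holds, i.e. that only the designated admin account can reach root through sudo. The account names (sysadmin, alice, bob), the %admin sudoers entry and the sample file contents are assumptions constructed for illustration.

```python
# Constructed sample files; the account names and the %admin group entry
# are assumptions for illustration, not taken from a real system.
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
GROUP = """\
admin:x:110:sysadmin
users:x:100:alice,bob
"""
PASSWD = """\
root:x:0:0::/root:/bin/bash
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
"""

def sudo_capable(sudoers, group, passwd):
    """Accounts named by plain user or %group entries in sudoers.
    Aliases and #include files are not resolved (simplification)."""
    members, gid_name = {}, {}
    for line in filter(None, group.splitlines()):
        name, _, gid, users = line.split(":")
        members[name] = {u for u in users.split(",") if u}
        gid_name[gid] = name
    # The primary group (passwd field 4) counts as membership too.
    for line in filter(None, passwd.splitlines()):
        fields = line.split(":")
        if fields[3] in gid_name:
            members[gid_name[fields[3]]].add(fields[0])
    capable = set()
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who = line.split()[0]
        if who.startswith("Defaults") or who.endswith("_Alias"):
            continue
        if who.startswith("%"):
            capable |= members.get(who[1:], set())
        else:
            capable.add(who)
    return capable

def unexpected_admins(capable, allowed=("root", "sysadmin")):
    """Sudo-capable accounts other than the designated admin ones."""
    return sorted(capable - set(allowed))
```

On a real system the three strings would be read from /etc/sudoers, /etc/group and /etc/passwd; a non-empty result from unexpected_admins means a day-to-day account has sudo rights.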





