A way to mess up recovery mode logins! Comments please?

Colin Watson cjwatson at ubuntu.com
Mon Jan 16 19:02:32 UTC 2006


On Mon, Jan 16, 2006 at 01:45:13PM -0500, Phillip Susi wrote:
> Colin Watson wrote:
> >There's nothing wrong with wanting to set a root password.
> 
> There is no reason to set a root password.

Lots of people want to do this for reasons of site policy, mistrust of
complicated authentication frameworks, desire to ensure that people
cannot log in remotely as root, or a variety of other reasons. We
omitted the root password question from the Ubuntu installer and
defaulted to sudo because it was one more question whose answer people
would need to remember and we thought this could be eliminated, not
because we thought logging in as root should be forbidden.

In addition, if you set BIOS and bootloader passwords to stop people
using the init=/bin/sh trick, then you most certainly do want to set a
root password too, otherwise your protection can be bypassed any time a
filesystem error causes the system to fail fsck. (It is indeed possible
for somebody with physical access to defeat even these checks by pulling
out the hard disk, but in many environments using the above protections
this will be caught on closed-circuit TV cameras.)

> >The root password is locked to start with, and yet recovery mode works
> >there.
> 
> Maybe my system is a bit different because I didn't install in the usual 
> way due to using unsupported sata fakeraid, but I have NO root password, 
> so if I switch to a text terminal, I can login as root just fine.

All versions of the Ubuntu installer since before Warty have used code
similar to the following in the default install path:

  echo 'root:*' | chpasswd -e

> >"No root password" is the same as "locked root account", except for the
> >precise details of the locking.
> 
> No, there is a HUGE difference.  In the former case anyone can login as 
> root ( on a secure terminal ), in the latter, nobody can.

(OK, I misinterpreted what you meant by "no root password". I didn't
think anyone would do that. It isn't the Ubuntu default.)

sulogin in Ubuntu was always intended to provide automatic login in the
event of a locked root password. The reason for this is that it is only
invoked in single-user mode, so there is no decrease in security in the
common case when BIOS and bootloader passwords are unset (since anyone
can boot with init=/bin/sh anyway), and it would be very bad for a
failed fsck to render the system inaccessible. We anticipated that those
in more secured environments where this was inappropriate would set
BIOS, bootloader, and root passwords anyway.

It's funny how an installer user interface design decision has turned
into an article of religious faith a year and a half down the line. :-)

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
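The locked-versus-empty distinction drawn above, as an added example that is not part of the original thread: a POSIX shell check that classifies the root entry of a shadow(5)-format file so an administrator can tell whether root has no password (anyone at a secure tty can log in), a locked field (the `*` that `chpasswd -e` writes, or a leading `!` from `passwd -l`), or a real hash. The sample lines and hash strings below are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Classify the root account's password state from a shadow-format file.
# Prints one of: missing | empty | locked | set
#   empty  -> field 2 is blank: passwordless root login on a secure tty
#   locked -> '*' (as 'echo root:* | chpasswd -e' leaves) or a leading '!'
#   set    -> a hash is present: root password login is possible

classify_root_password() {
    # $1: shadow-format file (defaults to /etc/shadow, readable only by root)
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")                                   print "empty"
            else if ($2 == "*" || substr($2, 1, 1) == "!")  print "locked"
            else                                            print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "${1:-/etc/shadow}"
}

# Demo on constructed sample lines written to a temporary file
# (not a real shadow file; the hash values are placeholders).
demo=$(mktemp)
trap 'rm -f "$demo"' EXIT
for line in 'root::13165:0:99999:7:::' \
            'root:*:13165:0:99999:7:::' \
            'root:!$6$saltsalt$PLACEHOLDERHASH:13165:0:99999:7:::' \
            'root:$6$saltsalt$PLACEHOLDERHASH:13165:0:99999:7:::'; do
    printf '%s\n' "$line" > "$demo"
    printf '%-52s -> %s\n' "$line" "$(classify_root_password "$demo")"
done
```

Run as root against the real file with `classify_root_password /etc/shadow`; any result other than `locked` or `set` on a machine that relies on BIOS and bootloader passwords deserves attention.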