On Being root....
Chris Peterman
kyral at ubuntu.com
Sun Mar 5 17:41:41 UTC 2006
Just a random thought on the subject...
The Sudo model is better for Desktops, because it's easier to remember
one long cryptic password than TWO long cryptic passwords.
For Servers however...the Dual Account (Normal and Root User) Model is
better, assuming you disallow Remote Root logins. Why? Because if the
cracker busts the long cryptic user password, he still has to bust the
(perhaps) longer, more cryptic Root Password to do more damage.
Also Servers are (I would think) targeted more than Desktops :P
On Sun, 5 Mar 2006 12:11:40 -0500
"Joe(theWordy)Philbrook" <jtwdyp at ttlc.net> wrote:
>
>
> It would appear that on Mar 5, Rob Blomquist did say:
>
> > I am trying to get around having to play with Ubuntu's interest in
> > keeping me from becoming root in console and so on. I have no idea
> > why, but maybe it is to block people from running all the time as
> > root, which I know is a pretty stupid thing. I have not been at a
> > root graphical desktop in years.
>
> I'm not exactly an expert on why they choose the sudo model... I know
> why I didn't...
>
> I will say however that if you allow remote logins, anyone inclined to
> hack in to your system probably has a better chance of cracking the
> password of a known account name like root, than that of some generic
> user whose username isn't known...
>
> > But right now I am in something of a pickle, as while I can su into
> > root, and open KDE's Root Console, I now cannot run Adept, Kuser,
> > kdesu, or anything graphical as root. It's really starting to bug
> > me, as I am not a real pro at apt-get, dpkg or any of that, and it's
> > a real pain right now to configure my machine the way I want
> > without the graphical side. Mostly, as between rpms and deb based
> > installers, all the packages seem to be named differently, and I
> > don't know what to ask for.
>
> I did note that someone told you how to get an interactive root shell
> via sudo. But you were having problems with things like kdesu etc...
> And it sounded to me like you sounded comfortable with using root
> 'carefully'...
>
> I can tell you that I was having a similar problem getting kdesu to
> run using root's password like it would on fedora... seems like the
> kubuntu version used the sudo authentication model, which means that:
>
> A) you use YOUR OWN password instead of root's when you do
> something like: "kdesu -u root -c konsole" (Which should
> get root's kde settings for things like konsole schema {colors}).
>
> B) YOU must be set up as a sudoer... (if your sudoers file has
> these two lines:
> # Members of the admin group may gain root privileges
> %admin ALL=(ALL) ALL
> then it seems that all you need is to be in the admin
> group)
>
>
> But I was using a NON-sudoer account so there wasn't any password that
> kubuntu's kdesu would accept from me...
>
> However _IF_ I used a konsole shell prompt (and NOT the "run prompt")
> I could use su in the console to authorize kdesu without it asking me
> for my password...
>
> thus:
>
> su root -c "kdesu -u root -c konsole"
>
> (Note the quotes around the complete kdesu command and its arguments)
>
> Would cause su to use the original konsole to prompt me for root's
> password. Then, it seems that, somehow su authenticates kdesu so that
> it doesn't ask for a password...
>
> Works, though the original konsole sits there waiting for the
> kdesu-spawned konsole to exit. And
>
> su root -c "kdesu -u root -c konsole" &
>
> only resulted in a "stopped" process.
>
>
> Incidentally:
>
> su root -c kuser
>
> from a konsole shell prompt seems to launch Kuser just fine with the
> root password.
>
> I've never used Adept but I imagine it might be a similar
> authentication problem involved...
>
> Of course if I was using a sudoer account, then (using that account's
> password) I could get similar results from:
>
> sudo -H kuser
>
> &
>
> sudo -H konsole
>
> Hope this helps...
>
> > I am wondering if anyone has spent enough time, or has found a
> > website that lets us in on unblocking the root console, and all the
> > GUI utilities that we would like to use.
>
> I'm afraid I haven't a clue about such a web site... if you find one
> please let me know...
>
> #############################################################
> ##_if_you'd_prefer_an_clearsigned_".asc"_text_file_of_this_##
> ##message_as_an_mime_encoded_attachment,just_ask_me_while__##
> ##it's_STILL_IN_my_outbox_folder_._._._=+=+=+=+=+=+=+=+;-)_##
> #gpg sig for: Joe (theWordy) Philbrook DSA key ID 0x6C2163DE#
> # You can find my public gpg key at http://pgpkeys.mit.edu/ #
> #############################################################
- --
~ Chris "Kyral" Peterman
Computer Science Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Ubuntu Member
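Chris's "dual account" argument for servers rests on remote root logins being disabled, and Joe's note rests on the "%admin ALL=(ALL) ALL" sudoers rule plus admin-group membership. As an added example that is not part of either message, this POSIX shell script audits both conditions; the sample sshd_config, sudoers and group files, and the user and group names in them, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check the two assumptions behind
# the dual-account server model: remote root login over SSH is off, and
# root privilege is reached only via the %admin sudoers rule.
# File paths are parameters so the checks also run against sample files.

# 0 if the effective PermitRootLogin in an sshd_config is "no".
# sshd uses the FIRST value of a keyword, and a "Match" block can override
# globals, so only the global section before any Match line is consulted.
# A missing directive counts as NOT disabled: the historic default was
# "yes", and newer defaults (prohibit-password) still allow key logins.
ssh_root_login_disabled() {
    value=$(awk 'tolower($1) == "match" { exit }
                 tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$value" = "no" ]
}

# 0 if the sudoers file carries the admin-group rule quoted in the thread.
sudoers_admin_rule_present() {
    grep -Eq '^[[:space:]]*%admin[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# 0 if user $1 is listed as a member of group $2 in the group file $3.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# Constructed sample files (hypothetical content, not a real host's config).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# PermitRootLogin yes' 'Port 22' 'PermitRootLogin no' \
    'Match User backup' '  PermitRootLogin yes' > "$SAMPLE_DIR/sshd_hardened"
printf '%s\n' '#PermitRootLogin no' 'Port 22' > "$SAMPLE_DIR/sshd_default"
printf '%s\n' '# Members of the admin group may gain root privileges' \
    '%admin ALL=(ALL) ALL' > "$SAMPLE_DIR/sudoers"
printf '%s\n' 'root:x:0:' 'admin:x:113:alice,bob' 'users:x:100:carol' \
    > "$SAMPLE_DIR/group"

# Stand-alone run: report each check against the constructed samples.
ssh_root_login_disabled "$SAMPLE_DIR/sshd_hardened" && echo "hardened: remote root ssh is off"
ssh_root_login_disabled "$SAMPLE_DIR/sshd_default" || echo "default: remote root ssh is NOT off"
if sudoers_admin_rule_present "$SAMPLE_DIR/sudoers" && user_in_group alice admin "$SAMPLE_DIR/group"; then
    echo "alice can gain root through the %admin rule"
fi
```

On a live host you would point the functions at /etc/ssh/sshd_config, /etc/sudoers and /etc/group instead of the sample directory.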