About root or administrative account

Fri Mar 23 23:51:46 UTC 2007

David B Teague wrote:

> 
> First, many thanks to all who answered this inquiry: Kristian, Tony, 
> Eamonn, Wee-Yee Chan,Jarrod, Ramkumar, Derek, and Matthew, with useful 
> commentary. I appreciate the several opinions. Hope I didn't miss anyone.
> 
> I do not yet understand why the Ubuntu way, sudo, with the USER's 
> PASSWORD, is not less safe than having a different root password. I 
> think the ordinary user who does an administrative task should have to 
> use the root password.  Someone pointed out that sudo gives logging, 
> which will give some tracking, useful after the fact, but is in fact, 
> not safer.

Please don't take it the wrong way, but I think your view of overall
security is a bit narrow here. It's not that a user with sudo
privileges is more or less secure than someone using the actual root
account, because in essence they're exactly the same thing with the
minor difference being a sudo user is somewhat less likely to
accidentally invoke some disastrous command. Using sudo isn't by design
something that keeps non-administrators at bay, because an evildoer
with either sudo privileges or the root account password can wreak just
as much havoc.

The main argument for disabling root logins is the fact that an
outsider or unprivileged user needs two things to gain root access in
this scenario... a privileged user's account name, and the
corresponding password. With root logins enabled half of that equation
is solved. ;) It's a virtual certainty that account will exist on
every installation, so all one has to discover is the password.

To clarify, consider an alphabet so small that you can only form 10
words. That leaves you with 10 possible user names, and 10 possible
passwords. With an account name known (root) an attacker only has to
guess a maximum of 10 passwords. Without any known account names, the
attacker has to make a maximum of 100 guesses... 10 possible passwords
for each of the 10 possible user names.

Now consider the fact that with the root account enabled the number of
possible account names is one, but without it the number is more on the
order of all letters, numbers, and some symbols, multiplied by itself
and raised to the power of the longest possible user name. Considerably
more than one, and we haven't yet factored in an equal number of
potential passwords. ;)

> The logging that you get with sudu helps, and that with a single user, 
> there isn't a lot of difference in security between having a root log-in 

On the contrary. There's a huge difference in security because security
isn't just a matter of blindly defending against assumed attacks it's
also the science of recognizing how attacks are launched and attack
methods evolve, and forensically analyzing what went wrong when they
succeed. Every shred of information you can collect about a threat or
attack helps you avoid the dreaded worst case scenario.

Even with purposeful attacks aside, having that "audit trail" available
in the event you do happen to inadvertently invoke some disastrous
command can be the difference between an easy recovery and many hours
of work, or a complete restart from scratch. It's considerably easier
to fix something if you know *exactly* what's wrong. ;)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070323/58e57e5a/attachment.sig>