Trouble Logging In as Root

Mark Haney mhaney at ercbroadband.org
Mon Nov 10 15:25:31 UTC 2008


Derek Broughton wrote:
> Mark Haney wrote:
> 
>> CLIFFORD ILKAY wrote:
>>
>>>> Am I missing something really obvious here? How can I set up my computer so
>>>> that I can login as root? I have all my files backed up so if another
>>>> fresh install is required that is certainly a possibility.
>>> Ignore the advice to set a root password.
>> Okay, I came rather late to the party but I would like to say a couple
>> of things here.  First and foremost.  NEVER leave root without a
>> password.  PERIOD. 
> 
> As somebody else pointed out, it isn't strictly without a password.

True, but locked is only good with a hard-to-guess password with it. 
See my previous post.
> 
>> This is not only probably the biggest security hole 
>> ever, it's just plain wrong.  Root is (in the phrasing of Ric Flair)
>> 'THE MAN'.  It can do everything.  Anyone leaving root exposed runs a
>> big risk.
> 
> Root is not exposed in a default Ubuntu system.

Of course it's exposed, with the primary user having root access it's 
exposed.  Look, the issue here is with the primary user having sudo 
access.  Even that exposes root.  And root access.  Users by themselves 
are typically lazy with passwords, that makes it paramount that root be 
locked down as tightly as possible.

> 
>> I am aware of the fact that Ubuntu gives sudo access to virtually
>> everything for the first user, but let's examine the possibilities here.
>>   Let's say I compromise your system's primary user account. I can sudo
>> into root, then lock everyone else out with a couple changes to sudo
>> using visudo as well as edit the root passwd.  What do you do then?
>> You're busted.  Period.  
> 
> Bull.  Period.  I boot off a liveCD, and fix it.  Let's say I compromise
> your root account, because everybody who's ever had to do anything as root
> has been sharing the password...

No, it's not bull.  Do you always have a liveCD with you?  Always?  Be 
honest.  Again, who is insane enough to share root's password?  I never 
do.  Root is my baby, and I change it regularly.  Paranoia, it's a good 
thing with root.  I also always lock down sudo access for multiple users 
(on a server) to only the binaries they need more than normal user 
account access for.  Even then it better be a damn good reason to have it.

I've been known to lock out even sudo access for the primary user and 
set up an oddball account name and password, just for sudo access.

> 
>> There is no real recovery from that, because 
>> even with a rescue CD you pretty much need to know the root passwd.
> 
> ????  In a word, No.

Okay, I'll give you that one.

> 
>> Personally, I also keep a root shell open pretty much all the time I'm
>> on a system, just in case I do something stupid and lock myself out
>> (like breaking an sshd config or something.)
> 
> LOL, and you're paranoid about security?

I keep a root shell or sudo access open on any remote system I'm 
configuring.  As a backup for if I break something during a new config.

Believe me, I'm probably even more paranoid than anyone else. I am 
responsible for more than $3m worth of supercomputers and servers on a 
daily basis. I do not take root's name in vain.  But, in every case, SSH 
is tunneled through one unexposed system to the internal blocked IPs of 
the server I need to get to.  My point is, I have to use root's power on 
a regular basis.  In each case I have sudo access for every server 
internally only.  If I need access from home (for example) I have to ssh 
tunnel to the internal server then ssh from there and sudo in.  It's a 
PITA, but it's necessary.

Do what you want with sudo and root.  I thought I'd share my experience, 
but hey, some people only learn from having it done to them.




-- 
Frustra laborant quotquot se calculationibus fatigant pro inventione 
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
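
Added example, not part of the original message: a small audit of sudoers-style rules that separates blanket `ALL` grants (the default first-user setup debated above) from grants limited to named binaries. The sample rules and account names are constructed, and the parser is a simplification that ignores aliases, line continuations and per-command tags.

```python
import re

# Constructed sample in sudoers syntax; account names are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
webops  ALL=(root) /usr/sbin/service apache2 restart
deploy  ALL=(ALL) NOPASSWD: ALL
"""

# Lines that are not user/group rules: comments, includes, Defaults, aliases.
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias", "Cmd_Alias")
# who  hosts = (runas) command-spec
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
# Leading tags such as "NOPASSWD:" in front of the command list.
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit_sudoers(text):
    """Classify each rule as 'unrestricted' (ALL) or 'restricted'."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        tags = TAGS.match(spec)
        nopasswd = bool(tags and "NOPASSWD:" in tags.group(0))
        commands = [c.strip() for c in TAGS.sub("", spec).split(",")]
        scope = "unrestricted" if "ALL" in commands else "restricted"
        results.append({"who": who, "scope": scope,
                        "nopasswd": nopasswd, "commands": commands})
    return results

def risky(results):
    """Non-root principals whose account compromise yields full root."""
    return [r["who"] for r in results
            if r["scope"] == "unrestricted" and r["who"] != "root"]

if __name__ == "__main__":
    for r in audit_sudoers(SAMPLE_SUDOERS):
        print(f'{r["who"]:8} {r["scope"]:12} nopasswd={r["nopasswd"]}')
    print("review:", risky(audit_sudoers(SAMPLE_SUDOERS)))
```

On a real system, `sudo -l -U <user>` reports the effective rules for one account after aliases and includes are resolved.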



