Trouble Logging In as Root
Nils Kassube
kassube at gmx.net
Mon Nov 10 16:31:06 UTC 2008
Mark Haney wrote:
> Nils Kassube wrote:
> > Mark Haney wrote:
> >> 'THE MAN'. It can do everything. Anyone leaving root exposed runs
> >> a big risk.
> >
> > Then it is even better to have no root password set but keep the
> > root account locked to reduce the exposure, or am I missing
> > something?
>
> Locking the root account is fine, even preferred, but leaving it
> 'unlockable' and with an empty password is still (IMHO) a bad idea.
> I've never preferred locking it WITHOUT a passwd. Again, my advice, be
> paranoid.
>
> >> I am aware of the fact that Ubuntu gives sudo access to virtually
> >> everything for the first user,
> >
> > But you don't seem to be aware that the root account doesn't have a
> > blank password but we have a locked root account. You simply can't
> > login as root unless you intentionally set a root password.
>
> I am aware, but that still is only part of the problem, with sudo
> access you can unlock root, and still make yourselves even more
> vulnerable without a hard to crack passwd. Sure, if the primary user
> is compromised, you're screwed anyway, but the point here is never do
> just one or the other. Do both.
What do you mean by "do both"? If I understand it right what you wrote
above, you want to take away the sudo access to the root account for all
users? Otherwise there is no way to protect the root account because if I
get a root shell I can still replace the /etc/shadow and /etc/passwd
files.
> Of course, this only comes with
> experience, I've had that happen to me once. Long ago. But hey, it's
> your system. Do what you want, I'm just offering my experiences in the
> past. Never assume locking root is enough.
Yes, thanks for the advice. It is always good to see others' opinions about
how the system could be made more secure.
> Sure, yeah, that works but only when you have the LiveCD with you. I
> personally either a) don't always carry boot disks with me or b) am too
> far away from said system to use one.
Usually I don't have a LiveCD with me either. I'm not a system admin
anyway, I just have my home network and I help some friends with their
machines. Of course I have a LiveCD lying around here and if I know a
friend needs help with a compromised machine I would definitely take the
LiveCD with me. So our needs are quite different :)
> Trust me, when the poop hits the fan, you're
> almost always missing something that would make life easier on hand
> with you.
That's one of the consequences of Murphy's law, isn't it?
Nils
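
Added example, not part of the original message or written by either poster: a small check that tells apart the root account states discussed in this thread (locked with no password, locked with the old hash kept, empty password) by reading the second field of a shadow(5)-format file. The function names, the state labels and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the password field (2nd colon-separated field) of a shadow(5) entry.
classify_pw_field() {
    case "$1" in
        '')           echo "empty" ;;            # no password required
        '!'|'!!'|'*') echo "locked-no-hash" ;;   # password login impossible, nothing to unlock to
        '!'*)         echo "locked-hash-kept" ;; # locked; old hash returns if unlocked
        '$'*)         echo "password-set" ;;     # usable crypt(3) hash
        *)            echo "other" ;;            # e.g. legacy hash formats
    esac
}

# account_state USER FILE: look up USER in a shadow-format FILE and classify it.
account_state() {
    field=$(awk -F: -v u="$1" '
        $1 == u { print $2; found = 1; exit }
        END     { if (!found) exit 1 }' "$2") || { echo "no-such-user"; return 1; }
    classify_pw_field "$field"
}

# Constructed sample entries (account names and hashes are placeholders).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:!:14193:0:99999:7:::
rootb:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14193:0:99999:7:::
rootc::14193:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14193:0:99999:7:::
EOF

for u in root rootb rootc alice; do
    printf '%s: %s\n' "$u" "$(account_state "$u" "$sample")"
done
```

On a live system the same check is `account_state root /etc/shadow`, run with enough privilege to read that file. A locked password field only blocks password authentication for the account; it says nothing about who can reach root through sudo.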