Trouble Logging In as Root
Owen Townend
owen.townend at gmail.com
Mon Nov 10 21:45:37 UTC 2008
2008/11/11 Derek Broughton <news at pointerstop.ca>:
> Mark Haney wrote:
>
>> Derek Broughton wrote:
>>> Mark Haney wrote:
>>>> CLIFFORD ILKAY wrote:
>>>>>> Am I missing something really obvious here? How can I set up my computer
>>>>>> so that I can login as root? I have all my files backed up so if
>>>>>> another fresh install is required that is certainly a possibility.
>>>>> Ignore the advice to set a root password.
>>>> Okay, I came rather late to the party but I would like to say a couple
>>>> of things here. First and foremost. NEVER leave root without a
>>>> password. PERIOD.
>>>
>>> As somebody else pointed out, it isn't strictly without a password.
>>
>> True, but locked is only good with a hard to guess password with it.
>
> Still wrong. It isn't a hard-to-guess password - it's an impossible-to-use password.
This has been clearly explained earlier too. The root account is locked; it does not have a blank password, or a strong password. Check /etc/shadow (example from a clean VM):
root:!:14178:0:99999:7:::
There is _no_ password that will give a hash beginning with '!', confirming Derek's point that it is an *impossible* to use or guess password.
A locked account is no stronger with a valid hash after the locking '!'.
>
>> See my previous post.
>>>
>>>> This is not only probably the biggest security hole
>>>> ever, it's just plain wrong. Root is (in the phrasing of Ric Flair)
>>>> 'THE MAN'. It can do everything. Anyone leaving root exposed runs a
>>>> big risk.
>>>
>>> Root is not exposed in a default Ubuntu system.
>>
>> Of course it's exposed, with the primary user having root access it's
>> exposed.
>
> Absolutely no more so than in your concept - and imo less.
[snip]
Agreed. As a security-conscious administrator, the logic that two hard-to-guess passwords (root password and first user) is better than one hard-to-guess password and an *impossible* to guess password is clearly incorrect, even if the attacker _knows_ that the root account is locked.
An external attacker also needs to find the username of the admin user account.
While this is only an obscurity layer, it does add another step to the process.
An internal attacker can simply `grep admin /etc/group` as by default Ubuntu
simply adds users to the admin group to grant full root (via sudo) rights.
cheers,
Owen.
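The check Owen describes (read the second field of /etc/shadow and ask whether crypt(3) could ever have produced it) together with his `grep admin /etc/group` step, as an added example that is not part of the original post or of any Ubuntu tooling. The shadow and group contents are constructed for illustration, the hash strings are placeholders in crypt's format rather than real crypt output, and the function names (`classify_password_field`, `sudo_capable_users`, `audit`) are this example's own.

```python
"""
Audit /etc/shadow-style and /etc/group-style text for the situations in the
thread: which accounts are locked, which have no password at all, which carry
a real hash, and who gets root anyway through the admin (or sudo) group.
Added example, not code from the mailing-list post. Sample data below is
constructed; the hashes are placeholders, not output of any real crypt() call.
"""
import re

# A field starting with '!' or '*' can never be produced by crypt(3), so no
# password typed at a prompt will ever compare equal to it.
LOCK_PREFIXES = ("!", "*")

# Shapes crypt(3) output can take. This is a format check ("could crypt have
# produced this string?"), not a password verification.
CRYPT_HASH_RE = re.compile(
    r"^(?:"
    r"[./0-9A-Za-z]{13}"                          # traditional DES, 13 chars
    r"|\$(?:1|5|6|y|2[abxy])\$[./0-9A-Za-z$=]+"   # $1$ md5, $5$/$6$ sha, $y$ yescrypt, $2?$ bcrypt
    r")$"
)


def is_crypt_hash(field: str) -> bool:
    """True if the field looks like something crypt(3) could have returned."""
    return bool(CRYPT_HASH_RE.match(field))


def classify_password_field(field: str) -> str:
    """Classify the password field of one /etc/shadow entry.

    blank            -> empty field: no password is required where PAM's
                        nullok applies
    locked           -> '!' or '*' with nothing usable behind it: no
                        password matches
    locked-with-hash -> '!' in front of a valid hash: locked now, but
                        `passwd -u` brings the old password back
    hash             -> a crypt-style hash: a password exists and can be guessed
    unusable         -> anything else (e.g. 'x'): not a crypt output either
    """
    if field == "":
        return "blank"
    if field.startswith(LOCK_PREFIXES):
        rest = field.lstrip("!*")
        return "locked-with-hash" if is_crypt_hash(rest) else "locked"
    if is_crypt_hash(field):
        return "hash"
    return "unusable"


def parse_shadow(text: str) -> dict:
    """Map user -> password field from /etc/shadow-style text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields[1]
    return entries


def sudo_capable_users(group_text: str, groups=("admin", "sudo")) -> set:
    """Members of the groups Ubuntu's sudoers grants full root to: 'admin'
    in the thread's era, 'sudo' on later releases. Same idea as
    `grep admin /etc/group`, but parsed field by field."""
    members = set()
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, member_list = line.split(":", 3)
        if name in groups and member_list:
            members.update(member_list.split(","))
    return members


def audit(shadow_text: str, group_text: str) -> dict:
    """Per-account classification plus the two ways root can be reached."""
    states = {u: classify_password_field(pw) for u, pw in parse_shadow(shadow_text).items()}
    usable = ("hash", "blank")
    return {
        "accounts": states,
        "root_direct_login": states.get("root") in usable,
        "root_via_sudo": sorted(u for u in sudo_capable_users(group_text) if states.get(u) in usable),
        "guessable_passwords": sorted(u for u, s in states.items() if s == "hash"),
        "passwordless": sorted(u for u, s in states.items() if s == "blank"),
    }


# Constructed sample data (not from a real system); the $6$ strings are placeholders.
SAMPLE_SHADOW = """\
root:!:14178:0:99999:7:::
daemon:*:14178:0:99999:7:::
owen:$6$xY3.saltExample$Constructed.Placeholder/Hash0123456789abcdefghijkLMNOPqrstuvwxyz:14178:0:99999:7:::
bob:!$6$xY3.saltExample$Constructed.Placeholder/Hash0123456789abcdefghijkLMNOPqrstuvwxyz:14178:0:99999:7:::
guest::14178:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
admin:x:115:owen
sudo:x:27:
"""

if __name__ == "__main__":
    # On a real box: audit(open("/etc/shadow").read(), open("/etc/group").read()) as root.
    for key, value in audit(SAMPLE_SHADOW, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```

On the constructed data root comes out `locked` and `root_direct_login` is false, while `root_via_sudo` lists `owen`, which is exactly the thread's point: the only password worth guessing is the admin user's, and root adds none. The `locked-with-hash` case (bob) is the one Owen warns about in passing: `passwd -l` on an account that already had a password keeps the hash behind the '!', so an unlock restores it.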