root user
Smoot Carl-Mitchell
smoot at tic.com
Sun Jan 1 16:45:10 UTC 2012
On Sun, 2012-01-01 at 11:05 -0500, AV3 wrote:
> On Jan/1/2012 6:5435 AM, Earthson wrote:
> > root is disabled, and it does not have a passwd. if you really want to
> > use "root", just set a passwd for it.
> >
> > command:
> >
>
>
> You can do this, but it is not a good idea. The major security advantage
> of Unix OS's over Windows is afforded by their disabled root accounts
> inaccessible to outside intruders. Keep it that way, unless you have a
> truly compelling reason to risk your root account's security for.
Very few attacks on Unix/Linux systems try and guess the root password.
Most attacks take advantage of known flaws in processes running with
root privileges. With a strong password it is nearly impossible to guess
the root password. So from a security standpoint having a password on
the root account is not opening up a lot of risk. Since using "su -" on
a host with a root password or "sudo -i" on a host with a locked root
account are functionally equivalent, why have a password on root which
you need to remember?
On the other hand logging in as root (or sudo -i to root) and doing all
your work as root is risky, since every program you run is at an
elevated privilege. If you download a program or execute an email
attachment as root, then all security bets are off. This BTW was the
major attack vector for viruses and worms into Windows systems before
they introduced a degree of privilege separation. sudo is a nice tool
which makes you aware of the programs you want to run with root
privileges. In my view it keeps you from doing really dumb things.
--
Smoot Carl-Mitchell
System/Network Architect
voice: +1 480 922-7313
cell: +1 602 421-9005
smoot at tic.com
More information about the ubuntu-users
mailing list