lproven at gmail.com
Sun Jan 1 16:49:08 UTC 2012
On 1 January 2012 16:38, Chris Green <cl at isbd.net> wrote:
> On Sun, Jan 01, 2012 at 11:05:49AM -0500, AV3 wrote:
>> On Jan/1/2012 6:5435 AM, Earthson wrote:
>> >root is disabled, and it does not have a passwd. if you really want to
>> >use "root", just set a passwd for it.
>> You can do this, but it is not a good idea. The major security
>> advantage of Unix OS's over Windows is afforded by their disabled
>> root accounts inaccessible to outside intruders. Keep it that way,
>> unless you have a truly compelling reason to risk your root
>> account's security for.
> I have never quite followed this security reason for not enabling root.
> If someone guesses/finds the "sudo to root" user's password then they
> can get to do nasty root things just as easily as if the root account
> was enabled and they guess the root password.
> To my mind the only major advantage of using sudo rather than having a
> root password is simply that it leaves an audit trail of who did what.
> A root password actually adds a little security if remote root login is
> not allowed, you have to know two passwords, one for a user login and
> one for a root login, to get root access.
> However, having said all that, for *simplicity* then a user with sudo
> access does make support etc. much easier and on single user home Linux
> systems that is a major advantage.
It's not that it's harder to crack a user password than the root
password, and it's not that not having a root password keeps you safe
- it doesn't; once you know "sudo -s" (and its many variants), you can
do just as much damage.
It is, rather, for 2 reasons.
 Locally, if 'root' is disabled, then you can't log in as root.
Simple but clear. It removes the temptation to log in as that
dangerous account, because you can't. This is far more protection than
turning the desktop red and putting a picture of a bomb on it, as SUSE
Linux used to do. You can't do it at all, any how.
 Remotely, it offers protection from cracking attempts. Everyone
who knows Unix knows that the system administrator on Unix is called
"root", and if you have root access, you own the box. So that is the
account everyone attacks. Well, if root is there but disabled, they
can attack it as much as they like - they won't get in. There's
nothing to get into. But without access to the system, they can't see
what other, ordinary, unprivileged usernames /are/ there, so they
can't launch dictionary attacks against them.
Liam Proven • Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk • GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com • Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 • Cell: +44 7939-087884
More information about the ubuntu-users