root user

[Liam Proven]

On 1 January 2012 17:12, Chris Green <cl at isbd.net> wrote:
> On Sun, Jan 01, 2012 at 04:49:08PM +0000, Liam Proven wrote:
>> On 1 January 2012 16:38, Chris Green <cl at isbd.net> wrote:
>> > I have never quite followed this security reason for not enabling root.
>> >
>> > If someone guesses/finds the "sudo to root" user's password then they
>> > can get to do nasty root things just as easily as if the root account
>> > was enabled and they guess the root password.
>> >
>> > To my mind the only major advantage of using sudo rather than having a
>> > root password is simply that it leaves an audit trail of who did what.
>> >
>> > A root password actually adds a little security if remote root login is
>> > not allowed, you have to know two passwords, one for a user login and
>> > one for a root login, to get root access.
>> >
>> > However, having said all that, for *simplicity* then a user with sudo
>> > access does make support etc. much easier and on single user home Linux
>> > systems that is a major advantage.
>>
>> It's not that it's harder to crack a user password than the root
>> password, and it's not that not having a root password keeps you safe
>> - it doesn't; once you know "sudo -s" (and its many variants), you can
>> do just as much damage.
>>
>> It is, rather, for 2 reasons.
>>
>> [1] Locally, if 'root' is disabled, then you can't log in as root.
>> Simple but clear. It removes the temptation to log in as that
>> dangerous account, because you can't. This is far more protection than
>> turning the desktop red and putting a picture of a bomb on it, as SUSE
>> Linux used to do. You can't do it at all, any how.
>>
> That's rather akin to my 'simplicity' point above.  However it really
> makes no difference except that most instructions for doing root things
> on ubuntu say:-
>    sudo <do this>
>    sudu <do that>
>    sudo <do the other>
> and, as you say, afterwards you're not root and don't have to remember
> to log out.  In practice surely anyone doing more than two commands as
> root quickly gets fed up with typing sudo over and over again and just
> does:-
>    sudo -i
>    <do this>
>    <do that>
>    <do the other>
>    CTRL/D

I tend to use -s not -i, but yes, the point stands.

Doesn't matter - it's better than nothing.

>> [2] Remotely, it offers protection from cracking attempts. Everyone
>> who knows Unix knows that the system administrator on Unix is called
>> "root", and if you have root access, you own the box. So that is the
>> account everyone attacks. Well, if root is there but disabled, they
>> can attack it as much as they like - they won't get in. There's
>> nothing to get into.
>
> But in the real world the systems we are talking about are 99% home
> systems and won't have an ssh daemon running to allow remote access, and
> if they have it should most certainly have ssh root access disabled.
> Thus an intruder *does* need to know two passwords.

Why 2?

>>                         But without access to the system, they can't see
>> what other, ordinary, unprivileged usernames /are/ there, so they
>> can't launch dictionary attacks against them.
>>
> As I understand it dictionary attacks are only possible where the
> encrypted passwords are visible and that is no longer true on most
> systems.

No, not at all.

Anything which accepts a password in any form can have iterative
dictionary attacks launched against it.


> Much of what you are saying is really only applicable to multi-user
> systems where there are many users with 'local' (as in local LAN) access
> to the system.  Running something like a dictionary attack across an
> internet connection would be well nigh pointless, the timeouts on failed
> logins are such that it would take longer than any system is going to
> last for.

Not really. Any machine on the Internet is potentially vulnerable, as
well as an intranet.

-- 
Liam Proven • Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk • GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com • Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 • Cell: +44 7939-087884