
Re: [LUG] Converts to Linux

 

> I have never tried Ubuntu, but I have read a lot of reviews and
> comments about it and one of the surprises was that there is
> apparently no need to have a root password.
> Or am I not understanding something?

There's a big difference between all users having root privileges and not having a dedicated root account. Ubuntu has a root account (although it's "locked" upon installation) and it does support more secure implementations.

It is never a good idea to login to any system as root. Far better to disable all root login access, allow access to ordinary users and selectively allow certain users access to sudo.

This much of the Ubuntu arrangement I agree with, wholeheartedly. I do this myself and I would advise every OS install (not just GNU/Linux but every type of OS) to do the same.

Where I disagree is how Ubuntu proceed from that point, which is along the lines of Mac OSX. The use of sudo - once enabled - only requires the use of the user password. Therefore, if an Ubuntu system is compromised, root access - at least via sudo - would be available via a particular compromised USER password. Just like OSX - anyone who cracks a user password on a single-user OSX box has a direct route to sudo. Once a single-user OSX user password is compromised, an attacker can change the sudo rules and lock you out in a matter of seconds.

I use sudo in a different way. I have a root account, although I never use it directly. Having that account means I also have a root password which differs from my user login password. When I want to use sudo, I have configured sudo to require the root password. It's just an extra layer of security - plus it reminds me to be careful.

The sudo password can be cached too; the shorter the better for security, and - as ever - security is the opposite of convenience.

Thankfully, this is free software and any Ubuntu user can tweak their own sudo config to require a different password for sudo operations as well as enable/disable/limit the sudo password cache.

The link to the Ubuntu wiki clearly indicates how this can be done - it also advises how to enable GUI root login, which isn't something I would ever advise as it is ALWAYS unnecessary.

"You can make sudo ask for the root password instead of the user password, you can do this by adding the keyword rootpw to the line in /etc/sudoers that starts with Defaults"

With this change, Ubuntu is no different to many desktop/workstation Debian boxes.

--

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
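As an added illustration of the two sudoers settings discussed in the message above (this is not code from the post or from Ubuntu), the following Python audit reads a sudoers file and reports whether `Defaults rootpw` is set and what `timestamp_timeout` the cache uses. The sample sudoers content is constructed to resemble a stock Ubuntu file; the 5-minute fallback is sudo's upstream compile-time default and is an assumption, since distributions may build in a different value.

```python
"""Audit a sudoers file for the settings discussed in the post: does sudo
ask for the root password (Defaults rootpw), and how long is the password
cached (Defaults timestamp_timeout, in minutes)?"""
import re

# Constructed sample resembling a stock Ubuntu /etc/sudoers: no rootpw and
# no explicit timeout, so sudo takes the user password and its built-in cache.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample, not a real file)
Defaults\tenv_reset
Defaults\tmail_badpass
Defaults\tsecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root\tALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo\tALL=(ALL:ALL) ALL
"""

# Same file after the change the post recommends: root password for sudo
# and a short (2 minute) credential cache.
HARDENED_SUDOERS = SAMPLE_SUDOERS + "Defaults\trootpw, timestamp_timeout=2\n"

def parse_defaults(text):
    """Return {option: value} from every plain 'Defaults' line (per-user,
    per-host and per-command Defaults: / Defaults@ / Defaults! lines are
    skipped). Bare flags map to True, '!flag' to False, 'opt=value' to value.
    Backslash-continued lines are joined first, as sudoers allows."""
    text = re.sub(r"\\\n", "", text)
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"Defaults\s+(.*)", line)
        if not m:
            continue
        for item in re.split(r",\s*", m.group(1)):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                key, val = item.split("=", 1)
                opts[key.strip()] = val.strip().strip('"')
            elif item.startswith("!"):
                opts[item[1:]] = False
            else:
                opts[item] = True
    return opts

def audit_sudoers(text):
    """Summarise which password sudo will ask for and how long it is cached.
    Assumption: 5 minutes is the upstream default when no timeout is set."""
    opts = parse_defaults(text)
    rootpw = opts.get("rootpw", False) is True
    timeout = float(opts.get("timestamp_timeout", 5))
    return {"rootpw": rootpw, "timestamp_timeout": timeout,
            "cache_disabled": timeout == 0,
            "authenticate_with": "root password" if rootpw else "user password"}
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root to check a real system; a `False` for `rootpw` means a compromised user password alone is enough for sudo, as the post describes.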


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html