Old 11-10-2008, 02:25 PM
"Mark Haney"
 
Default Trouble Logging In as Root

Derek Broughton wrote:
> Mark Haney wrote:
>
>> CLIFFORD ILKAY wrote:
>>
>>>> Am I missing something really obvious here? How can I set up my computer so
>>>> that I can login as root? I have all my files backed up so if another
>>>> fresh install is required that is certainly a possibility.
>>> Ignore the advice to set a root password.
>> Okay, I came rather late to the party but I would like to say a couple
>> of things here. First and foremost. NEVER leave root without a
>> password. PERIOD.
>
> As somebody else pointed out, it isn't strictly without a password.

True, but locked is only good with a hard to guess password with it.
See my previous post.
>
>> This is not only probably the biggest security hole
>> ever, it's just plain wrong. Root is (in the phrasing of Ric Flair)
>> 'THE MAN'. It can do everything. Anyone leaving root exposed runs a
>> big risk.
>
> Root is not exposed in a default Ubuntu system.

Of course it's exposed, with the primary user having root access it's
exposed. Look, the issue here is with the primary user having sudo
access. Even that exposes root. And root access. Users by themselves
are typically lazy with passwords, that makes it paramount that root be
locked down as tightly as possible.

>
>> I am aware of the fact that Ubuntu gives sudo access to virtually
>> everything for the first user, but let's examine the possibilities here.
>> Let's say I compromise your system's primary user account. I can sudo
>> into root, then lock everyone else out with a couple changes to sudo
>> using visudo as well as edit the root passwd. What do you do then?
>> You're busted. Period.
>
> Bull. Period. I boot off a liveCD, and fix it. Let's say I compromise
> your root account, because everybody who's ever had to do anything as root
> has been sharing the password...

No, it's not bull. Do you always have a liveCD with you? Always? Be
honest. Again, who is insane enough to share root's password? I never
do. Root is my baby, and I change it regularly. Paranoia, it's a good
thing with root. I also always lock down sudo access for multiple users
(on a server) to only the binaries they need more than normal user
account access for. Even then it better be a damn good reason to have it.

I've been known to lock out even sudo access for the primary user and
set up an oddball account name and password, just for sudo access.

>
>> There is no real recovery from that, because
>> even with a rescue CD you pretty much need to know the root passwd.
>
> ???? In a word, No.

Okay, I'll give you that one.

>
>> Personally, I also keep a root shell open pretty much all the time I'm
>> on a system, just in case I do something stupid and lock myself out
>> (like breaking an sshd config or something.)
>
> LOL, and you're paranoid about security?

I keep a root shell or sudo access open on any remote system I'm
configuring. As a backup for if I break something during a new config.

Believe me, I'm probably even more paranoid than anyone else. I am
responsible for more than $3m worth of supercomputers and servers on a
daily basis. I do not take root's name in vain. But, in every case, SSH
is tunneled through one unexposed system to the internal blocked IPs of
the server I need to get to. My point is, I have to use root's power on
a regular basis. In each case I have sudo access for every server
internally only. If I need access from home (for example) I have to ssh
tunnel to the internal server then ssh from there and sudo in. It's a
PITA, but it's necessary.

Do what you want with sudo and root. I thought I'd share my experience,
but hey, some people only learn from having it done to them.




--
Frustra laborant quotquot se calculationibus fatigant pro inventione
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-10-2008, 02:27 PM
"Mark Haney"
 
Default Trouble Logging In as Root

Avi Greenbury wrote:
> Mark Haney wrote:
>> Sure, yeah, that works but only when you have the LiveCD with you. I
>> personally either a) don't always carry boot disks with me
>
> Mine's duct-taped to the side of the box.
>

You can't go wrong with duct tape. Touche. I was thinking more of
laptop/mobile users. But then, I also do Tech Support for my entire
extended family and I don't always carry one with me, nor do I expect
them to have it on hand if I need it.




 
Old 11-10-2008, 03:31 PM
Nils Kassube
 
Default Trouble Logging In as Root

Mark Haney wrote:
> Nils Kassube wrote:
> > Mark Haney wrote:
> >> 'THE MAN'. It can do everything. Anyone leaving root exposed runs
> >> a big risk.
> >
> > Then it is even better to have no root password set but keep the
> > root account locked to reduce the exposure, or am I missing
> > something?
>
> Locking the root account is fine, even preferred, but leaving it
> 'unlockable' and with an empty password is still (IMHO) a bad idea.
> I've never preferred locking it WITHOUT a passwd. Again, my advice, be
> paranoid.
>
> >> I am aware of the fact that Ubuntu gives sudo access to virtually
> >> everything for the first user,
> >
> > But you don't seem to be aware that the root account doesn't have a
> > blank password but we have a locked root account. You simply can't
> > login as root unless you intentionally set a root password.
>
> I am aware, but that still is only part of the problem, with sudo
> access you can unlock root, and still make yourselves even more
> vulnerable without a hard to crack passwd. Sure, if the primary user
> is compromised, you're screwed anyway, but the point here is never do
> just one or the other. Do both.

What do you mean by "do both"? If I understand right what you wrote
above, you want to take away the sudo access to the root account for all
users? Otherwise there is no way to protect the root account, because if I
get a root shell I can still replace the /etc/shadow and /etc/passwd
files.

> Of course, this only comes with
> experience, I've had that happen to me once. Long ago. But hey, it's
> your system. Do what you want, I'm just offering my experiences in the
> past. Never assume locking root is enough.

Yes, thanks for the advice. It is always good to see others' opinions about
how the system could be made more secure.

> Sure, yeah, that works but only when you have the LiveCD with you. I
> personally either a) don't always carry boot disks with me or b) am too
> far away from said system to use one.

Usually I don't have a LiveCD with me either. I'm not a system admin
anyway, I just have my home network and I help some friends with their
machines. Of course I have a LiveCD laying around here and if I know a
friend needs help with a compromised machine I would definitely take the
LiveCD with me. So our needs are quite different.

> Trust me, when the poop hits the fan, you're
> almost always missing something that would make life easier on hand
> with you.

That's one of the consequences of Murphy's law, isn't it?


Nils

 
Old 11-10-2008, 05:45 PM
Derek Broughton
 
Default Trouble Logging In as Root

Mark Haney wrote:

> Derek Broughton wrote:
>> Mark Haney wrote:
>>
>>> CLIFFORD ILKAY wrote:
>>>
>>>>> Am I missing something really obvious here? How can I set up my computer
>>>>> so that I can login as root? I have all my files backed up so if
>>>>> another fresh install is required that is certainly a possibility.
>>>> Ignore the advice to set a root password.
>>> Okay, I came rather late to the party but I would like to say a couple
>>> of things here. First and foremost. NEVER leave root without a
>>> password. PERIOD.
>>
>> As somebody else pointed out, it isn't strictly without a password.
>
> True, but locked is only good with a hard to guess password with it.

Still wrong. It isn't a hard-to-guess password - it's an impossible-to-use password.

> See my previous post.
>>
>>> This is not only probably the biggest security hole
>>> ever, it's just plain wrong. Root is (in the phrasing of Ric Flair)
>>> 'THE MAN'. It can do everything. Anyone leaving root exposed runs a
>>> big risk.
>>
>> Root is not exposed in a default Ubuntu system.
>
> Of course it's exposed, with the primary user having root access it's
> exposed.

Absolutely no more so than in your concept - and imo less.

> Look, the issue here is with the primary user having sudo
> access. Even that exposes root. And root access. Users by themselves
> are typically lazy with passwords, that makes it paramount that root be
> locked down as tightly as possible.

Right. BY NOT HAVING A WORKING ROOT ACCOUNT
--
derek


 
Old 11-10-2008, 08:45 PM
"Owen Townend"
 
Default Trouble Logging In as Root

2008/11/11 Derek Broughton <news@pointerstop.ca>:
> Mark Haney wrote:
>
>> Derek Broughton wrote:
>>> Mark Haney wrote:
>>>> CLIFFORD ILKAY wrote:
>>>>>> Am I missing something really obvious here? How can I set up my computer
>>>>>> so that I can login as root? I have all my files backed up so if
>>>>>> another fresh install is required that is certainly a possibility.
>>>>> Ignore the advice to set a root password.
>>>> Okay, I came rather late to the party but I would like to say a couple
>>>> of things here. First and foremost. NEVER leave root without a
>>>> password. PERIOD.
>>>
>>> As somebody else pointed out, it isn't strictly without a password.
>>
>> True, but locked is only good with a hard to guess password with it.
>
> Still wrong. It isn't a hard-to-guess password - it's an impossible-to-use password.

This has been clearly explained earlier too. The root account is
locked; it does not have a blank password, or a strong password.
Check /etc/shadow (example from a clean VM):

root:!:14178:0:99999:7:::

There is _no_ password that will give a hash beginning with '!',
confirming Derek's point that it is an *impossible* to use or guess
password.

A locked account is no stronger with a valid hash after the locking '!'.

>
>> See my previous post.
>>>
>>>> This is not only probably the biggest security hole
>>>> ever, it's just plain wrong. Root is (in the phrasing of Ric Flair)
>>>> 'THE MAN'. It can do everything. Anyone leaving root exposed runs a
>>>> big risk.
>>>
>>> Root is not exposed in a default Ubuntu system.
>>
>> Of course it's exposed, with the primary user having root access it's
>> exposed.
>
> Absolutely no more so than in your concept - and imo less.
[snip]

Agreed. As a security conscious administrator, the logic that two
hard to guess passwords (root password and first user) is better than
one hard to guess password and an *impossible* to guess password is
clearly incorrect, even if the attacker _knows_ that the root account
is locked.

An external attacker also needs to find the username of the admin user
account. While this is only an obscurity layer, it does add another
step to the process. An internal attacker can simply
`grep admin /etc/group`, as by default Ubuntu simply adds users to the
admin group to grant full root (via sudo) rights.

cheers,
Owen.

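Added example, not from the thread or from Ubuntu: a small audit script that applies Owen's two checks above, classifying each /etc/shadow password field (locked with '!' or '*', empty, or a real hash) and listing who is in the admin group. The file contents below are constructed sample data so it runs offline; the "carol" and "bob" lines are invented to show the locked-with-hash and empty-password cases.

```python
"""Audit root/sudo exposure from /etc/shadow and /etc/group (example code)."""
from typing import Dict, List

# Constructed sample: the thread's clean-VM root line plus invented accounts.
SAMPLE_SHADOW = """\
root:!:14178:0:99999:7:::
daemon:*:14178:0:99999:7:::
alice:$6$saltsalt$notarealhashjustforillustration:14178:0:99999:7:::
bob::14178:0:99999:7:::
carol:!$6$saltsalt$lockedbutstillcarriesahash:14178:0:99999:7:::
"""

# Constructed sample /etc/group; 'admin' is the Ubuntu 8.10-era sudo group.
SAMPLE_GROUP = """\
root:x:0:
admin:x:116:alice,carol
sudo:x:27:
users:x:100:alice,bob
"""


def classify_password_field(field: str) -> str:
    """Label the second field of one /etc/shadow line."""
    if field == "":
        return "EMPTY"  # no password at all: login without any secret
    if field[0] in "!*":
        # '!' (passwd -l) or '*' is not a valid crypt(3) output, so no
        # typed password can ever match it; a hash after '!' stays unusable.
        return "LOCKED" if len(field) == 1 else "LOCKED_WITH_HASH"
    return "HASHED"


def audit_shadow(text: str) -> Dict[str, str]:
    """Map account name -> classification for every shadow line."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            result[fields[0]] = classify_password_field(fields[1])
    return result


def members_of(text: str, group: str) -> List[str]:
    """Return the explicit member list of a group from /etc/group text."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[0] == group:
            return [m for m in parts[3].split(",") if m]
    return []


def findings(shadow: str, group: str) -> List[str]:
    """Flag empty passwords and list sudo-capable (admin group) users."""
    out = [f"EMPTY password: {u}" for u, c in audit_shadow(shadow).items() if c == "EMPTY"]
    out += [f"admin (sudo) member: {u}" for u in members_of(group, "admin")]
    return out
```

Run against a real host as root by passing the contents of /etc/shadow and /etc/group to findings(); an "EMPTY password" line or an unexpected admin member is what to investigate.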