Re: [root user] How to disable root account?
On Fri, 25 Nov 2005, Maxim Vexler wrote:

> On 11/25/05, Robert Brockway [EMAIL PROTECTED] wrote:
> > Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.
>
> In the worst case, couldn't someone just boot from a livecd, run [passwd root], then [cat /etc/shadow | grep root] on the livecd and finally simply copying that entry into the locked out system shadow file ?

Sure but this involves bringing the system down. If you don't allow the three fingered salute on the console to reboot or halt the system then it involves bringing the system down badly. If we are talking of a production system this is a _very bad thing_ even after hours.

Rob

--
Robert Brockway B.Sc.        Phone: +1-416-669-3073
Senior Technical Consultant  Email: [EMAIL PROTECTED]
OpenTrend Solutions Ltd.     Web:   www.opentrend.net
We are open 24x365 for technical support. Call us in a crisis.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [root user] How to disable root account?
On 2005-11-30 16:04:22, Dick Davies wrote:

> On 30/11/05, Michelle Konzack [EMAIL PROTECTED] wrote:
> > grep -vE ^root: /etc/passwd > /etc/passwd.tmp
> > mv /etc/passwd.tmp /etc/passwd
> > grep -vE ^root: /etc/shadow > /etc/shadow.tmp
> > mv /etc/shadow.tmp /etc/shadow
> > grep -vE ^0: /etc/group > /etc/group.tmp
> > mv /etc/group.tmp /etc/group
> > grep -vE ^0: /etc/gshadow > /etc/gshadow.tmp
> > mv /etc/gshadow.tmp /etc/gshadow
>
> That's a joke, isn't it?

:-) Yes, but it deactivates root very successfully!

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant # Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: [root user] How to disable root account?
On Fri, 2 Dec 2005 13:34:37 + Dick Davies [EMAIL PROTECTED] wrote:

> > Then you can add them to the wheel group and give them a root shell that way. Meanwhile you can update the root password without any problem.
>
> What would be the point of updating the root password in this case?

In our case there are a couple of dozens of sysadmins that want to have root access on their local box and six or eight sysadmins that do the operation of these workstations (and some 200 servers in their spare time). The latter six or eight people have the root password to do remote stuff. As mentioned before, they could work with sudo and service accounts for login too. But we do not do it that way. Six or eight people with the root password makes a good reason to update it regularly.

> > Ubuntu follows this road a bit further by setting a random root password nobody actually knows.
>
> That's untrue, and would be a very bad idea.

Seems i am following a myth here.

I must have read it during last winter in the ubuntu forum.
http://ubuntuforums.org/printthread.php?t=31053

I sure saw it last week on zdnet:
http://reviews.zdnet.co.uk/software/os/0,39024175,39237493,00.htm

Thank you for your clarification.

Christian

--
Christian Folini - [EMAIL PROTECTED]
Re: [root user] How to disable root account?
On 01/12/05, Christian Folini [EMAIL PROTECTED] wrote:

> The sudo/wheel approach is also a handy one when you want to update the root password regularly, but you do not want to tell it to everyone. Say you work in an heterogenous enterprise with lots of admins having their unix workstation. They need root permissions on their desktop machine, but you do not want to distribute the root password (lacking the encrypted channel to reach everyone for example). Then you can add them to the wheel group and give them a root shell that way. Meanwhile you can update the root password without any problem.

What would be the point of updating the root password in this case?

> Ubuntu follows this road a bit further by setting a random root password nobody actually knows.

That's untrue, and would be a very bad idea.

> having to explain to my boss why i do not know the root password of our linux workstations did not seem that attractive.

Why, is he really stupid?

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Re: [root user] How to disable root account?
Dick Davies wrote:

> On 01/12/05, Christian Folini [EMAIL PROTECTED] wrote:

[snip]

> > having to explain to my boss why i do not know the root password of our linux workstations did not seem that attractive.
>
> Why, is he really stupid?

Do you read Dilbert?

Mike

--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
Re: [root user] How to disable root account?
On Wed, Nov 30, 2005 at 11:23:17PM -0500, gnrfan wrote:

> Ubuntu uses sudo. I also use it in my Debian box. Basically most unices have a wheel group. You can add your account to that group and then run the visudo to leave /etc/sudoers with a line like this one:
>
> %wheel ALL=(ALL) NOPASSWD: ALL
>
> Or this (if you want your account's (not root) password to be asked for every time you want to run commands like root):
>
> %wheel ALL=(ALL) ALL

I don't know what your objective is in disabling root, but, if it's to make your system more secure against attackers, be aware that this (or any sudo-based approach, really) will make matters worse, not better. If you have 5 user accounts in wheel (or who otherwise have unlimited access to superuser powers via sudo), then that's five accounts which can be cracked and used to take over your machine rather than just one. (Some improvement is possible in that an attacker won't know the name of the account(s) he needs to crack, but, if he has any way of retrieving your system's valid user names (say, from email addresses), then this is an extremely flimsy defense.)

sudo is great for tracking who does what as root and for preventing yourself from accidentally doing something with greater powers than intended, but it can very easily be counterproductive if your intent is to increase resistance to unauthorized access.

--
The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened.
- Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
Re: [root user] How to disable root account?
On Thu, 1 Dec 2005 09:24:28 -0600 Dave Sherohman wrote:

> sudo is great for tracking who does what as root and for preventing yourself from accidentally doing something with greater powers than intended, but it can very easily be counterproductive if your intent is to increase resistance to unauthorized access.

The sudo/wheel approach is also a handy one when you want to update the root password regularly, but you do not want to tell it to everyone. Say you work in an heterogenous enterprise with lots of admins having their unix workstation. They need root permissions on their desktop machine, but you do not want to distribute the root password (lacking the encrypted channel to reach everyone for example). Then you can add them to the wheel group and give them a root shell that way. Meanwhile you can update the root password without any problem.

Ubuntu follows this road a bit further by setting a random root password nobody actually knows. This seems consequent to me. But having to explain to my boss why i do not know the root password of our linux workstations did not seem that attractive.

regs,

Christian Folini

--
Christian Folini - mailto:[EMAIL PROTECTED]
Re: [root user] How to disable root account?
On 12/1/05, Christian Folini [EMAIL PROTECTED] wrote:

> On Thu, 1 Dec 2005 09:24:28 -0600 Dave Sherohman wrote:
> > sudo is great for tracking who does what as root and for preventing yourself from accidentally doing something with greater powers than intended, but it can very easily be counterproductive if your intent is to increase resistance to unauthorized access.
>
> The sudo/wheel approach is also a handy one when you want to update the root password regularly, but you do not want to tell it to everyone. Say you work in an heterogenous enterprise with lots of admins having their unix workstation. They need root permissions on their desktop machine, but you do not want to distribute the root password (lacking the encrypted channel to reach everyone for example). Then you can add them to the wheel group and give them a root shell that way. Meanwhile you can update the root password without any problem.
>
> Ubuntu follows this road a bit further by setting a random root password nobody actually knows. This seems consequent to me. But having to explain to my boss why i do not know the root password of our linux workstations did not seem that attractive.

sudo passwd lets you set the root password of course. :-)

greets,
Wim
Re: [root user] How to disable root account?
Christian Folini said...

> On Thu, 1 Dec 2005 09:24:28 -0600 Dave Sherohman wrote:
> > sudo is great for tracking who does what as root and for preventing yourself from accidentally doing something with greater powers than intended, but it can very easily be counterproductive if your intent is to increase resistance to unauthorized access.
>
> The sudo/wheel approach is also a handy one when you want to update the root password regularly, but you do not want to tell it to everyone. Say you work in an heterogenous enterprise

I hope you meant heterogeneous! Though it would be true to say that many sys admins are heterogenous. It's usually safer to say 'diverse' to avoid this one ;-)

Handy tip, though.

> with lots of admins having their unix workstation. They need root permissions on their desktop machine, but you do not want to distribute the root password (lacking the encrypted channel to reach everyone for example). Then you can add them to the wheel group and give them a root shell that way. Meanwhile you can update the root password without any problem.

--
Best,
Marc
Re: [root user] How to disable root account?
On Thu, 1 Dec 2005 19:49:10 +0100 Wim De Smet wrote:

> sudo passwd lets you set the root password of course. :-)

Yeah, that's why we distribute the hash of the root password via a debian package. :) (And the machines do an update/upgrade regularly.)

I think this approach works quite well in a desktop environment. Of course publishing the root password hash is insecure. But installing the hash on a machine people have physical access to, is just as insecure.

cheers,

Christian

P.S. Thx for the hint Marc. I thought it was safe to translate 1:1 from German. The 2 languages are so diverse in many ways.

--
Christian Folini - mailto:[EMAIL PROTECTED]
Re: [root user] How to disable root account?
grep -vE ^root: /etc/passwd > /etc/passwd.tmp
mv /etc/passwd.tmp /etc/passwd
grep -vE ^root: /etc/shadow > /etc/shadow.tmp
mv /etc/shadow.tmp /etc/shadow
grep -vE ^0: /etc/group > /etc/group.tmp
mv /etc/group.tmp /etc/group
grep -vE ^0: /etc/gshadow > /etc/gshadow.tmp
mv /etc/gshadow.tmp /etc/gshadow

On 2005-11-24 16:34:12, belbo wrote:

> Hi,
> I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?
> Bye

- END OF REPLYED MESSAGE -

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant # Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: [root user] How to disable root account?
Hi! I think you must be root to do this, but how can you restore it without root account?

- Original Message -
From: Michelle Konzack [EMAIL PROTECTED]
To: debian-user@lists.debian.org
Sent: Wednesday, November 30, 2005 4:09 PM
Subject: Re: [root user] How to disable root account?

grep -vE ^root: /etc/passwd > /etc/passwd.tmp
mv /etc/passwd.tmp /etc/passwd
grep -vE ^root: /etc/shadow > /etc/shadow.tmp
mv /etc/shadow.tmp /etc/shadow
grep -vE ^0: /etc/group > /etc/group.tmp
mv /etc/group.tmp /etc/group
grep -vE ^0: /etc/gshadow > /etc/gshadow.tmp
mv /etc/gshadow.tmp /etc/gshadow

On 2005-11-24 16:34:12, belbo wrote:

> Hi,
> I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?
> Bye

- END OF REPLYED MESSAGE -

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant # Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: [root user] How to disable root account?
On 30/11/05, Michelle Konzack [EMAIL PROTECTED] wrote:

> grep -vE ^root: /etc/passwd > /etc/passwd.tmp
> mv /etc/passwd.tmp /etc/passwd
> grep -vE ^root: /etc/shadow > /etc/shadow.tmp
> mv /etc/shadow.tmp /etc/shadow
> grep -vE ^0: /etc/group > /etc/group.tmp
> mv /etc/group.tmp /etc/group
> grep -vE ^0: /etc/gshadow > /etc/gshadow.tmp
> mv /etc/gshadow.tmp /etc/gshadow

That's a joke, isn't it?

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Re: [root user] How to disable root account?
On 11/30/05, Dick Davies [EMAIL PROTECTED] wrote:

> On 30/11/05, Michelle Konzack [EMAIL PROTECTED] wrote:
> > grep -vE ^root: /etc/passwd > /etc/passwd.tmp
> > mv /etc/passwd.tmp /etc/passwd
> > grep -vE ^root: /etc/shadow > /etc/shadow.tmp
> > mv /etc/shadow.tmp /etc/shadow
> > grep -vE ^0: /etc/group > /etc/group.tmp
> > mv /etc/group.tmp /etc/group
> > grep -vE ^0: /etc/gshadow > /etc/gshadow.tmp
> > mv /etc/gshadow.tmp /etc/gshadow
>
> That's a joke, isn't it?
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns
> http://number9.hellooperator.net/

I don't think so, actually it's rather nice. The ultimate root termination technique ;)

Unpractical of course because when you will need to alter any system wide settings you would be forced to reboot your machine and use the init=/bin/bash boot parameter, but for kiosk type setups this is quite a good tip IMHO.

--
Cheers,
Maxim Vexler (hq4ever).

Do u GNU ?
Re: [root user] How to disable root account?
On Wed, Nov 30, 2005 at 04:53:42PM +0100, Krizsán László wrote:

> [...]
> - Original Message -
> From: Michelle Konzack [EMAIL PROTECTED]
> To: debian-user@lists.debian.org
> Sent: Wednesday, November 30, 2005 4:09 PM
> Subject: Re: [root user] How to disable root account?
>
> grep -vE ^root: /etc/passwd > /etc/passwd.tmp
> mv /etc/passwd.tmp /etc/passwd
> [...]

This is *not* the way to disable the root account. Just run 'passwd -l root' to disable the account and 'passwd -u root' to enable it. Obviously, you will need to establish root privileges somehow to do either.

Do not edit passwd c by hand unless you really know why you're doing it that way.
Re: [root user] How to disable root account?
On Wed, 30-11-2005 at 16:53 +0100, Krizsán László wrote:

> Hi! I think you must be root to do this, but how can you restore it without root account?

Ubuntu uses sudo. I also use it in my Debian box. Basically most unices have a wheel group. You can add your account to that group and then run the visudo to leave /etc/sudoers with a line like this one:

%wheel ALL=(ALL) NOPASSWD: ALL

Or this (if you want your account's (not root) password to be asked for every time you want to run commands like root):

%wheel ALL=(ALL) ALL

Typically you'll just have to remove the # to uncomment the proper line and you'll be done.

I used the passwd -l trick a few moments ago and effectively disabled my root account. Then I did this:

$ sudo su -
# passwd -u root
Pssword changed.
# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Now my root account is restored. It's kind of easy, really.

Regards,

Antonio Ognio
Lima-Peru.
Re: [root user] How to disable root account?
On Sat, Nov 26, 2005 at 08:38:09PM +0200, Maxim Vexler wrote:

> On 11/26/05, Fredrik [EMAIL PROTECTED] wrote:
> > Well, to hack a PC with physical access is easy. That is why I've encrypted my hd with blowfish-256. It will take thousands of years to hack :-)
>
> And would render data recovery in case of HD failure impossible. I really don't think that for a regular home user block level hd encryption is a good idea. That is unless you maintain a strict backup policy and use a raid1 / 5 / 10 data duplication storage OR you really do have something to hide ;)

Then you have to encrypt the backups...

Meanwhile, disk level encryption provides no extra security while the machine is up, which is probably most of the time.
Re: [root user] How to disable root account?
[EMAIL PROTECTED] wrote:

> On Sat, Nov 26, 2005 at 08:38:09PM +0200, Maxim Vexler wrote:
> > On 11/26/05, Fredrik [EMAIL PROTECTED] wrote:
> > > Well, to hack a PC with physical access is easy. That is why I've encrypted my hd with blowfish-256. It will take thousands of years to hack :-)
> >
> > And would render data recovery in case of HD failure impossible. I really don't think that for a regular home user block level hd encryption is a good idea. That is unless you maintain a strict backup policy and use a raid1 / 5 / 10 data duplication storage OR you really do have something to hide ;)
>
> Then you have to encrypt the backups...
>
> Meanwhile, disk level encryption provides no extra security while the machine is up, which is probably most of the time.

The question was about rebooting the system and get root access.
Re: [root user] How to disable root account?
On Fri, Nov 25, 2005 at 01:33:34PM +0200, Maxim Vexler wrote:

> On 11/25/05, Robert Brockway [EMAIL PROTECTED] wrote:
> > Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.
>
> In the worst case, couldn't someone just boot from a livecd, run [passwd root], then [cat /etc/shadow | grep root] on the livecd and finally simply copying that entry into the locked out system shadow file ?

That's doing it the hard way. Just pass init=/bin/sh rw to the kernel with your bootloader, and do:

# passwd root
# mount -o ro,remount /
reboot

If your bootloader has a password and you've lost that, you can use a boot disk, but you still shouldn't muck around with the passwd shadow files directly, probably ever. Just mount the root filesystem and chroot /mnt passwd (or visudo) as root.
Re: [root user] How to disable root account?
[EMAIL PROTECTED] wrote:

> On Fri, Nov 25, 2005 at 01:33:34PM +0200, Maxim Vexler wrote:
> > On 11/25/05, Robert Brockway [EMAIL PROTECTED] wrote:
> > > Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.
> >
> > In the worst case, couldn't someone just boot from a livecd, run [passwd root], then [cat /etc/shadow | grep root] on the livecd and finally simply copying that entry into the locked out system shadow file ?
>
> That's doing it the hard way. Just pass init=/bin/sh rw to the kernel with your bootloader, and do:
>
> # passwd root
> # mount -o ro,remount /
> reboot
>
> If your bootloader has a password and you've lost that, you can use a boot disk, but you still shouldn't muck around with the passwd shadow files directly, probably ever. Just mount the root filesystem and chroot /mnt passwd (or visudo) as root.

Well, to hack a PC with physical access is easy. That is why I've encrypted my hd with blowfish-256. It will take thousands of years to hack :-)
Re: [root user] How to disable root account?
On 11/26/05, Fredrik [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
> > On Fri, Nov 25, 2005 at 01:33:34PM +0200, Maxim Vexler wrote:
> > > On 11/25/05, Robert Brockway [EMAIL PROTECTED] wrote:
> > > > Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.
> > >
> > > In the worst case, couldn't someone just boot from a livecd, run [passwd root], then [cat /etc/shadow | grep root] on the livecd and finally simply copying that entry into the locked out system shadow file ?
> >
> > That's doing it the hard way. Just pass init=/bin/sh rw to the kernel with your bootloader, and do:
> >
> > # passwd root
> > # mount -o ro,remount /
> > reboot
> >
> > If your bootloader has a password and you've lost that, you can use a boot disk, but you still shouldn't muck around with the passwd shadow files directly, probably ever. Just mount the root filesystem and chroot /mnt passwd (or visudo) as root.
>
> Well, to hack a PC with physical access is easy. That is why I've encrypted my hd with blowfish-256. It will take thousands of years to hack :-)

And would render data recovery in case of HD failure impossible. I really don't think that for a regular home user block level hd encryption is a good idea. That is unless you maintain a strict backup policy and use a raid1 / 5 / 10 data duplication storage OR you really do have something to hide ;)

--
Cheers,
Maxim Vexler (hq4ever).

Do u GNU ?
Re: [root user] How to disable root account?
On Sat, Nov 26, 2005 at 07:00:47PM +0100, Fredrik wrote:

> [EMAIL PROTECTED] wrote:
> > That's doing it the hard way. Just pass init=/bin/sh rw to the kernel with your bootloader, and do:
> >
> > # passwd root
> > # mount -o ro,remount /
> > reboot
>
> Well, to hack a PC with physical access is easy. That is why I've encrypted my hd with blowfish-256. It will take thousands of years to hack :-)

You could still hack it with physical access. (It would be a bit harder).
Re: [root user] How to disable root account?
On Thu, 24 Nov 2005, Björn Lindström wrote:

> passwd -l simply sets the password to a value matching no passwords. sudo works by running SUID root, and so does not depend on a root password in any way.

Actually that depends on how sudo is configured. In some configurations sudo does depend on the root password (rather than the user a/c password) for authentication.

Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.

Rob

--
Robert Brockway B.Sc.        Phone: +1-416-669-3073
Senior Technical Consultant  Email: [EMAIL PROTECTED]
OpenTrend Solutions Ltd.     Web:   www.opentrend.net
We are open 24x365 for technical support. Call us in a crisis.
Re: [root user] How to disable root account?
On 11/25/05, Robert Brockway [EMAIL PROTECTED] wrote:

> On Thu, 24 Nov 2005, Björn Lindström wrote:
> > passwd -l simply sets the password to a value matching no passwords. sudo works by running SUID root, and so does not depend on a root password in any way.
>
> Actually that depends on how sudo is configured. In some configurations sudo does depend on the root password (rather than the user a/c password) for authentication.
>
> Anyone wanting to lock the root account (not a good idea IMHO) should have a root enabled session (sudo, su or whatever) put to the side and not touched during the procedure. This session would be used only to reverse the procedure if it was found that establishing superuser privs was no longer possible in new sessions.
>
> Rob
>
> --
> Robert Brockway B.Sc.        Phone: +1-416-669-3073
> Senior Technical Consultant  Email: [EMAIL PROTECTED]
> OpenTrend Solutions Ltd.     Web:   www.opentrend.net
> We are open 24x365 for technical support. Call us in a crisis.

In the worst case, couldn't someone just boot from a livecd, run [passwd root], then [cat /etc/shadow | grep root] on the livecd and finally simply copying that entry into the locked out system shadow file ?

--
Cheers,
Maxim Vexler (hq4ever).

Do u GNU ?
Re: [root user] How to disable root account?
On Thu, Nov 24, 2005 at 04:34:12PM +0100, belbo wrote:

> Hi,
> I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?
> Bye

sudo passwd -l root

I am not sure if that will actually do it, but it seems logical.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: [root user] How to disable root account?
On Thursday 24 November 2005 07:34 am, belbo wrote:

> Hi,
> I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?

If you mean the Ubuntu live CD, you can access root with sudo su -.

David
Re: [root user] How to disable root account?
Roberto C. Sanchez wrote:

> On Thu, Nov 24, 2005 at 04:34:12PM +0100, belbo wrote:
> > I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?
>
> sudo passwd -l root
>
> I am not sure if that will actually do it, but it seems logical.

I haven't tried this (nor would I want to) but it does not sound like a good idea to me. First, man passwd says that the -l option is for locking user accounts, it may not work on root. Secondly, if you do lock out root, how would you administer the system? Would sudo still allow you root access? I don't know and I would not want to try it on MY system.

--
Marc Shapiro
Re: [root user] How to disable root account?
On Thu, 2005-11-24 at 11:24 -0800, Marc Shapiro wrote:

> Roberto C. Sanchez wrote:
> > On Thu, Nov 24, 2005 at 04:34:12PM +0100, belbo wrote:
> > > I've seen Ubuntu linux, and I've noticed the disabled root account. I like this solution, how can I disable root account on my etch debian?
> >
> > sudo passwd -l root
> >
> > I am not sure if that will actually do it, but it seems logical.
>
> I haven't tried this (nor would I want to) but it does not sound like a good idea to me. First, man passwd says that the -l option is for locking user accounts, it may not work on root. Secondly, if you do lock out root, how would you administer the system? Would sudo still allow you root access? I don't know and I would not want to try it on MY system.

Using -l is perfectly safe. This is actually the same thing that Ubuntu does to disable the root account. Since you can't really disable root, you're just changing the password to something that can't be matched by a password. (Essentially an invalid hash.) So as long as you're not using password-based authentication (which is the case with sudo), you're fine.

Obviously, make sure you use sudo to do the change in the first place as Roberto suggested just to make sure that your sudo does, in fact, work right. If you do it while logged in as root and then log out, and if your sudo ISN'T set up right, you'll be locked out of your system.

--
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the pgp.net keyservers. Key ID: A6D24837
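
A read-only pre-flight check for the procedure discussed in this thread (lock root with passwd -l, keep sudo as the way back), added here as an example and not code from any poster. The function names and sample files are constructed; it assumes the shadow convention that a password field starting with ! or * matches no password, and the sudoers rootpw/targetpw options as the case where sudo depends on root's password.

```sh
#!/bin/sh
# Pre-flight check before `passwd -l root`. Reads passwd-style files only;
# it changes nothing. File paths are arguments so copies can be inspected.

# State of root's password field in a shadow-format file.
# Prints: locked | empty | password | missing
root_lock_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"   # no password can match
            else                   print "password"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# True when sudoers makes sudo ask for root's (or the target's) password
# instead of the caller's; with root locked, that sudo can never succeed.
sudo_needs_root_password() {
    grep -Eq '^[[:space:]]*Defaults([^#]*[^#![:alnum:]_])?(rootpw|targetpw)' "$1"
}

# Members of every group that has an unrestricted "%group ALL=(...) ALL" rule.
# Arguments: sudoers-format file, group-format file. One user per line.
sudo_group_admins() {
    sed -n 's/^[[:space:]]*%\([A-Za-z0-9_-]*\)[[:space:]]\{1,\}ALL[[:space:]]*=.*ALL[[:space:]]*$/\1/p' "$1" |
    while read -r grp; do
        awk -F: -v g="$grp" '$1 == g && $4 != "" { gsub(",", "\n", $4); print $4 }' "$2"
    done | sort -u
}

# Verdict on locking root. Arguments: shadow, group and sudoers files.
# Returns 0 only if some non-root sudo user could still authenticate.
# Conservative: NOPASSWD rules are treated like password-checked ones.
lock_preflight() {
    if sudo_needs_root_password "$3"; then
        echo "unsafe: sudo asks for the root password"
        return 1
    fi
    usable=""
    for u in $(sudo_group_admins "$3" "$2"); do
        if [ "$u" = root ]; then continue; fi
        # sudo authenticates the caller, so the caller needs a live password
        state=$(awk -F: -v u="$u" '$1 == u { if ($2 == "" || $2 ~ /^[!*]/) print "dead"; else print "live" }' "$1")
        if [ "$state" = live ]; then usable="$usable $u"; fi
    done
    if [ -z "$usable" ]; then
        echo "unsafe: no sudo-capable account with a usable password"
        return 1
    fi
    echo "ok: root reachable via sudo from:$usable"
}

# Constructed sample files (not taken from any real system).
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:!$1$CONSTRUCTED$notARealHash0000000000:13100:0:99999:7:::
alice:$1$CONSTRUCTED$notARealHash1111111111:13100:0:99999:7:::
bob:!:13100:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
EOF
    cat > "$1/sudoers" <<'EOF'
# %sudo ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
EOF
    { echo 'Defaults rootpw'; cat "$1/sudoers"; } > "$1/sudoers.rootpw"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_samples "$demo"
echo "root password field: $(root_lock_state "$demo/shadow")"
lock_preflight "$demo/shadow" "$demo/group" "$demo/sudoers"
lock_preflight "$demo/shadow" "$demo/group" "$demo/sudoers.rootpw" || true
```

On a live system the three arguments would be /etc/shadow, /etc/group and /etc/sudoers, read with root privileges from the session kept open for the change.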
Re: [root user] How to disable root account?
Marc Shapiro [EMAIL PROTECTED] writes:

> Secondly, if you do lock out root, how would you administer the system? Would sudo still allow you root access? I don't know and I would not want to try it on MY system.

If you don't know, why are you answering? ;-)

It works fine. passwd -l simply sets the password to a value matching no passwords. sudo works by running SUID root, and so does not depend on a root password in any way.

Actually I think Ubuntu's approach is very sane. Setting a root password should be optional during installation, and only available in expert mode.
Re: [root user] How to disable root account?
Björn Lindström wrote:

> Marc Shapiro [EMAIL PROTECTED] writes:
> > Secondly, if you do lock out root, how would you administer the system? Would sudo still allow you root access? I don't know and I would not want to try it on MY system.
>
> If you don't know, why are you answering? ;-)
>
> It works fine. passwd -l simply sets the password to a value matching no passwords. sudo works by running SUID root, and so does not depend on a root password in any way.

Since the person who originally suggested this said that he did not KNOW if this would work, I was just saying that I would not want to experiment with it in my system without better knowledge of what, exactly, would happen.

It has already been posted that this will lock out root from a login, but that sudo will still be able to access the root account. It sounds like it is what the OP was looking for.

--
Marc Shapiro
[EMAIL PROTECTED]