Re: [ubuntu-uk] Creating 'root' account. (sudo, recovery mode)

2007-08-08 Thread Paul Sladen
On Tue, 7 Aug 2007, Adam Funk wrote:
> Isn't [..dropping straight to a root shell..] a bit of a security hole?  

No... Something is not "a security issue" if there are multiple other ways
to achieve the same thing (linux init=/bin/sh, LiveCD).

You are free to:

 1. Set the Grub password (to prevent changing the default boot entry)
 2. Set the BIOS password (to prevent altering the default boot device)
 3. Set the Machine in concrete (to prevent resetting the BIOS password)

...though an absolute pain to replace the fan after the computer overheats.

-Paul
-- 
Why do one side of a triangle when you can do all three.   Helsinki, FI


-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/


Re: [ubuntu-uk] Creating 'root' account. (sudo, recovery mode)

2007-08-07 Thread Adam Funk
On 2007-08-07, Paul Sladen wrote:

> On a default Ubuntu with the root account locked, selecting "(recovery
> mode)" will drop one straight to a root shell, without requiring a password.
>
> The idea behind this is simple;  the only time that somebody really
> needs to do some form of recovery, is when the machine is in a very bad
> state.  Handling a really broken machine/forgotten password is a stressful
> experience---the least that can be done is to optimise the recovery
> operation by getting a user what they need, fast and efficiently.

Isn't that a bit of a security hole?  

I realize that having physical access to a machine means that
ultimately you could open it up and clear the BIOS password in order
to boot from a live CD, but that takes a lot more time than just
rebooting and picking "recovery mode" from the GRUB menu to get root
access.

Of course, the GRUB menu can be password-protected, but that goes
against the stress-reducing theory of making it easy to get into
rescue mode.




Re: [ubuntu-uk] Creating 'root' account. (sudo, recovery mode)

2007-08-07 Thread Paul Sladen
On Mon, 6 Aug 2007, Adam Funk wrote:
> I can think of one situation where you really need a root password
> set: booting in rescue mode.

On a default Ubuntu with the root account locked, selecting "(recovery
mode)" will drop one straight to a root shell, without requiring a password.

The idea behind this is simple;  the only time that somebody really
needs to do some form of recovery, is when the machine is in a very bad
state.  Handling a really broken machine/forgotten password is a stressful
experience---the least that can be done is to optimise the recovery
operation by getting a user what they need, fast and efficiently.

If the user /has/ altered the default setting and set a root password, then
selecting "(recovery mode)" will require that shared root password to be
entered.

The set root password can be disabled again with:

  sudo passwd -l

-Paul
-- 
Why do one side of a triangle when you can do all three.   Helsinki, FI




Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-06 Thread Adam Funk
On 2007-08-05, Paul Sladen wrote:

> On Sat, 4 Aug 2007, Andrew Jenkins wrote:
>> For now though I consider playing around as 'root' while being 'under
>> the influence' as bad as driving so I'll leave well alone.
>
> Exact logging is *precisely* why 'sudo' exists.  In the morning you do:
>
>   sudo grep '[s]udo' /var/log/auth.log
>
> and find out what you did the night before.  'su' won't give you a list...

I can think of one situation where you really need a root password
set: booting in rescue mode.  Or is there a way around that if you've
left the root account locked?




Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-06 Thread Paul Sladen
On Sun, 5 Aug 2007, Matthew Wild wrote:
> On 8/5/07, Chris Rowson <[EMAIL PROTECTED]> wrote:
> > On Sun, 5 Aug 2007, Paul Sladen wrote:
> > > sudo grep '[s]udo' /var/log/auth.log
> > > Well, if your computer still works eh ;-)
> How do you get around sudo -i or sudo bash?

The best solution is to not use "sudo su/sudo -i/sudo -s/sudo bash"...

Using 'sudo' proactively is a social issue---eg. "please, please use sudo for
everyone's continued sanity".  Social issues are _not_ best solved by
technical means; if somebody really wants to exercise their power, they can
use "(recovery mode)", insert a LiveCD, or remove the hard-drive entirely.

You can do the following in '/etc/sudoers':

  %admin ALL=(ALL) ALL, !/bin/su, !/bin/bash

and I do have the above config on machines, but the line is only there as a
reminder to everyone that 'sudo' should be used one-command-at-a-time.

Life is not about getting *around* sudo, life is about using sudo to your
advantage;  even when I do end up at a root prompt, I still do a 'sudo'
before each privileged command I run and also leave little debugging
comments like "sudo echo 'about to try to delete xyz from the passwd db'".

-Paul
-- 
Why do one side of a triangle when you can do all three.   Helsinki, FI
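
[Added example, not part of the original posts: a parser for the sudo entries
that the grep above pulls out of /var/log/auth.log. It separates commands that
were logged one at a time from invocations that open a root shell (sudo -i,
sudo -s, sudo su, sudo bash), which is where the per-command trail stops. The
log lines, host and user names are constructed, and the classic syslog line
format is assumed.]

```python
import re
from collections import defaultdict

# Constructed sample (not real log data) in the syslog format sudo writes to auth.log.
SAMPLE_AUTH_LOG = """\
Aug  5 23:02:40 laptop sudo:     andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ; COMMAND=/bin/echo about to try to delete xyz from the passwd db
Aug  5 23:03:05 laptop sudo:     andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ; COMMAND=/usr/sbin/deluser xyz
Aug  5 23:10:19 laptop sudo:    chris : TTY=pts/1 ; PWD=/home/chris ; USER=root ; COMMAND=/bin/bash
Aug  5 23:15:02 laptop sudo:    chris : TTY=pts/1 ; PWD=/home/chris ; USER=root ; COMMAND=/bin/su
Aug  5 23:20:44 laptop sudo:      kid : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/kid ; USER=root ; COMMAND=/sbin/shutdown -h now
Aug  5 23:21:00 laptop sshd[4242]: Accepted publickey for andy from 192.0.2.10 port 50022 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def parse_sudo_line(line):
    """Return a dict for a sudo command entry, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m or "COMMAND=" not in m["body"]:
        return None
    # COMMAND= comes last and may itself contain ';', so split it off first.
    head, _, command = m["body"].partition("COMMAND=")
    parts = [p.strip() for p in head.split(" ; ") if p.strip()]
    # Parts without '=' are sudo's refusal notes, e.g. "user NOT in sudoers".
    notes = [p for p in parts if "=" not in p]
    return {"ts": m["ts"], "user": m["user"], "command": command, "denied": bool(notes)}


def opens_root_shell(command):
    """True when the logged command starts an interactive shell (sudo -i, -s, su, bash)."""
    argv = command.split()
    if not argv or "-c" in argv[1:]:
        return False  # a one-off command string is still visible in COMMAND=
    name = argv[0].rsplit("/", 1)[-1]
    if name == "su":
        return True
    return name in SHELLS and all(a.startswith("-") for a in argv[1:])


def audit(log_text):
    """Group sudo entries per user into logged commands, shell sessions and refusals."""
    report = defaultdict(lambda: {"commands": [], "shells": [], "denied": []})
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        kind = ("denied" if entry["denied"]
                else "shells" if opens_root_shell(entry["command"]) else "commands")
        report[entry["user"]][kind].append((entry["ts"], entry["command"]))
    return dict(report)


if __name__ == "__main__":
    for user, buckets in audit(SAMPLE_AUTH_LOG).items():
        for kind, items in buckets.items():
            print(user, kind, [cmd for _, cmd in items])
```

[Each entry under "shells" marks a point after which auth.log has no further
record of what that user ran as root.]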





Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-05 Thread Alan Pope
Hi Matthew,

On Sun, 2007-08-05 at 15:50 +0100, Matthew Wild wrote:
> How do you get around sudo -i or sudo bash? Presumably that would free
> them of the detailed logging?

sudo can be configured to allow not only specific users to run commands
under sudo, but can also limit what those commands are. So you could
(for example) allow access to run tools like update-manager, but not
allow anything else.

By default of course the standard install of Ubuntu allows the first
user to do anything under sudo, no restriction. You can of course build
on that.

Cheers,
Al.




Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-05 Thread Matthew Wild
How do you get around sudo -i or sudo bash? Presumably that would free them
of the detailed logging?

On 8/5/07, Chris Rowson <[EMAIL PROTECTED]> wrote:
>
> > In the morning you do:
> >
> >   sudo grep '[s]udo' /var/log/auth.log
> >
> > and find out what you did the night before.  'su' won't give you a list...
> >
>
> Well, if your computer still works eh ;-)


Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-05 Thread Chris Rowson
> In the morning you do:
>
>   sudo grep '[s]udo' /var/log/auth.log
>
> and find out what you did the night before.  'su' won't give you a list...
>

Well, if your computer still works eh ;-)



Re: [ubuntu-uk] Creating 'root' account. (sudo, audit trails)

2007-08-05 Thread Paul Sladen
On Sat, 4 Aug 2007, Andrew Jenkins wrote:
> For now though I consider playing around as 'root' while being 'under
> the influence' as bad as driving so I'll leave well alone.

Exact logging is *precisely* why 'sudo' exists.  In the morning you do:

  sudo grep '[s]udo' /var/log/auth.log

and find out what you did the night before.  'su' won't give you a list...

-Paul
-- 
Why do one side of a triangle when you can do all three.   Helsinki, FI




Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread stephen
On Sat, 2007-08-04 at 21:49 +0100, Nik Butler wrote:
> Mark Harrison wrote:
> > Andrew Jenkins wrote:
> >   
> >> For now though I consider playing around
> >> as 'root' while being 'under the influence' as bad as driving so I'll
> >> leave well alone.
> >>   
> >> 
> >
> > Mathematicians don't drink and derive.
> >
> > Mark
> >
> >   
> you'd think that's a real problem but it turns out you're not being
> rational and it's all imaginary.
> 
> 
> 

Why does such a natural subject have to become complex?




Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Nik Butler
Mark Harrison wrote:
> Andrew Jenkins wrote:
>   
>> For now though I consider playing around
>> as 'root' while being 'under the influence' as bad as driving so I'll
>> leave well alone.
>>   
>> 
>
> Mathematicians don't drink and derive.
>
> Mark
>
>   
you'd think that's a real problem but it turns out you're not being
rational and it's all imaginary.





Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Mark Harrison
Andrew Jenkins wrote:
> For now though I consider playing around
> as 'root' while being 'under the influence' as bad as driving so I'll
> leave well alone.
>   

Mathematicians don't drink and derive.

Mark



Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Andrew Jenkins
Matthew Wild wrote:
> ...or use the GUI... System->Administration->Users and Groups
> Right-click on the user (or make a new one), click the privileges tab, 
> and check or uncheck "Administer the system".
>
> HTH too,
>
> Matthew.
>
> On 8/4/07, *Neil Greenwood* <[EMAIL PROTECTED]> wrote:
>
> > On 04/08/07, Tony Arnold <[EMAIL PROTECTED]> wrote:
> > > (On a technical front, the user name has to be a member of the admin
> > > group to be able to use sudo. Also, by editing /etc/sudoers you can
> > > control exactly which commands users can execute. For example, if you
> > > wanted to let your kids shut the machine down, you could arrange that
> > > without letting them do anything else.).
> >
> > Just wanted to point out that you shouldn't edit /etc/sudoers
> > directly, but should use the visudo command to do it. It syntax-checks
> > the file you've edited before replacing the old /etc/sudoers, so sudo
> > won't break if you make a mistake.
> >
> > This is especially useful since you'll need to use sudo to edit the
> > /etc/sudoers file (or use visudo).
> >
> > It's also worth pointing out that, unlike the implication in the name,
> > it won't necessarily use vi to edit the file, but will respect your
> > EDITOR env. variable setting.
> >
> > HTH
> > Hwyl,
> > Neil.
>

Cheers guys.  I've had one too many tins of "pop" to digest all that info
this evening.  I'll have a look through it all tomorrow and probably end
up re-enabling my root account.  For now though I consider playing around
as 'root' while being 'under the influence' as bad as driving so I'll
leave well alone.

Regards,
Andy Jenkins.



Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Matthew Wild
...or use the GUI... System->Administration->Users and Groups
Right-click on the user (or make a new one), click the privileges tab, and
check or uncheck "Administer the system".

HTH too,

Matthew.

On 8/4/07, Neil Greenwood <[EMAIL PROTECTED]> wrote:
>
> On 04/08/07, Tony Arnold <[EMAIL PROTECTED]> wrote:
> > (On a technical front, the user name has to be a member of the admin
> > group to be able to use sudo. Also, by editing /etc/sudoers you can
> > control exactly which commands users can execute. For example, if you
> > wanted to let your kids shut the machine down, you could arrange that
> > without letting them do anything else.).
>
> Just wanted to point out that you shouldn't edit /etc/sudoers
> directly, but should use the visudo command to do it. It syntax-checks
> the file you've edited before replacing the old /etc/sudoers, so sudo
> won't break if you make a mistake.
>
> This is especially useful since you'll need to use sudo to edit the
> /etc/sudoers file (or use visudo).
>
> It's also worth pointing out that, unlike the implication in the name,
> it won't necessarily use vi to edit the file, but will respect your
> EDITOR env. variable setting.
>
> HTH
> Hwyl,
> Neil.


Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Neil Greenwood
On 04/08/07, Tony Arnold <[EMAIL PROTECTED]> wrote:
> (On a technical front, the user name has to be a member of the admin
> group to be able to use sudo. Also, by editing /etc/sudoers you can
> control exactly which commands users can execute. For example, if you
> wanted to let your kids shut the machine down, you could arrange that
> without letting them do anything else.).

Just wanted to point out that you shouldn't edit /etc/sudoers
directly, but should use the visudo command to do it. It syntax-checks
the file you've edited before replacing the old /etc/sudoers, so sudo
won't break if you make a mistake.

This is especially useful since you'll need to use sudo to edit the
/etc/sudoers file (or use visudo).

It's also worth pointing out that, unlike the implication in the name,
it won't necessarily use vi to edit the file, but will respect your
EDITOR env. variable setting.

HTH
Hwyl,
Neil.



Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Rob Beard
Andrew Jenkins wrote:
> Hi All,
> 
> Newbie Ubuntu-ite here.  So far so good, although I
> have a few questions, but one at a time.
> 
> I've been a Mandrake/Mandriva user since I ditched
> the dreaded MS four or five years ago.  I just
> thought I'd try Ubuntu (7.04) alongside my Mandriva
> 2005 on my laptop.
> 
> I'm used to the Mandriva way (as with most other
> distros) of having a 'root' account and then all the
> other 'user' accounts.  The Ubuntu method of asking
> for your 'user' password to then allow you to go off
> and create system-wide mayhem is really not suitable
> when you have curious kids. Again, typing 'sudo' and
> being asked for your 'user' password doesn't strike
> me as very secure.
> 
> Is it easy to make Ubuntu behave in a similar fashion
> to Mandriva and if so how?
> 
> Regards,
> 
> Andy Jenkins.
> 

I can't remember if there is a reason or not that the root account isn't 
normally used, although I know what you mean about being used to a root 
account.

I've enabled my root account by typing the following on the command line...

sudo passwd root

I then choose a password.

Hope this helps.

Rob




Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Andrew Price
On 04/08/07 18:56, Andrew Jenkins wrote:
> I've been a Mandrake/Mandriva user since I ditched
> the dreaded MS four or five years ago.  I just
> thought I'd try Ubuntu (7.04) alongside my Mandriva
> 2005 on my laptop.

Hi Andrew, welcome to the Ubuntu community :)

> I'm used to the Mandriva way (as with most other
> distros) of having a 'root' account and then all the
> other 'user' accounts.  The Ubuntu method of asking
> for your 'user' password to then allow you to go off
> and create system-wide mayhem is really not suitable
> when you have curious kids. Again, typing 'sudo' and
> being asked for your 'user' password doesn't strike
> me as very secure.

I'm not sure I understand your problem. sudo is very secure if you use
it properly and it makes it easier to manage privileges among your users
(revoking a root password from a user's brain is more difficult than
removing them from the admin group). All you need to do to stop your
kids causing mayhem is remove their user accounts from the admin group.

Of course, if you're allowing them to use your password and user account
(which you seem to be implying) then that's your security problem, not sudo.

> Is it easy to make Ubuntu behave in a similar fashion
> to Mandriva and if so how?

If you really must enable your root account, you can do 'sudo passwd
root' to give root a password. sudo will still work though so you'll
have to take your user out of the admin group or use visudo to disallow
the admin group from using sudo. Note that graphical programs invoked
using gksudo to get root permissions will no longer work and you'll
probably have to run them from a root terminal instead.

In summary, you can enable the root account but it's a lot less trouble
to use sudo wisely, IMHO.

--
Andy Price




Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Kris Marsh
On 8/4/07, Andrew Jenkins <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> Newbie Ubuntu-ite here.  So far so good, although I
> have a few questions, but one at a time.
>
> I've been a Mandrake/Mandriva user since I ditched
> the dreaded MS four or five years ago.  I just
> thought I'd try Ubuntu (7.04) alongside my Mandriva
> 2005 on my laptop.
>
> I'm used to the Mandriva way (as with most other
> distros) of having a 'root' account and then all the
> other 'user' accounts.  The Ubuntu method of asking
> for your 'user' password to then allow you to go off
> and create system-wide mayhem is really not suitable
> when you have curious kids. Again, typing 'sudo' and
> being asked for your 'user' password doesn't strike
> me as very secure.
>
> Is it easy to make Ubuntu behave in a similar fashion
> to Mandriva and if so how?
>
> Regards,
>
> Andy Jenkins.


There are some great reasons for sudo. Instead of me blabbing, feel
free to read https://help.ubuntu.com/community/RootSudo - it shows you
how to re-enable your root login near the bottom.

HTH

Kris



Re: [ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Tony Arnold
Andrew,

Andrew Jenkins wrote:
> Hi All,
> 
> Newbie Ubuntu-ite here.  So far so good, although I
> have a few questions, but one at a time.
> 
> I've been a Mandrake/Mandriva user since I ditched
> the dreaded MS four or five years ago.  I just
> thought I'd try Ubuntu (7.04) alongside my Mandriva
> 2005 on my laptop.
> 
> I'm used to the Mandriva way (as with most other
> distros) of having a 'root' account and then all the
> other 'user' accounts.  The Ubuntu method of asking
> for your 'user' password to then allow you to go off
> and create system-wide mayhem is really not suitable
> when you have curious kids. Again, typing 'sudo' and
> being asked for your 'user' password doesn't strike
> me as very secure.

There have been long arguments about this! Only the first user name you
create in Ubuntu can use sudo in the way you describe. Subsequent user
names do not have this ability, although you can give it to them if you
wish. So you could have your user name and give the kids a different
user name, one each. They then cannot do anything as root.

(On a technical front, the user name has to be a member of the admin
group to be able to use sudo. Also, by editing /etc/sudoers you can
control exactly which commands users can execute. For example, if you
wanted to let your kids shut the machine down, you could arrange that
without letting them do anything else.).

Just my two pen'orth.

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [EMAIL PROTECTED], H: http://www.man.ac.uk/Tony.Arnold



[ubuntu-uk] Creating 'root' account.

2007-08-04 Thread Andrew Jenkins
Hi All,

Newbie Ubuntu-ite here.  So far so good, although I
have a few questions, but one at a time.

I've been a Mandrake/Mandriva user since I ditched
the dreaded MS four or five years ago.  I just
thought I'd try Ubuntu (7.04) alongside my Mandriva
2005 on my laptop.

I'm used to the Mandriva way (as with most other
distros) of having a 'root' account and then all the
other 'user' accounts.  The Ubuntu method of asking
for your 'user' password to then allow you to go off
and create system-wide mayhem is really not suitable
when you have curious kids. Again, typing 'sudo' and
being asked for your 'user' password doesn't strike
me as very secure.

Is it easy to make Ubuntu behave in a similar fashion
to Mandriva and if so how?

Regards,

Andy Jenkins.
