Sudo / Disabling Root

evil · 2010-06-03 04:21:13

I just read the sudo page in the wiki (http://wiki.archlinux.org/index.php/Sudo) and read about disabling the root account at the bottom. There is a warning that arch linux may not be suitable for this. I am curious if any one has done this and had any issues or if it went smoothly.

cesura · 2010-06-03 04:44:11

That's an interesting thing to try.

sand_man · 2010-06-03 08:04:57

Why disable it?
If you are worried about other people accessing it, just give it some ridiculously difficult password and restrict the use of sudo.

sHyLoCk · 2010-06-03 08:08:26

No issues. Even if you get any issues, use Live CD to fix.

Last edited by sHyLoCk (2010-06-03 08:08:45)

JGC · 2010-06-03 08:25:05

Whenever you get dumped in a recovery shell in single user mode to fix filesystem issues, there's no way to login with a disabled root account.

Mr.Elendig · 2010-06-03 10:36:21

If you think that disabeling the root account is going to increase security, then you are wrong. (asuming the root password is somewhat sane).

It's usually much easier to get access to a normal user account, and if that account have full root access trough sudo....

SanskritFritz · 2010-06-03 11:04:06

Yeah, many people say that even using sudo is a big security flaw, as any script can call sudo and if it happens within 15 minutes of your previous sudo call, you might be screwed. Stick to root with a very good password, it's not that hard.

gablink · 2010-06-03 13:43:33

SanskritFritz wrote:

Yeah, many people say that even using sudo is a big security flaw, as any script can call sudo and if it happens within 15 minutes of your previous sudo call, you might be screwed. Stick to root with a very good password, it's not that hard.

Yes but you can change the password timeout

SanskritFritz · 2010-06-03 19:26:54

Sigh...

geniuz · 2010-06-03 19:39:36

Sudo definitally has its charm, using the root account only imho is tedious when you have to login everytime just to mount a device or shutdown/reboot your machine. I just make sure my user password is safe and only allow certain (much used) programs to be run with sudo in the first place. Can't remember the last time I've used my root account, but I would'nt recommend completely disabling it either for overall system stability.

Last edited by geniuz (2010-06-03 19:40:25)

ber_t · 2010-06-03 19:43:51

gablink wrote:

SanskritFritz wrote:
Yeah, many people say that even using sudo is a big security flaw, as any script can call sudo and if it happens within 15 minutes of your previous sudo call, you might be screwed. Stick to root with a very good password, it's not that hard.
Yes but you can change the password timeout

It's also a good idea to use "Defaults tty_tickets". This way sudo prompts for your password separately in every shell.

some-guy94 · 2010-06-03 20:26:02

gablink wrote:

SanskritFritz wrote:
Yeah, many people say that even using sudo is a big security flaw, as any script can call sudo and if it happens within 15 minutes of your previous sudo call, you might be screwed. Stick to root with a very good password, it's not that hard.
Yes but you can change the password timeout

And just duplicate su.

demian · 2010-06-03 20:43:08

i think you need to take a look at the sudoers file, some-guy94. sudo gives you much more flexibility than su.
you can make sudo permissions time out immediately, make it use root accounts password but for instance still maintain comfort by using NOPASSWD for commands you see fit.
For me, sudo eases things a lot and i wouldn't want to miss it.

I wouldn't want to miss the root account either though. So, instead of disabling it, I would just give it a very good password.

evil · 2010-06-05 00:45:36

Thanks for all the input. I think i'll just give it some insanely difficult password. I was just hoping to increase security.

JackH79 · 2010-06-05 01:26:00

And then one day, you'll be sitting there, becasue something's gone wrong, and think to yourself:
"What the heck was that insanely difficult root password again?"

evil · 2010-06-05 05:53:13

what is insanely difficult for one, may be easy for another.

i.e. "As I Walk Through The Valley Of The Shadow Of Death" -> AIWTTVOTSOD -> 41w77v0750d ... see how it works (btw, I dont use that phrase, just an example). It would be easy for me to remember, but for someone to magically come up with that phrase as a key to the actual password is improbable.

rransom · 2010-06-05 07:40:47

As a first try:

pacman -S pwgen
pwgen -s

I recommend taking at least 12 characters of its output.

demian · 2010-06-05 09:47:41

You can also abuse urandom:

echo $(< /dev/urandom tr -cd "[:graph:]" | head -c12)

Last edited by demian (2010-06-05 09:48:26)

rransom · 2010-06-05 11:29:23

demian wrote:

You can also abuse urandom:
echo $(< /dev/urandom tr -cd "[:graph:]" | head -c12)

That's what my password generator does, but with a page of C# code instead of a shell one-liner. I would leave out the 'echo $( )' wrapping though (what if the RNG dumps out 'IFS=:;rm:-r:*'?). If you want a trailing newline, put the pipeline in parens and follow it with '; echo' (stripping the single quotes).

Also, I think a 10-character password is enough if it is chosen at random from a 95-char alphabet.

demian · 2010-06-05 12:40:55

rransom wrote:

I would leave out the 'echo $( )' wrapping though (what if the RNG dumps out 'IFS=:;rm:-r:*'?).

That's a funny thought. I wonder what the odds are?
How many chars are there including capital, special and all those chars urandom gives, not counting those stripped by [:graph:]?

Last edited by demian (2010-06-05 12:43:14)

rransom · 2010-06-06 17:32:48

/dev/urandom spews bytes, not characters. If tr is using ASCII (LANG=C), [:graph:] passes 94 possible bytes (values 33 through 126). ('95-char alphabet' in my last post was a thinko.) If tr is using another character set (such as UTF-8 or Latin-1), [:graph:] can pass additional bytes and byte sequences.

The probability of getting a truly dangerous string like 'x;IFS=:;rm:*' (the one I suggested before is more than 12 characters, and it won't quite break anything because it doesn't have a semicolon before 'IFS') is low -- I suggested 10 characters so that there would be over 2^64 possible strings. The probability of getting a semicolon (and very confusing behaviour) is much higher (in a 10-character string, 2^(-3.3)).

Arch Linux

#1 2010-06-03 04:21:13

Sudo / Disabling Root

#2 2010-06-03 04:44:11

Re: Sudo / Disabling Root

#3 2010-06-03 08:04:57

Re: Sudo / Disabling Root

#4 2010-06-03 08:08:26

Re: Sudo / Disabling Root

#5 2010-06-03 08:25:05

Re: Sudo / Disabling Root

#6 2010-06-03 10:36:21

Re: Sudo / Disabling Root

#7 2010-06-03 11:04:06

Re: Sudo / Disabling Root

#8 2010-06-03 13:43:33

Re: Sudo / Disabling Root

#9 2010-06-03 19:26:54

Re: Sudo / Disabling Root

#10 2010-06-03 19:39:36

Re: Sudo / Disabling Root

#11 2010-06-03 19:43:51

Re: Sudo / Disabling Root

#12 2010-06-03 20:26:02

Re: Sudo / Disabling Root

#13 2010-06-03 20:43:08

Re: Sudo / Disabling Root

#14 2010-06-05 00:45:36

Re: Sudo / Disabling Root

#15 2010-06-05 01:26:00

Re: Sudo / Disabling Root

#16 2010-06-05 05:53:13

Re: Sudo / Disabling Root

#17 2010-06-05 07:40:47

Re: Sudo / Disabling Root

#18 2010-06-05 09:47:41

Re: Sudo / Disabling Root

#19 2010-06-05 11:29:23

Re: Sudo / Disabling Root

#20 2010-06-05 12:40:55

Re: Sudo / Disabling Root

#21 2010-06-06 17:32:48

Re: Sudo / Disabling Root

Board footer