
#1 2014-06-25 02:28:33

Salkay
Member
Registered: 2014-05-22
Posts: 618

[SOLVED] Disable root; possible error in the wiki

The wiki states that to disable root, one could lock it with

# passwd -l root

However, the man page suggests something different.

$ man passwd
...
       -l, --lock
           Lock the password of the named account. This option disables a password by changing it to a value which
           matches no possible encrypted value (it adds a '!' at the beginning of the password).

           Note that this does not disable the account. The user may still be able to login using another authentication
           token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1
           (this set the account's expire date to Jan 2, 1970).

Should the wiki suggest this strategy instead?

Also, it seems like a recent update changed the default formatting of /etc/shadow, using "x" instead of "!" to denote no matching password? I haven't seen this documented anywhere.

Last edited by Salkay (2014-08-03 06:54:54)


#2 2014-06-25 03:15:18

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Disable root; possible error in the wiki

I have never tried to harden my machine like this.  But I would assume that the idea here is not to render root unusable, but rather simply make it as inaccessible as possible from the command line.  The system will still need to run certain things as root in order for the machine to function properly.


#3 2014-06-25 03:55:18

Salkay
Member
Registered: 2014-05-22
Posts: 618

Re: [SOLVED] Disable root; possible error in the wiki

WonderWoofy wrote:

The system will still need to run certain things as root in order for the machine to function properly.

Ah yes, this makes sense. The wording of the man page is a little confusing to me. It says after `passwd -l`, users can still log in. Then, it suggests disabling the account instead. Hence, I interpreted "disable" to mean "unable to login", whereas it seems that you are suggesting "disable" means "unable to do anything at all".

I've also tried to search more about using "x" instead of "!" in /etc/shadow, but can't find anything. I presume "x" is a better alternative since the new config files ship with it?


#4 2014-06-25 18:49:23

anatolik
Developer
Registered: 2012-09-27
Posts: 458

Re: [SOLVED] Disable root; possible error in the wiki

# passwd -l root

effectively disables logging in as root using its password - for example

su

will be impossible.

Note that there are other ways to perform operations as root:

- using "sudo $cmd"
- using key authentication for SSH login; it will not ask for the root password.

Last edited by anatolik (2014-06-25 18:50:02)


Read it before posting http://www.catb.org/esr/faqs/smart-questions.html
Ruby gems repository done right https://bbs.archlinux.org/viewtopic.php?id=182729
Fast initramfs generator with security in mind https://wiki.archlinux.org/index.php/Booster


#5 2014-06-27 00:00:57

Salkay
Member
Registered: 2014-05-22
Posts: 618

Re: [SOLVED] Disable root; possible error in the wiki

Thanks for the clarification, anatolik. One thing that set off alarm bells was the man page's reference to SSH. Obviously if an attacker has physical access, then all is lost (assuming there is no encryption), and I am more concerned with network attacks, such as via SSH. I would disable root access to SSH anyway, but good to know that `passwd -l root` also prevents password access to SSH.
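
The distinction this thread turns on (a locked password versus an expired account) can be checked directly from /etc/shadow fields. The script below is an added example, not code from the thread or the wiki; the function names are hypothetical, the sample lines are constructed, and the "looks like a hash" test is a heuristic.

```shell
#!/bin/sh
# Added example: tell "password locked" apart from "account expired" in
# shadow(5) lines (name:password:lastchg:min:max:warn:inactive:expire:reserved).

# shadow_state LINE [TODAY] -> "name password=<state> account=<state>"
# TODAY is days since 1970-01-01; defaults to the current day.
shadow_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$1" | awk -F: -v today="$today" '{
        pw = $2; ex = $8
        if (pw == "")                     p = "empty"   # no password needed
        else if (substr(pw, 1, 1) == "!") p = "locked"  # result of passwd -l
        else if (substr(pw, 1, 1) == "$" || length(pw) == 13) p = "hash"  # heuristic
        else                              p = "nohash"  # "*", "x": matches no password
        # Empty expire field = never expires; 0 is ambiguous per shadow(5), so skipped.
        a = (ex != "" && ex + 0 > 0 && today + 0 >= ex + 0) ? "expired" : "active"
        print $1, "password=" p, "account=" a
    }'
}

# Constructed sample entries (not real hashes). bob has expire field 1,
# which is what usermod --expiredate 1 writes.
sample_shadow() {
cat <<'EOF'
root:!$6$salt$hashhash:16000::::::
alice:$6$salt$hashhash:16000:0:99999:7:::
daemon:x:16000::::::
bob:!$6$salt$hashhash:16000:0:99999:7::1:
EOF
}

# audit_shadow [TODAY] : read shadow lines on stdin, annotate each state.
audit_shadow() {
    while IFS= read -r line; do
        state=$(shadow_state "$line" "$1")
        case $state in
            *password=locked*account=active*|*password=nohash*account=active*)
                echo "$state  # password login blocked; SSH keys and sudo unaffected" ;;
            *account=expired*)
                echo "$state  # account expired, the man page way to disable it" ;;
            *)  echo "$state" ;;
        esac
    done
}

sample_shadow | audit_shadow 16246   # 16246 = 2014-06-25 in days since epoch
```

On a real system, feed it `/etc/shadow` as root instead of the sample: `audit_shadow < /etc/shadow`.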
