Linux Mint Forums

[Ardanbis]

When i saw that bug i used:
sudo passwd -l root
immediatly to lock the root account but now anytime i do "sudo su" it shows this message:

Your account has expired, please contact the system administrator.(ignored)

And after i get that message it logs me in as root.

Is there any way to "ignore" completely this message, i mean i dont want to see it anymore.

[Phosgene]

Good to know this has been fixed, however this doesn't affect me. Goes to show that it's never good to neglect the root account. Always set a reasonably strong password, even if it is written down somewhere (may not be the best security practice, but much better than leaving root open). :) In the case of Ardanbis, it's never a good idea to lock root, if users accidently get deleted, root can always be counted on to help bail you out of any problems that you may run into.

[Ardanbis]

Good to know this has been fixed, however this doesn't affect me. Goes to show that it's never good to neglect the root account. Always set a reasonably strong password, even if it is written down somewhere (may not be the best security practice, but much better than leaving root open). In the case of Ardanbis, it's never a good idea to lock root, if users accidently get deleted, root can always be counted on to help bail you out of any problems that you may run into.

<b>Absolutely False.</b>

If you need the root account for emergency in the Grub Menu, you just have to choose the recovery mode, or if it is not available, edit the Linux Mint option deleting "ro quiet splash" and editing "init=bin/bash" and pres enter.

Keeping root account locked is THE strongest way to protect your computer. (This and a good firewall, specially if it drops ping, thing that ufw doesnt do by default)

You just need to look at the login log of ANY Linux server: There are thousands of dictionary attacks, to the "root" user to find out its password, if the account is locked there is no way you can get in.

EDIT: Instead of "init=bin/bash" you can also use "single". And also u can use the LiveCD to edit the sudoers file, and many more.

[Phosgene]

Locking root isn't going to do anything when you're hit with any kind of exploit, well written shell code will give root privilages rather than a root account, not to mention shellcode written to add a root user. And most firewalls are easily evaded by fragmenting packets, strong ruleset or not. Keep a strong passphrase as a root password and there is no way that anyone will get in. I'd much rather have people trying to brute force my root account than have them keeping a hawks eye on my services waiting for 0days.

[Ardanbis]

Locking root isn't going to do anything when you're hit with any kind of exploit, well written shell code will give root privilages rather than a root account, not to mention shellcode written to add a root user. And most firewalls are easily evaded by fragmenting packets, strong ruleset or not. Keep a strong passphrase as a root password and there is no way that anyone will get in. I'd much rather have people trying to brute force my root account than have them keeping a hawks eye on my services waiting for 0days.

IF an exploit exists or make one so good than how do you use it? You first have to connect to the computer you intend to use it, and how do you know that computer is it off or on? Well you just have to ping it. I guess you caughed the idea. In this case a strong ruleset doesnt really mattter.

EDIT: If you are hit by an exploit either if you have a strong password on your root account wont do anything for you. I was only talknig about brute force not about exploits. Exploits are exploits, thats all. And they get "fixxed" pretty fast as soon as they get out.

[Phosgene]

Any portscanner (Which is going to be the primary tool of someone exploiting services) provides a ping off flag (-PN in nmap), this means that no ping request is sent anyway and cuts right to scanning ports and services. If the computer is not connected or not 'on' then there will be no response right away, otherwise sending null packets will be able to stealth scan and find open ports plus grab banners for services.

By locking root account all you accomplish is protection from brute force attacks but you will also encounter many problems such as the ones you are experiencing. By setting a strong root passphrase (At least 40+ chars) not only will your prevent brute force or even hybrid attacks, it also means that should you have to use the root account in the case of disaster, it is right there to be used.

[Ardanbis]

Any portscanner (Which is going to be the primary tool of someone exploiting services) provides a ping off flag (-PN in nmap), this means that no ping request is sent anyway and cuts right to scanning ports and services. If the computer is not connected or not 'on' then there will be no response right away, otherwise sending null packets will be able to stealth scan and find open ports plus grab banners for services.

Heh yes, you are right port scanning is the usual way. But i think we are talking about activating or not the "root" account and untill now I still dont understand why do I really need to enable it. As i said before even if the sudoers file gets corrupted(in this case i think "root" account can get messed up too) you can fix it with the livecd.

Fine if you preffer to activate your root account then go ahead, it is your choice, not mine.

[Ardanbis]

By locking root account all you accomplish is protection from brute force attacks but you will also encounter many problems such as the ones you are experiencing

What problems? I just want to ignore the root account deactivated message. There is no problem at all. Is just a message.

[Phosgene]

In my opinion, as far as Linux goes, anything that is not perfect is a problem. Windows creates a tendency to accept error messages and problems as the norm. Everything is changeable in Linux right down to Kernel level, there should be no excuse for small inconveniences. This is not a problem of the development, it is something that the user has to change themselves in order to tailor Linux to their own needs.

[Ardanbis]

This is not a problem of the development, it is something that the user has to change themselves in order to tailor Linux to their own needs.

So i have to modify the kernel to avoid that message? I thought there was a easier way. Like when bash starts to insult you if you type an incorrect password. I thought this was something like that.

[Phosgene]

I highly doubt you would have to edit the kernel to remove that message.

[Ardanbis]

Ok i will keep searching then, anyway if there is someone like me out there that gets same message using "sudo su" then instead of using "sudo su" use "sudo bash" you will get "root" priviledges aswell, and that message won't pop out. Well i know its a fake solution but its the only 1 i found untill now.

[MintyCat]

Okay, sorry to be digging up an old thread, but I've just found an old .iso of Mint 5 lying around my computer and I'm now running it on a Virtual Machine. I'm so used to not being able to "su" on Gloria, but I really dislike mintAssistant, so I'm glad the team took that out of Mint 7.

But I was wondering if there's any way to configure at least just the root password, or does it follow Elyssa's method and randomizes a password? If so, how can I access it? Do I have to create a root account?

[Mintylamb]

It is possible to log in as root on the latest kde version of Gloria 7, using the password set for the first user account.