Make the root password be automatically set when you set your admin password... again

flatiron
Level 3
Posts: 196
Joined: Fri Nov 24, 2017 2:27 am

Postby flatiron » Sun Dec 17, 2017 6:49 pm

I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?

"Set the root password
1.3. Starting with Linux Mint 18.2, the root password is unfortunately no longer set by default.

This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.

He can then do all kinds of nasty things. Like changing your own password....

This is how to fix it, by setting a password for root (preferably identical to your own password):

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following line into the terminal:

sudo passwd

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.

Note: I advise to make the root password ("UNIX password") identical to your own, in order to prevent problems later on.

That's it! Problem solved.

For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.

What this fix does, is blocking one much too easy way to get such unauthorized root access. Which increases security somewhat."

Pjotr
Level 19
Posts: 9289
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Make the root password be automatically set when you set your admin password... again

Postby Pjotr » Sun Dec 17, 2017 7:20 pm

flatiron wrote: I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?

It's not "wide open" by default. Physical access is needed, plus some Linux knowledge. Don't exaggerate.... :)
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

JeremyB
Level 17
Posts: 7711
Joined: Fri Feb 21, 2014 8:17 am

Re: Make the root password be automatically set when you set your admin password... again

Postby JeremyB » Sun Dec 17, 2017 7:27 pm

Set a BIOS password, use full disk encryption and even then you might have problems with someone who has physical access. Ubuntu has done this for some time and I don't remember many posts about being hacked because there is no root password set.

Re: Make the root password be automatically set when you set your admin password... again

Postby flatiron » Mon Dec 18, 2017 3:26 am

It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen.

Re: Make the root password be automatically set when you set your admin password... again

Postby Pjotr » Mon Dec 18, 2017 5:23 am

flatiron wrote: It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen.

You're entitled to your opinion of course, but you're exaggerating tremendously and annoyingly about a small issue.

Cosmo.
Level 22
Posts: 16056
Joined: Sat Dec 06, 2014 7:34 am

Re: Make the root password be automatically set when you set your admin password... again

Postby Cosmo. » Mon Dec 18, 2017 7:06 am

Inside of this thread is a discussion about the topic.

all41
Level 11
Posts: 3756
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Make the root password be automatically set when you set your admin password... again

Postby all41 » Mon Dec 18, 2017 11:29 am

Cosmo. wrote: Inside of this thread is a discussion about the topic.

Greetings Cosmo,
In that discussion you wrote:
Simply entering in a terminal sudo passwd gives you the possibility to set the root password and the problem is on this system solved.


Is this still the best method?
Considering the sizzle in the latest discussions regarding this the remedy seems quite trivial to implement.
Proud to be a supporter and monthly contributor to Mint.

Re: Make the root password be automatically set when you set your admin password... again

Postby Cosmo. » Mon Dec 18, 2017 4:32 pm

The command works with any Mint version, including 18.3. As it takes only a few seconds to do that and does not need any special knowledge, it is the most suitable method. (I don't use the word "best" here, as this word can be interpreted in different ways.)

Re: Make the root password be automatically set when you set your admin password... again

Postby all41 » Mon Dec 18, 2017 6:30 pm

Thanks Cosmo. That is what I've been doing while evaluating Mint 18.x

Why this philosophy change was implemented is hard to wrap my head around,
but the ballistic reactions seem overstated.

davidmedin
Level 2
Posts: 52
Joined: Tue Nov 28, 2017 2:56 am

Re: Make the root password be automatically set when you set your admin password... again

Postby davidmedin » Sun Jan 14, 2018 2:35 pm

To the guys who support this design decision.

Can I ask you a question?

When you leave your house or car unattended, you lock the doors and windows right?

Because although you know you cannot keep out a committed thief, you want to discourage opportunists and keep your belongings as secure as possible.

Now may I ask you why you feel you need to justify this horrible design decision? Is it out of tribal loyalty? Because it makes you look ignorant and partisan. Sorry, that's not an insult it's just a fact. The world of computing is not like supporting the local football team, warts and all. If it's wrong, call it out as wrong.

If the same mechanism was present in Windows you'd be all over it screeching about how inherently insecure Windows is. Hypocritical to the extreme.

Just observing. Don't shoot the messenger. This is a horrible, horrible design decision and needs to be done away with by bringing back the setting of a root password during system setup. Don't break things that aren't broken and reinvent the wheel - that's the Microsoft way.

David

Re: Make the root password be automatically set when you set your admin password... again

Postby Pjotr » Sun Jan 14, 2018 3:27 pm

davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---

Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.

Re: Make the root password be automatically set when you set your admin password... again

Postby davidmedin » Sun Jan 14, 2018 5:57 pm

Pjotr wrote:
davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---

Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.



I have full disk encryption enabled.

This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.

Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.

This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.

It's been entertaining :mrgreen:

Re: Make the root password be automatically set when you set your admin password... again

Postby JeremyB » Sun Jan 14, 2018 6:21 pm

davidmedin wrote:
Pjotr wrote:
davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---

Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.



I have full disk encryption enabled.

This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.

Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.

This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.

It's been entertaining :mrgreen:

You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set.

Re: Make the root password be automatically set when you set your admin password... again

Postby Pjotr » Sun Jan 14, 2018 6:57 pm

As JeremyB says. From time to time, you come across these n00bs with an attitude.... :wink:

karlchen
Level 18
Posts: 8167
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Make the root password be automatically set when you set your admin password... again

Postby karlchen » Sun Jan 14, 2018 7:01 pm

JeremyB wrote: You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set

As I understand, the concern is that
+ if root does not have a password, i.e. cannot login directly in normal run levels
+ if someone has got physical access to a machine and powers on the machine
+ this person only has to go to runlevel 1 in the Grub menu (recovery mode)
+ and can login to the system as root, because now the root account is unprotected.

As long as root has got a password, in the same scenario root would have to enter his password in order to login in recovery mode (runlevel 1) as well.

So the suggestion / request is reverting the current default behaviour to the previous default behaviour, where during the installation of Linux Mint the installer assigned the same password which you specified for your own account to user root as well.

The discussion on whether the Ubuntu approach creates an additional attack vector in a very specific situation will be at minimum as old as Ubuntu itself, if not older.
Everybody is free to agree with flatiron's suggestion or to disagree. But the discussion has been kind of overheated.

In the end the Mint makers will decide to stick with the current behaviour or to revert to the previous behaviour.

Closing the discussion.
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.
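
A read-only check for the condition discussed in this thread, added here as an example and not posted by any participant: it classifies root's password field in a shadow(5)-format file using the same codes `passwd -S` prints (P, L, NP). It assumes that an unset root password appears as a locked `!` field, as on Ubuntu-family installs; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether root has a usable password.
# Codes mirror `passwd -S`: P = usable password, L = locked (no usable
# password), NP = empty field (no password required at all).

classify_shadow_field() {
    case "$1" in
        "")        echo NP ;;  # empty second field
        '!'*|'*'*) echo L  ;;  # "!" or "*" prefix: no hash can match
        *)         echo P  ;;  # anything else is treated as a password hash
    esac
}

# root_pw_state [FILE]: print the state of root's entry in FILE.
# FILE defaults to /etc/shadow, which only root can read.
# Returns 2 if FILE has no root entry.
root_pw_state() {
    file="${1:-/etc/shadow}"
    line=$(grep '^root:' "$file") || return 2
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    classify_shadow_field "$field"
}

# Constructed sample entries (placeholders, not real hashes).
# "unset" assumes the installer left root locked with "!";
# "set" stands for the entry after `sudo passwd` has been run.
demo=$(mktemp -d)
printf 'root:!:17500:0:99999:7:::\n' > "$demo/unset"
printf 'root:$6$constructed$constructed:17517:0:99999:7:::\n' > "$demo/set"

for f in unset set; do
    printf '%s: root is %s\n' "$f" "$(root_pw_state "$demo/$f")"
done
rm -rf "$demo"
```

Run with no argument as root to check the live system; `sudo passwd -S root` reports the same state in its second column.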
