Make the root password be automatically set when you set your admin password... again
I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?
"Set the root password
1.3. Starting with Linux Mint 18.2, the root password is unfortunately no longer set by default.
This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.
He can then do all kinds of nasty things. Like changing your own password....
This is how to fix it, by setting a password for root (preferably identical to your own password):
Launch a terminal window.
(You can launch a terminal window like this: *Click*)
Copy/paste the following line into the terminal:
sudo passwd
Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.
Note: I advise to make the root password ("UNIX password") identical to your own, in order to prevent problems later on.
That's it! Problem solved.
For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.
What this fix does, is blocking one much too easy way to get such unauthorized root access. Which increases security somewhat."
- Pjotr
- Level 24
- Posts: 20090
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: Make the root password be automatically set when you set your admin password... again
flatiron wrote: "I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?"
It's not "wide open" by default. Physical access is needed, plus some Linux knowledge. Don't exaggerate....
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: Make the root password be automatically set when you set your admin password... again
Set a BIOS password, use full disk encryption and even then you might have problems with someone who has physical access. Ubuntu has done this for some time and I don't remember many posts about being hacked because there is no root password set.
Re: Make the root password be automatically set when you set your admin password... again
It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen.
- Pjotr
Re: Make the root password be automatically set when you set your admin password... again
flatiron wrote: "It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen."
You're entitled to your opinion of course, but you're exaggerating tremendously and annoyingly about a small issue.
Re: Make the root password be automatically set when you set your admin password... again
Inside of this thread is a discussion about the topic.
Re: Make the root password be automatically set when you set your admin password... again
Cosmo. wrote: "Inside of this thread is a discussion about the topic."
Greetings Cosmo,
In that discussion you wrote:
"Simply entering in a terminal
sudo passwd
gives you the possibility to set the root password and the problem is on this system solved."
Is this still the best method?
Considering the sizzle in the latest discussions regarding this the remedy seems quite trivial to implement.
Everything in life was difficult before it became easy.
Re: Make the root password be automatically set when you set your admin password... again
The command works with any Mint version, including 18.3. As it takes only a few seconds to do that and does not need any special knowledge, it is the most suitable method. (I don't use the word "best" here, as this word can be interpreted in different ways.)
Re: Make the root password be automatically set when you set your admin password... again
Thanks Cosmo. That is what I've been doing while evaluating Mint 18.x
Why this philosophy change was implemented is hard to wrap my head around,
but the ballistic reactions seem overstated.
Re: Make the root password be automatically set when you set your admin password... again
To the guys who support this design decision.
Can I ask you a question?
When you leave your house or car unattended, you lock the doors and windows right?
Because although you know you cannot keep out a committed thief, you want to discourage opportunists and keep your belongings as secure as possible.
Now may I ask you why you feel you need to justify this horrible design decision? Is it out of tribal loyalty? Because it makes you look ignorant and partisan. Sorry, that's not an insult it's just a fact. The world of computing is not like supporting the local football team, warts and all. If it's wrong, call it out as wrong.
If the same mechanism was present in Windows you'd be all over it screeching about how inherently insecure Windows is. Hypocritical to the extreme.
Just observing. Don't shoot the messenger. This is a horrible, horrible design decision and needs to be done away with by bringing back the setting of a root password during system setup. Don't break things that aren't broken and reinvent the wheel - that's the Microsoft way.
David
- Pjotr
Re: Make the root password be automatically set when you set your admin password... again
davidmedin wrote: "To the guys who support this design decision.
Can I ask you a question?
--- ignorant rant removed ---"
Answering ignorant rants is so boring.
You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.
To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.
Re: Make the root password be automatically set when you set your admin password... again
Pjotr wrote: "davidmedin wrote: "To the guys who support this design decision.
Can I ask you a question?
--- ignorant rant removed ---"
Answering ignorant rants is so boring.
You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.
To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption."
I have full disk encryption enabled.
This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.
Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.
This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.
It's been entertaining
Re: Make the root password be automatically set when you set your admin password... again
davidmedin wrote: "Pjotr wrote: "davidmedin wrote: "To the guys who support this design decision.
Can I ask you a question?
--- ignorant rant removed ---"
Answering ignorant rants is so boring. :mrgreen:
You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.
To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption."
I have full disk encryption enabled.
This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.
Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.
This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.
It's been entertaining :mrgreen:"
You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set
- Pjotr
Re: Make the root password be automatically set when you set your admin password... again
As JeremyB says. From time to time, you come across these n00bs with an attitude....
Re: Make the root password be automatically set when you set your admin password... again
JeremyB wrote: "You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set"
As I understand the concern is that
+ if root does not have a password, i.e. cannot login directly in normal run levels
+ if someone has got physical access to a machine and powers on the machine
+ this person only has to go to runlevel 1 in the Grub menu (recovery mode)
+ and can login to the system as root, because now the root account is unprotected.
As long as root has got a password, in the same scenario root would have to enter his password in order to login in recovery mode (runlevel 1) as well.
So the suggestion / request is reverting the current default behaviour to the previous default behaviour, where during the installation of Linux Mint the installer assigned the same password which you specified for your own account to user root as well.
The discussion on whether the Ubuntu approach creates an additional attack vector in a very specific situation will be at minimum as old as Ubuntu itself, if not older.
Everybody is free to agree with flatiron's suggestion or to disagree. But the discussion has been kind of overheated.
In the end the Mint makers will decide to stick with the current behaviour or to revert to the previous behaviour.
Closing the discussion.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
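A check for the root account state this thread argues about, as an added example that is not part of any post above: it classifies the password field of root's /etc/shadow entry so you can confirm whether `sudo passwd` took effect. The function names and sample entries are constructed for illustration, and treating a leading `!` or `*` as the "no root password set" default is an assumption about how the installer leaves the account.

```shell
#!/bin/sh
# Added example. Classifies the second field of a shadow entry
# (name:password-field:...). Prints: missing | empty | locked | set

root_pw_state() {
    entry=$1
    case $entry in
        root:*) ;;                        # only root's entry is of interest
        *) echo missing; return 0 ;;
    esac
    rest=${entry#root:}                   # drop the account name
    field=${rest%%:*}                     # keep only the password field
    case $field in
        '')        echo empty ;;          # no password at all
        '!'*|'*'*) echo locked ;;         # no usable password (assumed default state)
        *)         echo set ;;            # a password hash is present
    esac
}

# Succeeds only when a root password hash is present, i.e. the state the
# thread's "sudo passwd" fix is meant to produce.
recovery_shell_guarded() {
    [ "$(root_pw_state "$1")" = set ]
}

# Constructed sample entries (not taken from any real system).
SAMPLE_LOCKED='root:!:17300:0:99999:7:::'
SAMPLE_EMPTY='root::17300:0:99999:7:::'
SAMPLE_SET='root:$6$constructedsalt$constructedhash:17300:0:99999:7:::'

for line in "$SAMPLE_LOCKED" "$SAMPLE_EMPTY" "$SAMPLE_SET"; do
    printf '%-8s %s\n' "$(root_pw_state "$line")" "$line"
done

# On a live system (reading the shadow database requires root):
#   root_pw_state "$(sudo getent shadow root)"
```

A result of `set` only shows that a hash is present; as several posters note, it does not replace a firmware password or full disk encryption against someone with physical access.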