Make the root password be automatically set when you set your admin password... again


Make the root password be automatically set when you set your admin password... again

Post by flatiron »

I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?

"Set the root password
1.3. Starting with Linux Mint 18.2, the root password is unfortunately no longer set by default.

This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.

He can then do all kinds of nasty things. Like changing your own password....

This is how to fix it, by setting a password for root (preferably identical to your own password):

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following line into the terminal:

sudo passwd

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.

Note: I advise to make the root password ("UNIX password") identical to your own, in order to prevent problems later on.

That's it! Problem solved.

For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.

What this fix does, is blocking one much too easy way to get such unauthorized root access. Which increases security somewhat."

Re: Make the root password be automatically set when you set your admin password... again

Post by Pjotr »

flatiron wrote: I have read the below... this is disturbing. What exactly was the benefit of leaving a system so wide open?
It's not "wide open" by default. Physical access is needed, plus some Linux knowledge. Don't exaggerate.... :)
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: Make the root password be automatically set when you set your admin password... again

Post by JeremyB »

Set a BIOS password, use full disk encryption and even then you might have problems with someone who has physical access. Ubuntu has done this for some time and I don't remember many posts about being hacked because there is no root password set.

Re: Make the root password be automatically set when you set your admin password... again

Post by flatiron »

It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen.

Re: Make the root password be automatically set when you set your admin password... again

Post by Pjotr »

flatiron wrote: It seems like a really ridiculous exclusion though. What if someone had a malicious room mate? I mean... This has got to be the stupidest exclusion I have ever seen.
You're entitled to your opinion of course, but you're exaggerating tremendously and annoyingly about a small issue.

Re: Make the root password be automatically set when you set your admin password... again

Post by Cosmo. »

Inside of this thread is a discussion about the topic.

Re: Make the root password be automatically set when you set your admin password... again

Post by all41 »

Cosmo. wrote: Inside of this thread is a discussion about the topic.
Greetings Cosmo,
In that discussion you wrote:
Simply entering in a terminal sudo passwd gives you the possibility to set the root password and the problem is on this system solved.
Is this still the best method?
Considering the sizzle in the latest discussions regarding this the remedy seems quite trivial to implement.
Everything in life was difficult before it became easy.

Re: Make the root password be automatically set when you set your admin password... again

Post by Cosmo. »

The command works with any Mint version, including 18.3. As it takes only a few seconds to do that and does not need any special knowledge, it is the most suitable method. (I don't use the word "best" here, as this word can be interpreted in different ways.)

Re: Make the root password be automatically set when you set your admin password... again

Post by all41 »

Thanks Cosmo. That is what I've been doing while evaluating Mint 18.x

Why this philosophy change was implemented is hard to wrap my head around,
but the ballistic reactions seem overstated.

Re: Make the root password be automatically set when you set your admin password... again

Post by davidmedin »

To the guys who support this design decision.

Can I ask you a question?

When you leave your house or car unattended, you lock the doors and windows right?

Because although you know you cannot keep out a committed thief, you want to discourage opportunists and keep your belongings as secure as possible.

Now may I ask you why you feel you need to justify this horrible design decision? Is it out of tribal loyalty? Because it makes you look ignorant and partisan. Sorry, that's not an insult it's just a fact. The world of computing is not like supporting the local football team, warts and all. If it's wrong, call it out as wrong.

If the same mechanism was present in Windows you'd be all over it screeching about how inherently insecure Windows is. Hypocritical to the extreme.

Just observing. Don't shoot the messenger. This is a horrible, horrible design decision and needs to be done away with by bringing back the setting of a root password during system setup. Don't break things that aren't broken and reinvent the wheel - that's the Microsoft way.

David

Re: Make the root password be automatically set when you set your admin password... again

Post by Pjotr »

davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---
Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.

Re: Make the root password be automatically set when you set your admin password... again

Post by davidmedin »

Pjotr wrote:
davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---
Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.

I have full disk encryption enabled.

This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.

Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.

This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.

It's been entertaining :mrgreen:

Re: Make the root password be automatically set when you set your admin password... again

Post by JeremyB »

davidmedin wrote:
Pjotr wrote:
davidmedin wrote: To the guys who support this design decision.

Can I ask you a question?
--- ignorant rant removed ---
Answering ignorant rants is so boring. :mrgreen:

You're exaggerating about a small issue. Physical access is needed, plus some Linux knowledge. That drastically limits the practical risk.

To protect yourself from bad people who fulfill those two requirements, you need a lot more than a bloody root password. You need full disk encryption.

I have full disk encryption enabled.

This 'feature' just makes a bad situation even worse. And it reflects awfully on Linux.

Your response is yet another ignorant response that suggests a closed community that isn't open to any criticism or suggestions. That's a reflection on you, not me - but I do feel sorry for you.

This whole experience has been an eye-opener for me personally regarding the nature of many people who use Linux. You are not even half as 'virtuous' as you claim to be. Many of you are actually even more bigoted, arrogant and even ignorant than many Windows users.

It's been entertaining :mrgreen:
You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set.

Re: Make the root password be automatically set when you set your admin password... again

Post by Pjotr »

As JeremyB says. From time to time, you come across these n00bs with an attitude.... :wink:

Re: Make the root password be automatically set when you set your admin password... again

Post by karlchen »

JeremyB wrote: You can set a root password if you wish to. I don't remember seeing anything about anyone getting hacked because this password isn't set.
As I understand it, the concern is that
+ if root does not have a password, i.e. cannot log in directly in normal run levels
+ if someone has got physical access to a machine and powers on the machine
+ this person only has to go to runlevel 1 in the Grub menu (recovery mode)
+ and can log in to the system as root, because now the root account is unprotected.

As long as root has got a password, in the same scenario root would have to enter his password in order to log in in recovery mode (runlevel 1) as well.

So the suggestion / request is reverting the current default behaviour to the previous default behaviour, where during the installation of Linux Mint the installer assigned the same password which you specified for your own account to user root as well.

The discussion on whether the Ubuntu approach creates an additional attack vector in a very specific situation will be at minimum as old as Ubuntu itself, if not older.
Everybody is free to agree with flatiron's suggestion or to disagree. But the discussion has been kind of overheated.

In the end the Mint makers will decide to stick with the current behaviour or to revert to the previous behaviour.

Closing the discussion.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
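
As an added example (not part of any post in this thread): a shell check that classifies root's password field from one shadow(5)-format line and maps it to the recovery-mode behaviour karlchen describes above. The function names and the sample lines are constructed for illustration, and the hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Sample shadow lines are constructed;
# "$6$examplesalt$examplehash" is a placeholder, not a real hash.

# Print the state of root's password field from one shadow(5)-format line:
#   empty  - field is blank
#   locked - field starts with ! or * (no password login possible)
#   set    - a hash is present, as after running `sudo passwd`
root_pw_state() {
    line=$1
    name=${line%%:*}      # first field: account name
    rest=${line#*:}
    field=${rest%%:*}     # second field: password hash or lock marker
    if [ "$name" != "root" ]; then echo "not-root"; return 0; fi
    case $field in
        "")         echo "empty"  ;;
        '!'*|'*'*)  echo "locked" ;;
        *)          echo "set"    ;;
    esac
}

# Map the state to the behaviour the thread describes for recovery mode.
recovery_root_shell() {
    case $(root_pw_state "$1") in
        set)          echo "password-prompt" ;;
        empty|locked) echo "no-prompt" ;;
        *)            echo "unknown" ;;
    esac
}

# Constructed samples: locked root (Ubuntu-style default), after the
# `sudo passwd` fix, and a blank password field.
for sample in \
    'root:!:17494:0:99999:7:::' \
    'root:$6$examplesalt$examplehash:17494:0:99999:7:::' \
    'root::17494:0:99999:7:::'
do
    printf '%-9s %s\n' "$(root_pw_state "$sample")" "$(recovery_root_shell "$sample")"
done

# On a live system (root is needed to read the shadow database):
#   recovery_root_shell "$(sudo getent shadow root)"
```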