Is it better to set root password or not?

All Gurus once were Newbies
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help
Post Reply
Cap
Level 2
Level 2
Posts: 95
Joined: Sat Dec 21, 2019 8:56 pm

Is it better to set root password or not?

Post by Cap »

Is it better to set root password or not?
User avatar
karlchen
Level 21
Level 21
Posts: 13323
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Is it better to set root password or not?

Post by karlchen »

Hello, cap.

This is one of the questions, which does not have a simple right or wrong answer. The dispute has got a very long history by now.
Please, see the Ubuntu Community article on "RootSudo": RootSudo.
Whichever way you decide to go,
+ stick with the current Ubuntu and Linux Mint approach of locking the root account and using "sudo" only when needing root permissions
+ unlock the root account by assigning root a password,
this decision alone is unlikely to make you more secure or less secure.

Best regards,
Karl
Image
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)
rene
Level 16
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: Is it better to set root password or not?

Post by rene »

... but for what it's worth, with "better" in the sense of "more convenient" I feel it better to set one. Specifically it unlocks the capability to log in as root on a virtual console (Ctrl-Alt-F1/F6) for example to fix something in your user setup that causes said user to no longer have root access. In the "security" sense it doesn't matter all that much.
ajgreeny
Level 5
Level 5
Posts: 636
Joined: Mon Nov 19, 2007 3:27 pm

Re: Is it better to set root password or not?

Post by ajgreeny »

rene wrote:
Sun Feb 16, 2020 12:50 pm
... but for what it's worth, with "better" in the sense of "more convenient" I feel it better to set one. Specifically it unlocks the capability to log in as root on a virtual console (Ctrl-Alt-F1/F6) for example to fix something in your user setup that causes said user to no longer have root access. In the "security" sense it doesn't matter all that much.
Doesn't Mint have Recovery mode (from the grub menu) to allow access into the user's filesystem just like Ubuntu?
In 15 years of use of Ubuntu and Mint I have never once needed to log in as root.
rene
Level 16
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: Is it better to set root password or not?

Post by rene »

ajgreeny wrote:
Sun Feb 16, 2020 1:12 pm
Doesn't Mint have Recovery mode (from the grub menu) to allow access into the user's filesystem just like Ubuntu?
Yes. But if you eff around enough rebooting just to log in as root becomes tedious quite fast I can assure you. Which is of course indeed offset if you never want to in the first place, but which I still semi-regularly do.

I by the way see that the linked Ubuntu article doesn't specifically mention it, but said "recovery mode" is oft seen as the best argument for setting a root password: without one "anyone" can boot into that mode and be root. Given that access to recovery mode implies other and nearly as easy methods to gain root as well it's not in fact a very good argument, but, well, you decide...
ajgreeny
Level 5
Level 5
Posts: 636
Joined: Mon Nov 19, 2007 3:27 pm

Re: Is it better to set root password or not?

Post by ajgreeny »

rene wrote:
Sun Feb 16, 2020 1:20 pm
ajgreeny wrote:
Sun Feb 16, 2020 1:12 pm
Doesn't Mint have Recovery mode (from the grub menu) to allow access into the user's filesystem just like Ubuntu?
Yes. But if you eff around enough rebooting just to log in as root becomes tedious quite fast I can assure you. Which is of course indeed offset if you never want to in the first place, but which I still semi-regularly do.

I by the way see that the linked Ubuntu article doesn't specifically mention it, but said "recovery mode" is oft seen as the best argument for setting a root password: without one "anyone" can boot into that mode and be root. Given that access to recovery mode implies other and nearly as easy methods to gain root as well it's not in fact a very good argument, but, well, you decide...
But let's be clear about this; physical access to the machine immediately means that files on it are available, unless, of course, encryption is used.

As you say, only you can decide what's correct for you.
rene
Level 16
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: Is it better to set root password or not?

Post by rene »

ajgreeny wrote:
Sun Feb 16, 2020 2:45 pm
But let's be clear about this; physical access to the machine immediately means that files on it are available, unless, of course, encryption is used.
Yes. Ergo why I also don't particularly care about the "recovery mode" difference even though some argue that having a root password set is useful in that sense. Virtual console logins without reboots is all that I need as argument...
Cap
Level 2
Level 2
Posts: 95
Joined: Sat Dec 21, 2019 8:56 pm

Re: Is it better to set root password or not?

Post by Cap »

I am not clear what the Linux Mint approach is. During installation it does not set a root password but after System Report warns to set a root password?

Is a weak password for root worse than no password?
User avatar
smurphos
Level 17
Level 17
Posts: 7332
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: Is it better to set root password or not?

Post by smurphos »

Cap wrote:
Mon Feb 17, 2020 2:57 pm
I am not clear what the Linux Mint approach is.
Neither is Linux Mint :wink:

The recommendation to consider setting a root password was new in Mint 19.3. Following initial user feedback shortly after release (basically of the what on earth does this mean variety. and also the confusion caused by the fact that Mint Report had no way of knowing if the user had actually set a root password or not) the Mint team decided to revert to the status quo and via an update to Mint report removed the recommendation entirely.

So basically if the first thing you do after a fresh install is apply all updates and reboot you'll never see the recommendation.

Historically prior to Mint 18.2, the root password was set to the same as the initial user password during install. This was not a transparent process to users so they could end up in a situation where they subsequently changed the user password, and forget the original not realising that it was still in place as roots password.

From a security point of view, if there is any possibility of remote access (browser bug, ssh server with root login enabled etc) setting the root password could potentially could make it easier for a remote attacker to take full control. They don't need to guess / brute force a user name and password, they can just try and brute force the password as they know the user name is root.

For a local attacker setting the root password makes it slightly harder for an attacker to get root access via GRUB/recovery. But it's still pretty trivial to work around a root password if the attacker can get to GRUB. Basically if local security is a priority then full disk encryption is the best way.

Ultimately the only real advantage of setting it is the scenario outlined by rene of making recovery from issues like accidentally removing the main administrators sudo rights slightly easier to recover from, albeit I'd suggest if your the kind of user that would do that you are also probably the kind of user that would set and forget the root password..... :roll:
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
rene
Level 16
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: Is it better to set root password or not?

Post by rene »

smurphos wrote:
Mon Feb 17, 2020 3:44 pm
[ ... ] albeit I'd suggest if your the kind of user that would do that you are also probably the kind of user that would set and forget the root password..... :roll:
Disagree; typoing /etc/sudoers even the best of us do at times ;-)
mintmdrescher
Level 1
Level 1
Posts: 31
Joined: Thu Jun 11, 2015 9:33 am

Re: Is it better to set root password or not?

Post by mintmdrescher »

Cap wrote:
Mon Feb 17, 2020 2:57 pm
Is a weak password for root worse than no password?
Setting a weak password is definitively worse then setting none. Because a normal PAM setup requires a password to be present to log in.
There is a 'nullok' option for the PAM password module, but hopefully, no one ever uses this.
Post Reply

Return to “Newbie Questions”