On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
> On 2015-02-04, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>> One might question why *nix distributions insist on providing a known
>> point of attack to begin with. Why does user 0 have to be called root?
>> Why not beatlebailey, cinnamon or pasdecharge?
>
> That is more or less what OS X does. User 0 still exists, and it's
> labelled as "root", but there is no way (unless the owner goes way out
> of his way) to actually log in as root. The first account created is
> given full sudo access, and can choose to grant sudo to subsequently
> created users.

Which I consider almost as "security through obscurity" (I said "almost"!)

I'm neutral to sudo (even though I was taught "the smaller number of SUID/SGID files you have, the better"). Yet I consider it less safe to have a regular user, who can log in with a GUI interface and is likely to be doing regular user stuff, have almighty abilities. Yes, I know, I know, he has to prepend "sudo"... OK, this seems to be a question of taste in the majority opinion.

> (Users with sudo can still get a root shell, but that's
> not the same as logging in as root.)
>
> I thought Ubuntu did this as well, but I haven't installed Ubuntu for
> quite a while. Anyone know?

Yes, Debian and its clones have a full-fledged root account, only with an empty password hash (thus making it an account for which no password will match). You can enable it by grabbing a root shell using sudo, then using the command passwd to set a password. Voila. And they are more or less neutral; they do not insist that having a disabled root account adds to the security of the machine (which it doesn't), as far as I recollect reading their docs.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 2015-02-04, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
>> On 2015-02-04, James B. Byrne
>> <byrnejb at harte-lyne.ca> wrote:
[SNIP]
>> (Users with sudo can still get a root shell, but that's
>> not the same as logging in as root.)
>>
>> I thought Ubuntu did this as well, but I haven't installed Ubuntu for
>> quite a while. Anyone know?
>
> Yes, Debian and its clones have full fledged root account, only with empty
> password hash (thus making it account for which no password will match).
> You can enable it by grabbing root shell using sudo, then using command
> passwd to set password. voila.
>

The behaviour you describe is to be found on Ubuntu, but not Debian. The Debian installer prompts for a root password, whereas the Ubuntu installer does not. The 'sudo' package is optional (in APT terminology) in the case of Debian.

-- 
Liam
On 2015-02-04, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> I'm neutral to sudo (even though I was taught "the smaller number of
> SUID/SGID files you have, the better). Yet, I'm considering it less safe
> to have regular user who can log in with GUI interface, and likely to be
> doing regular user stuff to have almighty abilities. Yes, I know, I know
> he has to prepend "sudo"... OK, this seems to be kind of question of taste
> in the majority opinion.

I think it's basically six of one, half-dozen of the other. Is a user any more or less likely to screw up his box if he has to log in as root or has to use sudo? I really don't know. OTOH, forcing sudo does have one advantage, in that every sudo command is logged. (If you do sudo su you lose that.)

> Yes, Debian and its clones have full fledged root account, only with empty
> password hash (thus making it account for which no password will match).
> You can enable it by grabbing root shell using sudo, then using command
> passwd to set password. voila.

I believe that on recent OS Xs this method no longer works (it used to).

As to the original topic (heh), isn't it a bit counterproductive to complain about changes in Fedora or RHEL on this list? Those distributions are separate entities with their own decision-making processes. If you want to complain about Fedora, go to their list (which IIRC the OP pointed people to). If you want to complain about RHEL, buy a RedHat support contract. It seems to me that the only legitimate complaints one could make about CentOS would be if they went out of their way to make CentOS different from RHEL in a very suboptimal way. Do you really have any justification for complaining if CentOS enforces the same password requirements on install as RHEL?

--keith

-- 
kkeller at wombat.san-francisco.ca.us
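The logging point made above (every sudo invocation is recorded, but after "sudo su" nothing that follows is) can be turned into a small audit. This is an added example, not code from the thread or any distribution: it parses sudo's standard syslog line format from constructed auth.log-style samples and flags the invocations that hand out a root shell or set root's password, i.e. the two events after which per-command sudo logging tells you nothing more.

```python
import re

# Constructed sample lines in the format sudo writes to syslog/auth.log.
# Sample data for this example only; no real host or user is represented.
SAMPLE_LOG = """\
Feb  4 10:18:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb  4 10:19:42 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Feb  4 10:20:05 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash -i
Feb  4 10:21:13 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Feb  4 10:22:00 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql
Feb  4 10:23:30 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2
"""

# Fields sudo logs for each accepted command: caller, tty, cwd, target user, argv.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that give the caller an interactive root shell. "sudo -i" / "sudo -s"
# also show up here, since sudo logs the target user's shell as the COMMAND.
SHELL_ESCAPES = {"su", "bash", "sh", "zsh", "dash", "ksh"}


def parse_sudo(line):
    """Return the parsed fields of one sudo log line, or None for other lines."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label an entry by what it means for the sudo audit trail."""
    argv = entry["cmd"].split()
    prog = argv[0].rsplit("/", 1)[-1]
    if entry["target"] == "root":
        if prog in SHELL_ESCAPES:
            return "ROOT_SHELL"            # per-command logging stops here
        # "passwd" with no argument, run as root, also changes root's password
        if prog == "passwd" and (len(argv) == 1 or argv[1] == "root"):
            return "ROOT_PASSWORD_CHANGE"  # root login being (re)enabled
    return "OK"


def audit(log_text):
    """Return (timestamp, caller, label, command) for every flagged sudo line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_sudo(line)
        if entry is not None and (label := classify(entry)) != "OK":
            findings.append((entry["ts"], entry["user"], label, entry["cmd"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```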
On Thu, February 5, 2015 12:49 am, Keith Keller wrote:
> On 2015-02-04, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> I'm neutral to sudo (even though I was taught "the smaller number of
>> SUID/SGID files you have, the better). Yet, I'm considering it less safe
>> to have regular user who can log in with GUI interface, and likely to be
>> doing regular user stuff to have almighty abilities. Yes, I know, I know
>> he has to prepend "sudo"... OK, this seems to be kind of question of
>> taste
>> in the majority opinion.
>
> I think it's basically six of one, half-dozen of the other. Is a user
> any more or less likely to screw up his box if he has to log in as root
> or has to use sudo? I really don't know. OTOH, forcing sudo does have
> one advantage, in that every sudo command is logged. (If you do sudo su
> you lose that.)
>
>> Yes, Debian and its clones have full fledged root account, only with
>> empty
>> password hash (thus making it account for which no password will match).
>> You can enable it by grabbing root shell using sudo, then using command
>> passwd to set password. voila.
>
> I believe that on recent OS Xs this method no longer works (it used to).
>
> As to the original topic (heh), isn't it a bit counterproductive to
> complain about changes in Fedora or RHEL on this list? Those
> distributions are separate entities with their own decision making
> processes. If you want to complain about Fedora, go to their list
> (which IIRC the OP pointed people to). If you want to complain about
> RHEL, buy a RedHat suport contract. It seems to me that the only
> legitimate complaints one could make about CentOS would be if they went
> out of their way to make CentOS different from RHEL in a very suboptimal
> way. Do you really have any justification for complaining if CentOS
> enforces the same password requirements on install as RHEL?
>

I second that.

Valeri

> --keith
>
>
> --
> kkeller at wombat.san-francisco.ca.us
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>