Disable root after sudo enable?

globetrotterdk
Posts: 435
Joined: 26. Oct 2010, 13:57
Location: Denmark

Disable root after sudo enable?

Post by globetrotterdk »

Is disabling the root account recommended after having implemented sudo?
I have added my user name to /etc/sudoers:

Code:

# visudo

I have also added paths to my ~/.bashrc file:

Code:

PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH

Would the next step be:

Code:

sudo getent shadow root|cut -d : -f 2

???
Military justice is to justice what military music is to music. - Groucho Marx
Shador
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: Disable root after sudo enable?

Post by Shador »

globetrotterdk wrote: Is disabling the root account recommended after having implemented sudo?

No, not unless you use a weak password for it. It's just an additional "incentive" not to become root anymore. Although that can still be circumvented with:

Code:

sudo /bin/sh

globetrotterdk wrote:

Code:

sudo getent shadow root|cut -d : -f 2

Context? This line just extracts the hashed password from the password database.
globetrotterdk
Posts: 435
Joined: 26. Oct 2010, 13:57
Location: Denmark

Re: Disable root after sudo enable?

Post by globetrotterdk »

Shador wrote:
globetrotterdk wrote: Is disabling the root account recommended after having implemented sudo?
No, not unless you use a weak password for it. It's just an additional "incentive" not to become root anymore. Although that can still be circumvented with:

Code:

sudo /bin/sh

Thanks Shador

Shador wrote:
globetrotterdk wrote:

Code:

sudo getent shadow root|cut -d : -f 2

Context? This line just extracts the hashed password from the password database.

Yes. I saw that posted on an Ubuntu forum as an alternative to deleting the root account. Mileage of course may vary.
gapan
Salix Wizard
Posts: 6368
Joined: 6. Jun 2009, 17:40

Re: Disable root after sudo enable?

Post by gapan »

First of all, there is no way anyone can disable the root account. You may choose not to use it, but you can't disable it. You may think that *buntu has it disabled but you're mistaken. There is a root user account, it just has a random password assigned to it, so you can't use it.

That said, I see no reason why you would want to do anything like that.
globetrotterdk
Posts: 435
Joined: 26. Oct 2010, 13:57
Location: Denmark

Re: Disable root after sudo enable?

Post by globetrotterdk »

gapan wrote: First of all, there is no way anyone can disable the root account. You may choose not to use it, but you can't disable it. You may think that *buntu has it disabled but you're mistaken. There is a root user account, it just has a random password assigned to it, so you can't use it.

That said, I see no reason why you would want to do anything like that.

Just inquiring about the correct procedure when sudo is being used. The book "Beginning the Linux Command Line" by Sander van Vugt seems to suggest that a good reason to use sudo is that having a root account is less secure. I am aware that there is a difference of opinion on the issue and I am just trying to figure out what is recommended within the parameters of Salix OS.
gapan
Salix Wizard
Posts: 6368
Joined: 6. Jun 2009, 17:40

Re: Disable root after sudo enable?

Post by gapan »

If you want more than one user to have access to administrative tasks, it is less secure, because every user will need to know the root user password. I don't see how it can be less secure in any other way.

You can set the user password to something terribly complex that you won't be able to remember in the next second, something like "KrofukkK!@6eyzyfeY8@I%&5deTmbd$aafFT9UEtSxoS6i5ykA". That way you will have effectively "disabled" the root user account, since you won't be able to use it (not directly anyway, as stated before there are workarounds of course - this is what *buntu does). But I don't see how that is different than just not giving the root password to every other user and choosing not to use the root user yourself.
thenktor
Salix Wizard
Posts: 2426
Joined: 6. Jun 2009, 14:47
Location: Franconia

Re: Disable root after sudo enable?

Post by thenktor »

globetrotterdk wrote: Just inquiring about the correct procedure when sudo is being used.
The correct procedure is not to use sudo :mrgreen: :ugeek: :twisted:
burnCDDA (burns audio CDs)
geBIERt (German beer blog)
Shador
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: Disable root after sudo enable?

Post by Shador »

gapan wrote: You can set the user password to something terribly complex that you won't be able to remember in the next second, something like "KrofukkK!@6eyzyfeY8@I%&5deTmbd$aafFT9UEtSxoS6i5ykA". That way you will have effectively "disabled" the root user account, since you won't be able to use it (not directly anyway, as stated before there are workarounds of course - this is what *buntu does). But I don't see how that is different than just not giving the root password to every other user and choosing not to use the root user yourself.

Actually you can lock or disable an account by putting '!' or '*', respectively, into the password field. Additionally you can replace the default shell with /bin/false. https://administratosphere.wordpress.co ... ow-format/
gapan
Salix Wizard
Posts: 6368
Joined: 6. Jun 2009, 17:40

Re: Disable root after sudo enable?

Post by gapan »

Shador wrote: Actually you can lock or disable an account by putting '!' or '*', respectively, into the password field. Additionally you can replace the default shell with /bin/false. https://administratosphere.wordpress.co ... ow-format/

Still, that's pretty much the same thing. You don't disable the account, you set a non-working password. You can still get around that (and also setting the default shell) with: sudo su -s /bin/bash
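Added example (not part of any post in this thread): a small shell helper that reads shadow-format lines, such as the output of the `getent shadow root` command quoted earlier, and reports the state of the password field, including the '!' and '*' markers Shador describes. The function names and sample entries are constructed for illustration; as gapan points out, these markers only affect password authentication, so a sudo route to a root shell is unaffected.

```shell
#!/bin/sh
# Classify the password field (2nd colon-separated field) of shadow-format
# lines. States follow shadow(5). Function names are hypothetical.

# classify_field FIELD -> prints: empty | locked | locked-with-hash | unusable | hash | other
classify_field() {
    case "$1" in
        "")        echo "empty" ;;            # no password required for this login
        "!"|"!!")  echo "locked" ;;           # locked, nothing usable behind the marker
        "!"*)      echo "locked-with-hash" ;; # '!' prepended to the previous hash (passwd -l)
        "*")       echo "unusable" ;;         # not a valid crypt(3) result: no password login
        '$'*)      echo "hash" ;;             # crypt(3) hash in $id$salt$hash form
        *)         echo "other" ;;            # legacy DES hash or unrecognised content
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "<name> <state>" per entry.
audit_shadow() {
    while IFS=: read -r name field _rest; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(classify_field "$field")"
    done
}

# Constructed sample entries (not real hashes), so the example runs offline.
sample_shadow() {
    cat <<'EOF'
root:!$6$constructedsalt$constructedhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow

# On a real system the same check would read the live entry instead:
#   sudo getent shadow root | audit_shadow
```

An entry reported as `empty` is the one to act on first, since it allows login without any password; `locked` and `unusable` entries can still be reached through sudo or other non-password mechanisms.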
globetrotterdk
Posts: 435
Joined: 26. Oct 2010, 13:57
Location: Denmark

Re: Disable root after sudo enable?

Post by globetrotterdk »

thenktor wrote:
globetrotterdk wrote: Just inquiring about the correct procedure when sudo is being used.
The correct procedure is not to use sudo :mrgreen: :ugeek: :twisted:
OK, thanks :) It was mentioned in the context of using the Skis 3G script, however. For reference, the thread is here.