Fedora Linux Support Community & Resources Center

  #16  
Old 3rd January 2017, 06:13 PM
User808 Offline
Registered User
 
Join Date: Aug 2016
Location: Iraq
Posts: 570
Re: Disable root account on Fedora, is it a safety measure?

Quote:
Originally Posted by computersavvy View Post
Using a separate root account and password with su may (in the opinion of many) have a big advantage over sudo.

If the regular user (who has sudo and full administrative privileges through sudo) has his account hacked then the hacker has already gained full admin access to the machine because he now has the password needed to run sudo.

If, instead, root is denied ALL external access (and the user does not have sudo access for admin) but the privileges must be gained by logging in as a regular user then using su with the root password it now becomes necessary for the hacker to break through 2 levels of (hopefully) secure passwords to gain administrator privileges. He must gain the user's access then follow that by hacking the root password as well.

The debate on which is better continues.

Some distributions only install a regular user and grant him full administrative sudo privileges and by default lock the root account. (only one level of password to break to gain access)

Fedora, on the other hand, does not by default give any user sudo privileges. Instead Fedora creates both a standard user with no admin access and a root account for use in administration tasks. The user must log in as a standard user then either su to root or configure sudo themselves in order to administer the machine. (by default two levels of passwords to break for access) In this regard Fedora follows the practice of Red Hat with their enterprise server security scheme.
The one weakness in Fedora's scheme I dislike is that by default root can connect to a Fedora system by ssh (once sshd has been started). I change that from default before I start sshd on my machines because I believe the 2 step process is more secure.

I am not familiar with the practices of all the different distributions but suffice it to say that not everyone agrees on which practice is more secure or appropriate.
Some choices are made for convenience, some for security, some in between; YMMV.
Many thanks!

1) I use Fedora Workstation & I heard from someone that ssh is disabled by default on the Workstation edition. Is this true?

2) I'm asking about disabling the root account with the aim of creating a new (isolated) user account to run Wine on it (PlayOnLinux, portable version). Such a new account has no sudo by default. On the other hand, when I installed Fedora I gave the 1st user (owner) sudo power.

Now let us suppose that I created a wine-user account (with no sudo) & already have my 1st user account with sudo power. Which is safer for the wine-user account (without sudo power): disabling root or enabling it?

3) I understood from you that an active root password is more secure for my 1st user (owner) account (which has sudo power). Is this correct? Really confusing!
__________________
Fedora 24 X64 bit Cinnamon edition on Lenovo ThinkPad e550 with Intel core i7 5500 CPU @ 2.40 GH X 2, RAM = 8 GB, HHD = 1 TB, Hybrid VGA (Intel Corporation HD Graphic 5500 + Radeon R7 M265 2GB)
Reply With Quote
  #17  
Old 3rd January 2017, 06:37 PM
computersavvy Offline
Registered User
 
Join Date: Oct 2014
Location: Texas, USA
Posts: 37
Re: Disable root account on Fedora, is it a safety measure?

Here is a simple test that I did that displays the DANGER of using "passwd -d <user>"

First I created a test account (which is locked by default).
Quote:
[root@laptop user]# adduser test1
I then attempted to su to that user's account
Quote:
[user@laptop ~]$ su test1
Password:
su: Authentication failure
It prompted for a password, but with a locked account nothing would work.

I then deleted the password
Quote:
[root@laptop user]# passwd -d test1
Removing password for user test1.
passwd: Success
The password was successfully unlocked

I then attempted to su to the test account again
Quote:
[user@laptop ~]$ su test1
[test1@laptop user]$
Note that I was not prompted for a password, and that it successfully switched user to the test account.

Now for the "passwd -l test1" option
Quote:
[root@laptop user]# passwd -l test1
Locking password for user test1.
passwd: Success
The password was locked.

A final test to su to that account
Quote:
[user@laptop ~]$ su test1
Password:
su: Authentication failure
Again it failed.

Note that this test took a couple minutes but it took me a lot longer to write and format this response. I encourage you to try things that you want to know so you can learn on your own pc, THEN ask questions when something does not work as the documentation says it should.
Reply With Quote
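Added example (not part of the posts above): the three states seen in that test correspond to three different values of the password field in /etc/shadow, and this script classifies them so that accounts left with an empty field can be found. The function names and the sample data are constructed for illustration; the hash strings are placeholders.

```shell
#!/bin/sh
# Added example: classify the password field (field 2) of shadow(5)-format lines.
# Prints "<user> <state>" per account:
#   EMPTY   field is empty: no password is asked for (the state after `passwd -d`)
#   LOCKED  field starts with "!": password login cannot succeed (`passwd -l`, or never set)
#   NOHASH  field starts with "*": no valid hash, password login cannot succeed
#   SET     field holds a password hash
shadow_states() {
    awk -F: '
        NF < 2 || /^#/ { next }                 # skip blank and comment lines
        {
            c = substr($2, 1, 1)
            if ($2 == "")      state = "EMPTY"
            else if (c == "!") state = "LOCKED"
            else if (c == "*") state = "NOHASH"
            else               state = "SET"
            print $1, state
        }' "$1"
}

# List accounts usable without a password; returns 1 if any exist.
empty_password_accounts() {
    found=$(shadow_states "$1" | awk '$2 == "EMPTY" { print $1 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:17169:0:99999:7:::
bin:*:17169:0:99999:7:::
test1::17169:0:99999:7:::
test2:!!:17169:0:99999:7:::
test3:!!$6$CONSTRUCTED$placeholderhash:17169:0:99999:7:::
EOF
}

# Demo: run as `sh script.sh --demo`; point shadow_states at /etc/shadow as root.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_shadow > "$tmp"
    shadow_states "$tmp"
    empty_password_accounts "$tmp" >/dev/null || echo "empty password field found"
    rm -f "$tmp"
fi
```

A LOCKED field only blocks password authentication; root can still su to the account, and other login methods such as SSH keys are not affected by it.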
  #18  
Old 3rd January 2017, 06:55 PM
lsatenstein Online
Registered User
 
Join Date: Jun 2005
Location: Montreal, Que, Canada
Posts: 4,008
Re: Disable root account on Fedora, is it a safety measure?

Here is my practice regarding passwords

During Fedora installation, responding to anaconda, I create a very very simple password for both root and admin.

I do it this way since many times, I demo to others how to perform a Fedora installation. However, when that person has left the scene, I log in to the root account, and I change root's own password and the superuser's password to new values.

Because I install two languages, English and French, and two keyboards, the ca and us layouts, I do not use a complex password during installation. I cannot guarantee if Fedora boots with the ca layout active or the us as the active keyboard. Sometimes I test other distributions. For distributions which oblige a sudo password, and no root password, the sudo password is often shared with root.

After my installation of Fedora has completed, I change both root and admin's passwords. I found that I want very much to have a separate root password. The reason has to do with the admin's bash_profile which I modify for my needs. When logging into Linux, as other than root, the .bash_profile gets executed. When I log into Fedora as root, the .bash_profile and other setups are not invoked. It is safer for me to have a separate root password to accompany a system admin sudo password. As well, root is the safety backup for the sudo password and vice versa. Obviously one can from the admin logon issue sudo passwd root.

I also want a separate root password installed in case I have to execute a rescue of Fedora. In 10 years of using Fedora daily, this rescue activity has never happened to me.
__________________
Leslie in Montreal

Interesting web sites list
http://forums.fedoraforum.org/showth...40#post1697840
Reply With Quote
  #19  
Old 4th January 2017, 06:27 PM
computersavvy Offline
Registered User
 
Join Date: Oct 2014
Location: Texas, USA
Posts: 37
Re: Disable root account on Fedora, is it a safety measure?

Quote:
Originally Posted by lsatenstein View Post
Here is my practice regarding passwords

During Fedora installation, responding to anaconda, I create a very very simple password for both root and admin.

I do it this way since many times, I demo to others how to perform a Fedora installation. However, when that person has left the scene, I log in to the root account, and I change root's own password and the superuser's password to new values.

Because I install two languages, English and French, and two keyboards, the ca and us layouts, I do not use a complex password during installation. I cannot guarantee if Fedora boots with the ca layout active or the us as the active keyboard. Sometimes I test other distributions. For distributions which oblige a sudo password, and no root password, the sudo password is often shared with root.

After my installation of Fedora has completed, I change both root and admin's passwords. I found that I want very much to have a separate root password. The reason has to do with the admin's bash_profile which I modify for my needs. When logging into Linux, as other than root, the .bash_profile gets executed. When I log into Fedora as root, the .bash_profile and other setups are not invoked. It is safer for me to have a separate root password to accompany a system admin sudo password. As well, root is the safety backup for the sudo password and vice versa. Obviously one can from the admin logon issue sudo passwd root.

I also want a separate root password installed in case I have to execute a rescue of Fedora. In 10 years of using Fedora daily, this rescue activity has never happened to me.
I have more than once needed the rescue option on different machines. Usually when a user made a change that prevented the normal boot from completing properly.

I like your approach. Since an install may often require more than one reboot, especially if you are installing extra packages that may not be on the distribution media, the simpler password may be an advantage.
Using one password while performing and/or demonstrating the install and changing it as soon as possible afterwards is an easy approach to site security.

I would like for User808 and anyone else who reads this thread to understand that the linked post http://www.computerhope.com/unix/upasswor.htm does definitely have a misleading statement concerning using the -d option with the password command. It definitely disables the password BY DELETING IT but it does NOT disable logging into the account. What it does, in fact, is allow using that account with NO PASSWORD REQUIRED.
Thus the statement on that site concerning the -d option
Code:
-d, --delete	Delete a user's password (make it empty). This is a quick way to disable logins for an account, without disabling the account itself.
can be considered at best uninformed, and possibly deliberately misleading.

Last edited by computersavvy; 4th January 2017 at 06:32 PM.
Reply With Quote
  #20  
Old 4th January 2017, 08:22 PM
lsatenstein Online
Registered User
 
Join Date: Jun 2005
Location: Montreal, Que, Canada
Posts: 4,008
Re: Disable root account on Fedora, is it a safety measure?

With appropriate sudo privileges, one can sudo su anyuser. So password or not, the administrator can take over any user account, including root. It is best that the admin account be hidden. This is easily done as shown below. Change System Account from false to true.
On my system, I have sudo privileges for running dnf and for printer management.

Code:
cd /var/lib/AccountsService/users
vi leslie
# contents of the file "leslie" after the edit:
[User]
Language=en_CA.UTF-8
XSession=gnome
Icon=/var/lib/AccountsService/icons/leslie
SystemAccount=true
Regarding passwords during anaconda installation. By keeping the passwords simple, I can delegate the installation of Fedora to any person, and then return to impose stronger more secure passwords. I certainly don't want a student knowing the root system password. And when I used to delegate the task, I also checked /home to ensure that there were no surprises.
__________________
Leslie in Montreal

Interesting web sites list
http://forums.fedoraforum.org/showth...40#post1697840

Last edited by lsatenstein; 4th January 2017 at 08:25 PM. Reason: touchup
Reply With Quote
  #21  
Old 5th January 2017, 05:41 AM
DBelton Offline
Administrator
 
Join Date: Aug 2009
Posts: 8,435
Re: Disable root account on Fedora, is it a safety measure?

The -d option of passwd does not disable the account. It deletes the password. If you use it for root, it will allow anyone to use root since root no longer has a password.

The -d option deletes the password, you can still log into the account.

And it's easy to control which users can use su, since su uses PAM. Edit the /etc/pam.d/su file and set up the rules you wish.
Reply With Quote
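Added example (not part of the post above): one way to check what an /etc/pam.d/su-format file currently enforces through the pam_wheel module, which is the usual mechanism for limiting su to one group. The function names and the sample file are constructed for illustration; `use_uid`, `trust` and `deny` are real pam_wheel options.

```shell
#!/bin/sh
# Added example: report how an /etc/pam.d/su-format file uses pam_wheel.
# Prints one of:
#   wheel-required  active "auth required pam_wheel.so": only group members may su
#   wheel-trusted   active "auth sufficient pam_wheel.so trust": members su with no password
#   custom          pam_wheel is active with "deny" (meaning inverted): review by hand
#   unrestricted    no active pam_wheel line: anyone who knows the target password may su
su_wheel_policy() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }                      # comments, short lines
        ($1 == "auth" || $1 == "-auth") && $3 ~ /pam_wheel\.so$/ {
            deny = trust = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "deny")  deny = 1
                if ($i == "trust") trust = 1
            }
            if (deny)                                        custom = 1
            else if ($2 == "required" || $2 == "requisite")  required = 1
            else if ($2 == "sufficient" && trust)            trusted = 1
        }
        END {
            if (custom)        print "custom"
            else if (required) print "wheel-required"
            else if (trusted)  print "wheel-trusted"
            else               print "unrestricted"
        }' "$1"
}

# Constructed sample file. $1 is the prefix of the "required" line:
# "#" leaves it commented out, "" makes it active.
sample_su() {
    cat <<EOF
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       sufficient  pam_wheel.so trust use_uid
${1}auth        required    pam_wheel.so use_uid
auth        substack    system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
session     include     system-auth
EOF
}

# Demo: run as `sh script.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_su "" > "$f"; su_wheel_policy "$f"; rm -f "$f"
fi
```

When editing the real file, keep a second root shell open until a fresh `su` has been tested, so a mistake can be reverted.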
  #22  
Old 7th January 2017, 11:10 AM
User808 Offline
Registered User
 
Join Date: Aug 2016
Location: Iraq
Posts: 570
Re: Disable root account on Fedora, is it a safety measure?

Quote:
Originally Posted by DBelton View Post
The -d option of passwd does not disable the account. It deletes the password. If you use it for root, it will allow anyone to use root since root no longer has a password.

The -d option deletes the password, you can still log into the account.

And it's easy to control which users can use su, since su uses PAM. Edit the /etc/pam.d/su file and set up the rules you wish.
I found 2 links on the Internet about this:

1st one:
https://major.io/2013/04/25/limit-ac...he-su-command/


2nd is:
http://www.debianadmin.com/howto-res...-in-linux.html

It seems that you mean the 1st, but can you kindly explain it by giving all the needed commands? I mean I have not opened and edited system files before: how do I open this file & how do I save changes? I saw that many use vi commands but I need further instructions about this.

By the way, the 2nd method seems to prevent administrators (those in the wheel group) also, doesn't it?

Best
__________________
Fedora 24 X64 bit Cinnamon edition on Lenovo ThinkPad e550 with Intel core i7 5500 CPU @ 2.40 GH X 2, RAM = 8 GB, HHD = 1 TB, Hybrid VGA (Intel Corporation HD Graphic 5500 + Radeon R7 M265 2GB)
Reply With Quote