1

This might seem like a crazy step, but... How to disable (remove) root completely from a system? (I'm currently working on Ubuntu 18.04.)

I'm working to modify an OS so that no user would ever be able to mess with the internal files... the user needs to have very limited control over the system. This can be done by giving sudo access to only limited commands to the users and taking off any other way to access sudo or su... This question is just my crazy thought that if the root is completely disabled there can be no way someone can figure out a way to abuse the system... just trying to know if there is a possibility to work this way.

I understand that it creates obvious issues, but is there a way to work around them? Thanks :)

mchid
  • 3
    The answer is nope. Why would you even consider "removing root" as a possibility and what do you think you could achieve by that? It sounds like you have an XY problem here. Please explain what your actual goal is. – Byte Commander Aug 22 '19 at 11:27
  • We had a similar question yesterday: https://askubuntu.com/questions/1167352/create-a-system-with-no-root – Jos Aug 22 '19 at 11:37
  • 3
    root is disabled by default with Ubuntu, so you need do nothing. It's not removed though, just disabled. – guiverc Aug 22 '19 at 11:47
  • Also take a look at this page about sudo and root in Ubuntu: https://help.ubuntu.com/community/RootSudo – Jeryosh Aug 22 '19 at 11:47
  • Even if it were possible the amount of time would be extraordinary and you would end up with a "Frankenstein" system nobody could or would support. – WinEunuuchs2Unix Aug 22 '19 at 11:54
  • What do you mean by 'root'? The root partition where all the nice things are kept, or the nuisance of typing your root password every time you want to change something (you want to be god of your system all the time), or do you want to prevent you or someone from changing the system by using root password? – crip659 Aug 22 '19 at 12:18
  • There is not. Why do you want to do this? There may be another way to achieve the effect you're looking for. – Stephen Boston Aug 22 '19 at 12:30
  • Please explain what you are trying to accomplish by removing root. – mchid Aug 22 '19 at 16:35
  • @mchid I'm working to modify an OS so that no user would ever be able to mess with the internal files... the user needs to have very limited control over the system. This can be done by giving sudo access to only limited commands to the users and taking off any other way to access sudo or su... This question is just my crazy thought that if the root is completely disabled there can be no way someone can figure out a way to abuse the system... just trying to know if there is a possibility to work this way. – frankenstein Aug 23 '19 at 09:27
  • @guiverc Yes, the root is 'locked' by default in Ubuntu, but anyone with some basic research can work around it to create a new password for root and activate it. – frankenstein Aug 23 '19 at 09:27
  • @Byte Commander, I hope that the above comments can give you a clarification. – frankenstein Aug 23 '19 at 09:28
  • 1
    They need sudo access to achieve it (enabling root), or access to the physical machine (where on it is moot, as they can boot a live and bypass OS security anyway unless you've built in higher security than just disabling root). Don't give them sudo access, otherwise you're wasting your time if they already have physical access to hardware. – guiverc Aug 23 '19 at 09:29
  • @frankenstein This is not exactly the same but you might find this question interesting: https://unix.stackexchange.com/questions/390135/can-i-create-a-super-super-user-so-that-i-can-actually-have-a-user-that-can-de – mchid Aug 24 '19 at 00:29
  • @frankenstein One thing: you can prevent users from accessing "single user mode" in grub by setting the grub font color and the grub background colors to the same value so that the grub prompt cannot be seen. Additionally, you can usually lock down the BIOS and the boot menu so that the system cannot be accessed through a USB or CD. – mchid Aug 24 '19 at 00:46

1 Answer

0

If there is no root password set, login as root is disabled. This is typically the default configuration of Ubuntu when you install it and set up a user password.

That said, it sounds like you are asking this from a security perspective so I'll mention a couple of things. Firstly, if a user has physical access to the machine they can get root access via a number of means such as replacing the boot drive, booting from something else. Full disk encryption can make it impossible for this person with physical access to see your data but not to wipe it.

Secondly, disabling the mechanism to log in as root doesn't really provide notable security over having a non-guessable passphrase, and just not giving that passphrase to others.

Thirdly, you mention giving sudo access to users. Done incorrectly this can inadvertently open up the ability for users to do much more than you intend for them to. If you have a locked down system it's not typical to let users do anything that requires superuser access.

thomasrutter
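
The answer's third point, that a "limited" sudo grant can allow more than intended, can be checked mechanically. The following is an added example, not part of the original answer: a small Python audit of sudoers user specifications that flags grants broader than they look. The `kiosk` user, the sample rules, the two lists at the top, and the function names are assumptions made for illustration.

```python
import re

# Assumed lists: editors/pagers that allow shell escapes; dirs users can usually write to.
SHELL_ESCAPE = {"vi", "more", "less"}
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/")
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_rule(line):
    """Findings for one 'user host = (runas) cmds' line; escaped commas unsupported."""
    m = RULE.match(line.strip())
    if not m:
        return ["could not parse"]
    findings, noexec = [], False
    for spec in m.group(3).split(","):
        spec = spec.strip()
        while (t := TAG.match(spec)):  # tags carry over to later commands
            noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
            spec = spec[t.end():]
        path, _, args = spec.partition(" ")
        checks = [  # broadest grant first; only the first matching check is reported
            (path == "ALL", "every command allowed"),
            (path.endswith("/"), "whole directory allowed"),
            (path.startswith(USER_WRITABLE), "binary in user-writable location"),
            (path.rsplit("/", 1)[-1] in SHELL_ESCAPE and not noexec,
             "shell escape possible without NOEXEC"),
            ("*" in args or "?" in args, "wildcard in arguments"),
            (not args, "any arguments accepted"),
        ]
        findings += [f"{path}: {why}" for hit, why in checks if hit][:1]
    return findings

def audit_sudoers(text):
    """Map each user specification to its findings; skip comments, Defaults, aliases."""
    rules = [l.strip() for l in text.splitlines() if l.strip()
             and not l.strip().startswith(("#", "@", "Defaults")) and "_Alias" not in l]
    return {r: audit_rule(r) for r in rules}

# Constructed sample policy; the user name and unit name are hypothetical.
SAMPLE = """\
kiosk ALL = (root) NOPASSWD: ALL
kiosk ALL = (root) /usr/bin/less /var/log/syslog
kiosk ALL = (root) NOEXEC: /usr/bin/less /var/log/syslog
kiosk ALL = (root) /bin/systemctl restart *
kiosk ALL = (root) /bin/systemctl restart kiosk-ui.service
"""

if __name__ == "__main__":
    print("\n".join(f"{r} -> {f or 'ok'}" for r, f in audit_sudoers(SAMPLE).items()))
```

An empty result only means none of these six checks matched; it is not proof that a rule is safe, so review each permitted command's own behaviour as well.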