1

From what I can tell there is no password for root given by default, and it's considered a bad idea to set one.

But then what stops me or any other user from doing sudo passwd root or something like this, and giving the root account a password?

Sudo only requires our own passwords, so in theory there's nothing stopping anyone from doing this?

AJJ
  • 862

3 Answers

4

This is sort of a broad topic.

At the end of the day, nothing prevents you or another user from setting a root password.

This can happen via several mechanisms including sudo, various exploits (when you read a security alert that allows a user to run "arbitrary code" they can run any command they want), escalation of privileges or other cracking methods, and physical access, either booting to rescue mode or with a live USB/CD or other techniques.

Solving or preventing this is a potentially long discussion.

  • Limit who has sudo access.
  • If you set a root password, Ubuntu will ask for the root password when booting to recovery mode.
  • "BIOS" or UEFI password - take care, it can be reset.
  • Limit physical access.
  • Use full disk encryption, although /boot is unencrypted.
Eliah Kagan
  • 117,780
Panther
  • 102,067
  • So in terms of security, not setting a root password is mostly for preventing people outside the network from gaining root access / setting the password? – AJJ Oct 02 '17 at 16:56
  • It is one of many parts of the security puzzle yes. See the additional links I posted in the comments. – Panther Oct 02 '17 at 17:00
3

Regular users cannot successfully run sudo passwd root or whatever other commands they choose with sudo. Only administrators can do this. Membership in the sudo group confers the ability to perform any action at all as root with sudo as well as with Polkit, which is a separate mechanism that doesn't involve sudo. Don't give this power to people who you don't trust to have it.

This is to say that not having been given the power to run commands as root is what stops people from performing administrative tasks without authorization, including from setting a root password. People you have given the power to administer the system can set a root password. If you trust those people, tell them not to set a root password (and don't set one yourself) if you don't want one set. If you don't trust them, then the problem is not that they might set a root password, but that they already have the power to do whatever they want to your system!

To be clear, trust is not binary. You can trust people with some powers and not others, and this is even reflected in the security model, where users can use the system but do not have all possible capabilities. But people who can run any command as root with sudo do have all possible capabilities when they choose to. This is why, when novice users ask about setting a password for the root account so they can log in as root, we urge them to consider not doing so. Doing so does not confer any power to the user that the user did not already have. It's not that we want to keep them from obtaining power. They already have that power.

There are risks associated with setting a password for the root user and thus enabling root logins, and benefits of avoiding it. I recommend you avoid this unless you have a clear reason to do so. (Note, however, that there are circumstances where it is reasonable to do so, as well as well-designed operating systems--like OpenBSD and Fedora--where root logins are enabled by default.) But enabling it is not destructive in itself. In contrast, you and any other users you allow to administer the system can already undertake extremely destructive actions by running commands with sudo, whether or not the root account has a password set.

You are a member of the sudo group. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusing sudo or Polkit, those are the kinds of things you should be concerned about.

It is true that you shouldn't let untrusted people into your house unsupervised, but the reason why is not that they could then unlock the door from the inside and get in.*

Eliah Kagan
  • 117,780
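The two things the answers above turn on, whether root's password is locked and who is in the sudo group, can be checked directly from the account files. The script below is an added example, not part of the original answers; the function names and the sample shadow/group entries are constructed for illustration. It reports group membership only and does not evaluate other sudoers rules.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers). Sample data below is constructed.

# Classify root's password field in a shadow-format file:
# locked = starts with ! or * (no password login possible), empty = no password
# required, set = a password hash is present, missing = no root entry found.
root_pw_state() {
    awk -F: '$1 == "root" {
        if ($2 == "") s = "empty"
        else if ($2 ~ /^[!*]/) s = "locked"
        else s = "set"
        print s; found = 1; exit
    }
    END { if (!found) print "missing" }' "${1:-/etc/shadow}"
}

# List supplementary members of a group (default: sudo) from a group-format file.
# Users whose primary group is that group are not listed in this field.
group_members() {
    awk -F: -v g="${2:-sudo}" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}" | sort -u
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/shadow" <<'EOF'
root:!:17441:0:99999:7:::
alice:$6$CONSTRUCTED$not-a-real-hash:17441:0:99999:7:::
bob:$6$CONSTRUCTED$not-a-real-hash:17441:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice
users:x:100:alice,bob
EOF
}

audit() {   # usage: audit SHADOW_FILE GROUP_FILE
    echo "root password: $(root_pw_state "$1")"
    echo "accounts that can run any command as root via the sudo group:"
    group_members "$2" | sed 's/^/  /'
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit "$tmp/shadow" "$tmp/group"
rm -rf "$tmp"
```

Called without arguments, `root_pw_state` reads /etc/shadow (which requires root) and `group_members` reads /etc/group.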
  • Since two people thought my answer was good, but two others thought it was bad/wrong, and neither of the others said anything that would help me improve it, I've deleted it. I thought mine was easier to understand and, being less than 1/4 the length, more likely to be read, but I've deleted it, since just as many people thought it bad, as thought it good. – Zeiss Ikon Oct 05 '17 at 11:13
  • 1
    @ZeissIkon Perhaps it can be improved and undeleted, even without needing to expand it or complicate it--or at least not by very much? (Having answers many people will read and understand is important, but I think such answers, if wrong, are also more harmful. If people are exposed to falsehoods and come to "understand" them, that seems worse than no understanding. For example, numerous files and running processes are root-owned, so if a user thinks root doesn't exist, that will not just be a stumbling block to real understanding, it would also be instantly bewildering during practical use.) – Eliah Kagan Oct 05 '17 at 16:43
1

It's not setting a root password that's a bad idea, it's logging in or running as root without the built-in protections that sudo provides (requiring reentering your password every few minutes, the requirement to prepend sudo on each command, etc.) which serve as a reminder of the power of an error. If you instead have a root password set, and use su to start a root shell (or, equivalently, log into the GUI as root), you're setting yourself up to reinstall and possibly destroy any stored data on the machine, just because you forget you've given yourself absolute authority.

Ubuntu made the choice to, by default, not allow root login, specifically to avoid making it too easy to screw yourself. Setting the root password encourages you to log in and run as root, which is why it isn't recommended to do so.

Zeiss Ikon
  • 5,128
  • 1
    Logging in as root doesn't make it more likely to make a mistake as you imply; however, running normal tasks while logged in as root does present a virus or other attack the permission it needs to invade your system. This is the main reason for disabling root login. – ravery Oct 02 '17 at 16:32
  • Logging in as root also makes it easier to forget you have the ability to hose yourself without thought. Many commands are self-limiting just by root ownership, but if you're root, you own everything, and a tiny error that would just give a message as a normal user will leave you reinstalling. – Zeiss Ikon Oct 02 '17 at 16:36
  • 2
    You could make the same error using sudo and it would have the same effect. – ravery Oct 02 '17 at 16:37
  • Viruses are rare and one does not need root access to cause problems. IMO there are 2 main reasons to use sudo, rather than the root account. The first is security, if you run a ssh server you will see tons of cracking attempts targeting root. Not the only example, but it is sometimes easy to install/enable a server such as VNC or ssh and then have your router UPnP forward the port. The second reason is sudo has more features. su or logging in as root is all or none, you can limit what commands can be run as root with sudo and sudo has better logs. – Panther Oct 02 '17 at 16:41
  • See https://help.ubuntu.com/community/RootSudo#Benefits_of_using_sudo and https://help.ubuntu.com/community/RootSudo#Misconceptions for details. – Panther Oct 02 '17 at 16:43
  • 1
    This answer is wrong. sudo's timeout behavior is just one of several benefits, and Ubuntu doesn't "not create a root account". The root account exists and, if it didn't, you would not be able to run commands as root with sudo. Later on that page is a list of nine benefits of sudo and most of them remain intact even in an interactive root shell, which sudo provides you by design with its -s and -i options. – Eliah Kagan Oct 05 '17 at 09:14