Forums | MacLife
#1 2009-09-21 4:51 pm
Ubuntu forum craziness
The Ubuntu forum has a crazy rule that you are not allowed to tell other users how to "unlock" the root account.
I respected the rule, but noted that it was silly to not allow instruction on how to use a standard Unix tool as old as Unix itself.
Despite the fact that I respected the rule, I got an infraction.
So ...
sudo passwd root
Works on OS X as well. At least did in 10.0/10.1
Geez - as much as I've been enjoying Ubuntu, that kind of censorship on their forum is a real turn-off.
In her right hand Jenny held the Bible of her mother
Jenny had a pistol in the other
-- Steve Taylor
#2 2009-09-22 12:26 am
- jerwin
- Sophist
- From: The Garden of Pure Ideology
- Registered: 2003-01-01
- Posts: 7028
Re: Ubuntu forum craziness
If you need a root password, you're doing it wrong.
Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as root.
Is there a mac equivalent to gksudo? Seems like it would be useful.
Some subjects actually enjoy pain, and withhold information they might otherwise have divulged in order to be punished.
Central Intelligence Agency. (1983). Human Resource Exploitation Training Manual
#3 2009-09-22 12:59 am
Re: Ubuntu forum craziness
No, you are not doing it wrong.
Many of us run services with some kind of remote login.
With sudo enabled, brute force the account and the box is rooted.
Way back when, I thought I had a secure root password - by some fluke, it was just one character off of a leet speak version of a word in a Klingon dictionary.
Yes, you can use pass phrases etc. but you can also create a root password and disable sudo.
Pass phrases don't do much good for using a web interface to check your system mail.
sudo really only should be used to enable specific users to run specific commands that are not capable of spawning a shell.
It's not wrong, just a different philosophy to system administration, a philosophy embraced by the vast majority of *nix implementations, including Linux.
#4 2009-09-22 1:01 am
Re: Ubuntu forum craziness
And regardless of which philosophy you subscribe to, forbidding users from answering a question is just plain wrong.
#5 2009-09-22 2:15 am
- jerwin
Re: Ubuntu forum craziness
The attitude seems closely related to kernel taints -- my guess is that Ubuntu folks are tired of supporting people running as "root."
Perhaps your sudoers file needs to be a bit more fine grained?
#6 2009-09-22 2:33 am
Re: Ubuntu forum craziness
jerwin wrote:
The attitude seems closely related to kernel taints -- my guess is that Ubuntu folks are tired of supporting people running as "root."
Perhaps your sudoers file needs to be a bit more fine grained?
But there is no damage a user can do as root that is not just as easy to do with sudo.
btw - Ubuntu makes it cake to install the kernel tainting nvidia driver ...
#7 2009-09-22 10:45 am
- jerwin
Re: Ubuntu forum craziness
You said someone could have gotten in by brute forcing passwords. Why not use keys and turn off password-based authentication?
Then fine grain your sudoers file. Give one user access to only the most commonly used commands. Then give the other user access to a root shell, but only if he's logged in from a trusted machine (i.e., your own personal PC).
#8 2009-09-22 3:16 pm
Re: Ubuntu forum craziness
jerwin wrote:
You said someone could have gotten in by brute forcing passwords. Why not use keys and turn off password-based authentication?
Then fine grain your sudoers file. Give one user access to only the most commonly used commands. Then give the other user access to a root shell, but only if he's logged in from a trusted machine (i.e., your own personal PC).
Keys make things tough to deal with when you are out of town and your laptop is stolen or drive goes.
You can buy a new laptop, but the signed key exchange is a little difficult to set up.
With password authentication, it's a lot easier to authenticate from any machine any time.
It's KISS and therefore less likely to be problematic.
If a user wants to use sudo for everything, let them.
But if a user wants to enable root password, it's their smurfing box - who the hell is ubuntuforums to prevent them from getting assistance with how they want to do things on their box?
#9 2009-09-22 6:25 pm
Re: Ubuntu forum craziness
Isn't the idea of open source founded in the principle of an open exchange of ideas and technology? If Ubuntu is so paranoid of allowing people to change the root password, then they should lock it down. If Ubuntu insists upon censoring their forums, they should rename their next release to something more Soviet-sounding.
There's what you love to do, and then there's what you get paid to do. Those two things are often different.
#10 2009-10-05 11:20 pm
Re: Ubuntu forum craziness
Code:
sudo su -
No root "enabling" required.
#11 2009-10-07 6:47 am
Re: Ubuntu forum craziness
Gipetto wrote:
Code:
sudo su -
No root "enabling" required.
But if you run any services, it opens you up to the possibility that a brute forced password now owns your box.
Since these services reject root login even with correct password, it is safer to give root a password and disable sudo.
#12 2009-10-07 10:15 am
Re: Ubuntu forum craziness
Your service users should be non-login users anyway (or maybe I'm missing your point)
Code:
useradd -r -s /bin/bash -g servicename servicename;
# create a "no password" entry in /etc/shadow
passwd -l servicename;
Then invoke them as:
Code:
/bin/su -s /bin/bash -c "/path/to/bin/startup.sh" servicename
And, yes, root login should be disabled, but the root account can still be active. The only way to get to it should be via su.
Last edited by Gipetto (2009-10-07 10:16 am)
#13 2009-10-07 3:55 pm
Re: Ubuntu forum craziness
Gipetto wrote:
Your service users should be non-login users anyway
That's not how Ubuntu sets it up, nor is it how the industry is run.
Typically you have some software running to detect if the root shell was spawned by a user not in the wheel group that takes the machine offline as soon as it detects it because that indicates a successful rootkit.
Your admins (in the wheel group) usually directly log in, rather than having two different accounts.
sudo is intended to give specific elevated privileges to meet specific needs (like to allow your web guy to restart apache or MySQL without needing to be root) and is not intended to give blanket access like the default Ubuntu install.
Now the default Ubuntu install is perfect for the home user, their target, but when a user asks how to set things up the way Unix was meant to be run, it's a bit silly that the forum has a rule against explaining how to do it.
Offline
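An added example, not part of any post in this thread: a small Python audit of sudoers user specifications for the two things argued over above, blanket `ALL` grants versus specific commands (posts #7 and #13), and granted commands that can spawn a shell (post #3). The sample sudoers text and the `SHELL_CAPABLE` list are constructed for illustration; the parser assumes simple single-line rules and does not expand aliases.

```python
import re

# Assumption for this example: a short, non-exhaustive list of programs that
# can hand the caller an interactive shell (directly or via a shell escape).
SHELL_CAPABLE = {"su", "sh", "bash", "zsh", "vi", "vim", "less", "more", "find", "env"}

# Simple single-line user specification: who host = (runas) [TAG:] cmd, cmd ...
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)
# Comments, Defaults lines and alias definitions are not grants.
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

def audit_sudoers(text):
    """Return (line_no, who, issue, command) for risky grants in sudoers text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = None if not line or SKIP.match(line) else RULE.match(line)
        if not match or match.group("who") == "root":
            continue  # root's own ALL entry is the normal baseline
        for cmd in match.group("cmds").split(","):
            # Drop leading tags such as NOPASSWD: or NOEXEC:
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()
            if not cmd or cmd.startswith("!"):
                continue  # negated entries are not grants
            if cmd == "ALL":
                issue = "blanket"  # full root, same reach as a root password
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                issue = "shell-capable"  # e.g. an editor's shell escape
            else:
                continue  # a specific command with no known shell escape
            findings.append((line_no, match.group("who"), issue, cmd))
    return findings

# Constructed sample sudoers content, not taken from the thread.
SAMPLE = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
webguy  ALL=(root) NOPASSWD: /etc/init.d/apache2 restart, /etc/init.d/mysql restart
editor  ALL=(root) /usr/bin/vim /etc/hosts
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Only the group-wide `ALL` grant and the editor rule are reported; the restart-only rule for `webguy` is the kind of narrow grant the posts describe and passes clean.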
