It is nothing but a nuisance to attackers who already expect it, but a huge pain for legit users. If you know the LUKS password it is game over anyway. Anything else is just annoyance, so don’t annoy the real users.
Yesterday I had to reset the main user password of a Librem 13. The owner got the delivery last week, put in the passwords just to check PureOS and proceeded to not use the computer for a week, by which time the password was forgotten.
I booted into single user mode only to find the root account locked. Debian list has a huge thread about why this is silly and futile. To sum up the history, what I could have solved in 15 min took me over 4 hours and a couple of live ISO downloads that added to the waste.
I have never used the root account on any Linux computer.
Regardless though you can enable the root account if you want to use it.
So the debate is really only about whether
it defaults to disabled and the people who want to use it have to enable it
v. it defaults to enabled and the people who want not to use it have to disable it.
Given that the account serves no purpose, I agree with the choice of the former. It would also be a risky and unexpected change for any existing distro (changing in either direction). So basically every distro should stick with whatever choice was made at Day 1.
I have never used it either, ever. When I set things up, I always set the machine up to use sudo. And yet when I tried to log into the console the other day, I found that the root account was locked. No way to get in at all. No option to log into my account was presented at all. Fuggeddaboudit!
No clear reason why the root account was suddenly locked. But there it was. So, I had to nuke the disc and re-install the OS from scratch. Luckily I had done a full data backup the previous day.
Maybe. Maybe there’s a niche scenario that I have never encountered. You will note that the OP (6 years earlier) was using “single user mode”, not something that I use.
It depends on what you mean by the console. There’s the single window graphics terminal for when the GUI fails to start. It presents a “login:” prompt, so it should work to log in as another user but it is such an infrequent thing that I can’t swear to that. Then there are more exotic scenarios involving a serial console (where the hardware supports it) that I haven’t even tried - but which may be applicable in a headless scenario.
Honestly, I always use a Live Boot for some kind of emergency recovery. So no login at all is required (and no password required for sudo) - and it’s a full normal boot with GUI and, if you want it, network - and I can usually repair whatever needs to be repaired on the normal boot disk. (That would include, I guess, unlocking the root account if the absolute need had arisen.)
Clearly this is not a recent change though, given the age of the topic.
It’s kind of like what Microsoft does. “We know better than you do, about what’s good for you”. All Linux distros should have two states that can each be invoked using the following commands.
sudo lock root (after this command, regular root rules apply. No password required to invoke but root passwords are needed after invoking)
sudo unlock root (requires root password to invoke but then root permissions no longer exist nor are needed for anything. Everything that requires root permissions then works for any user)
I also do not like that a root login choice does not appear on the login screen on most distros. Someone else decided for me that I shouldn’t log in as root. This feature isn’t there to keep hackers from logging in. It’s there to prevent you and me from logging in as root.
But is that because the root account is disabled? There is after all no point showing an account that you can’t log in to. I admit that I haven’t sought to peruse the code that selects users for display on the login screen.
It’s a two-edged sword anyway. I have one computer that for some reasons (beyond the scope of this topic) has a heap of accounts that are valid to log in to and the login screen is absolutely cluttered with accounts that I would never want to log in to.
A nicer approach might be an initial login screen with an abbreviated list but a button that can be used to expand to the full list (which in your case might then include root).
On the other hand, there was a time when the login screen comprised an input field for username and an input field for password. So you can (attempt to) log in as absolutely any user, whether valid to log in to or not. I’m not sure whether typical Linux distros can still be configured back to that approach.
At the end of the day, nothing is ever truly decided for you with open source.
Don’t like the way root access is managed? Change from su / sudo / whatever to what you are proposing, or something functionally equivalent. (Sounds risky to me. root access should be something that is universally well managed. Users inventing their own security models is a bit like users inventing their own encryption algorithms. Nothing stops you but …)
Don’t like the logic that controls which users are and aren’t listed on the login screen? Change it.
And as per the login screen getting cluttered, that’s unlikely to ever happen on most computers. It would be just root and me. Most family members don’t like Linux anyway.
Because it is not used and serves no purpose. (I mean presumably the root account itself needs to exist but it is not ever used to log into. This is in part a consequence of the sudo approach to privilege elevation.)
If nothing else, good security practice is not to enable things that aren’t used.
In addition, the decision sits well with the philosophy of “the power of defaults”. Hence quoting from my post above
So the debate is really only about whether
it defaults to disabled and the people who want to use it have to enable it
v. it defaults to enabled and the people who want not to use it have to disable it.
From a security perspective, given that this is a dangerous account not to manage properly and given that it opens up an additional point on the attack surface, it makes sense that it needs to be a conscious decision to enable the root account, not something that happens automatically or by accident.
“The power of defaults” philosophy does always mean that “someone else decided for me”.
I guess the alternative is that on first boot of a new install, or as part of the install, there are no defaults but a very lengthy series of questions that, in a neutral way, ask (force) the user to decide. However this illustrates the strength of the “the power of defaults” philosophy because the average user will not have the patience or knowledge to answer all the questions and will be crying out for each question to have a default ‘safer’ answer so that the user can just click through …
(and most users will just click through)
If only 0.5% of people want to use the root account approximately once every 5 years then disabling it by default works for me. If you are in the 0.5% then …
as far as I am aware, it is only two operations to enable it (one to clear and/or replace the intentionally invalid password and one to remove the account expiration).
I think it’s not a situation where the creators of the OS are just not able to present the options about security like root access, adequately. If we assume that most people will not want to answer questions at installation time, then we’ve already started thinking that we know better than they do, with respect to the availability of their own choices.
The OS creators could create a GUI with just a few slider switches in the Settings that controls the root access properties. Slide one switch to the right that says “Create root account”. Slide another switch to the right that says “Add root to login screen”. Slide another switch to the right that says “Never ask for root password”. Slide another switch to the right that says “Automatically add sudo command where required in terminals”.
But it appears that the creators of the OS are most likely opposed adamantly to these kinds of changes to the OS, fearing that this would compromise Security. They don’t want these choices to be available because they think that people would make irresponsible choices. But maybe I just want full root access temporarily, to troubleshoot a problem. Maybe I use the PC in a way that I don’t need security at all. The PC doesn’t have any big secrets to protect.
GUI? If you are up for logging in (literally) as root then you ought to be up for using shell commands to make that possible.
As said, I wouldn’t be confident that everything would work if you didn’t have a root account at all. The actual question is whether root is enabled for login - and, if that choice is presented, I think that needs to be a choice either made at install time or at first boot after install. (Note that this would necessitate prompting for a password to give to the root account. It’s not just a yes/no choice.) But, sure, if you insist that it should be a dynamic choice made and unmade at any time after install, a shell script should take care of it.
Then you don’t need any interface, GUI or otherwise, for adding root to the login screen. If it is enabled for login at all then it can appear on the login screen. I wouldn’t advocate for a specific control just for whether root appears on the login screen. See next.
Would I like a little more control myself over which users do and don’t appear on the login screen? Yes. With enough enthusiasm to trawl through code/the web and make the change myself (if necessary)? No.
That can be covered by account expiration. By default (i.e. out-of-the-box) it is already expired. Most people who override that … change the root account to “never expire” instead of “already expired”. However when overriding it you (your shell script) have the option of instead setting an explicit expiration date that is X days in the future (or, using more code, to a calculated date that is literally X days in the future - see man chage).
Assuming that we are talking desktop / laptop, not the Librem 5, the internet says that you can get rid of the login screen’s list of users and revert back to the username and password prompt, which presumably would allow you to attempt to log in as root at any time and regardless of the state of the root account.
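The two states discussed in this thread, an intentionally invalid password and an account expiration date (adjustable with chage), are both stored in the root entry of /etc/shadow. As an added example that is not part of any post here, this shell function classifies such an entry; the function name and the sample entries are constructed for illustration, and the field layout is the one documented in shadow(5).

```shell
#!/bin/sh
# Added example, not from the thread. Classifies one shadow(5) entry:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# root_login_state is a hypothetical helper name.
# Usage: root_login_state "<shadow line>" [today as days since 1970-01-01]
root_login_state() {
    entry=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    exp=$(printf '%s\n' "$entry" | cut -d: -f8)

    # Field 2: a leading "!" or "*" can never match a password hash.
    case $pw in
        '')        pw_state=empty ;;
        '!'*|'*'*) pw_state=unusable ;;
        *)         pw_state=set ;;
    esac

    # Field 8: account expiry in days since the epoch; empty means never.
    case $exp in
        '')        acct_state=never-expires ;;
        *[!0-9]*)  acct_state=invalid ;;
        0)         acct_state=ambiguous ;;   # shadow(5) advises against 0
        *)
            if [ "$today" -ge "$exp" ]; then
                acct_state=expired
            else
                acct_state="expires-in-$(( exp - today ))d"
            fi ;;
    esac
    printf 'password=%s account=%s\n' "$pw_state" "$acct_state"
}

# Constructed sample entries (not real hashes), evaluated as of day 20000.
# DEFAULT_ROOT models a disabled root; TEMP_ROOT models a temporary enable.
DEFAULT_ROOT='root:!:19000:0:99999:7::1:'
TEMP_ROOT='root:$y$j9T$constructedsalt$constructedhash:19000:0:99999:7::20030:'
root_login_state "$DEFAULT_ROOT" 20000
root_login_state "$TEMP_ROOT" 20000
```

On a real system the entry can be read with `sudo getent shadow root` and passed to the function without the second argument, which then defaults to today's date.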
No, it’s not. Microsoft wants to do shady things and forces your PC to be that shady for Microsoft. As a user you have no other choice than accepting it or fighting against it all the way along - anew on each update. On Linux however, you’re “forced” to get the defaults other people decided are good defaults. But you can also change everything and no update will ever remove your decision. The code is free to change and usually you don’t even need to change code, while on Windows they are often forcing proprietary code on your PC when updating, which makes the fix harder to achieve.
Sure, sometimes things can be annoying, but I think the comparison with MS is a bit too harsh, especially if you listen to all the Windows news from the last 3 months.