What does locking the root password do?

Starting a new thread to deal with people’s questions to avoid overcrowding the other thread.

The Librem 5 apparently comes with the root account password locked. This means…

  • You cannot log in as root using a password
  • You can use sudo to do root things like installing/updating packages
  • You can easily set a password on the root account to unlock it

For comparison with rooted Android phones, the Librem 5 is still considered “rooted” because you can do things as root with sudo, even with the root account password locked.

There are probably other things people can add on and ask as needed.

4 Likes

Are people surprised by this? Many distros have done this for more than a decade, most notably Ubuntu.

1 Like

In linux-land, using sudo instead of logging into root is considered proper etiquette. On my linux systems, I only use sudo and have never encountered an issue. Is there something that I am missing? Thanks.

1 Like

Can you make your first post a hub for all the related info (if you have the time and inclination)? Gather the best comments/solutions and commands from that previous thread and add links (search) if there are any old thread about this etc. In time this could become central as more people get their phones and start to experiment with root.

I think I’ve got all the important points here, but this is probably something that really needs a question and answer section in the Community FAQ. I may be able to edit it in sometime.

Also to the previous commenters, I think the confusion just comes from a lack of familiarity with Linux, which is totally to be expected if this phone is to reach a wider audience as we all hope!

There are at least tens of different articles on the internet already about this as it’s nothing unique about the Librem 5 or PureOS, why repeat everything here too?

EDIT: Here’s a thorough guide from google https://www.wikihow.com/Change-the-Root-Password-in-Linux

For historical reference, here is the initial issue we filed related to this: https://source.puri.sm/Librem5/OS-issues/-/issues/60

Note that we decided to go a step further than the ticket requests, and instead of just disabling the root password (having ! in /etc/shadow), we actually lock the root account itself. You can follow the merge request linked to that ticket to see the exact way we accomplish this.

6 Likes

True, you can find all kinds related from the web put the best should still be gathered. Or at least point to the best sources and tell what to keep an eye for (like that sudo su is not usable) - less experienced will love you for it. Just trying to think what could be helpful.

Or just lack of familiarity with root

I know for people who have been using Linux for decades a lot of the questions fielded here can be annoying. But I think it is important that questions like this be fielded here, and not answered with, go google it.

The reason for this is because many people already find many Linux related topics confusing. Throwing them to the wolves through internet related answers could serve to over complicate already complicated subjects, and could help spread misunderstanding and misinformation.

Furthermore, this thread isn’t purely about the technical aspects of locking the root account. It is also about why Purism did this, and to allow them to expound some on it.

All in all this thread is warranted and necessary, especially as the Librem 5 gains popularity.

2 Likes

I imagine perhaps locking root password is so noobs new to linux dont sudo su and log into and operate inside the root user account as you can really bork your system doing so if you start experimenting with terminal commands .

Where as sudo will only operate one command , sometimes multiple if done inside a short time when the sudo password was entered ,

Once you sudo su or log into the root you have full root privileges . If you get a virus which is extremely rare for a linux system when logged into root account an algorithm could run changing settings where your system could get hijacked without asking permission to make those changes that could lead to intrusion.

In general it’s always safer to use sudo and I really dont even see a reason for operating logged into root unless you plan on doing an extended amount of work to the system where youd have to keep re entering sudo . Even then I’d rather continue entering sudo .

2 Likes

This.

If you look at /etc/shadow it begins with root:!:

That means that it is literally impossible to password authenticate into the root account.

This doesn’t matter at all (apart from being a good thing) because

  • you can still execute functions as root using sudo
  • sudo prompts for your password, not root's password

This is explained, albeit not in a crystal clear way, in
man passwd
man shadow

So the effect of all this is …

no, not really. A Linux noob can still get into root and can still stuff the phone up.

However it should be the case that if a Linux noob avoids the shell prompt then the Linux noob can stay safe.

But sudo SU or root account would allow virii esque algorithms to stealthfully change things without your permission if you clicked on a corrupt email or link as opposed to the off chance of that happening while you are in sudo shell

I don’t consider myself a Linux noob even, but I have not ever bothered looking into this.

What does locking root accomplish when sudo exists? What functional difference is there? What makes it good practice to block password access to root?

1 Like

Sorry but you didn’t (not in the mentioned MR at least), the patch you’re referring to is doing exactly that - locking root’s password.

And what that option is doing is

        elif self.settings['lock-root-password']:
            self.message('Locking root password')
            runcmd(['chroot', rootdir, 'passwd', '-l', 'root'])

Just makes brute-forcing root’s password impossible via console and su (as it’s disabled by default nowadays in ssh anyway)

2 Likes

Not generally a problem if sudo prompts for your password - unless of course you enter your password when prompted.

In theory, I think it would be possible to trick a user into entering the password to allow sudo to proceed, particularly a noob user.

The seriously security-conscious would have two accounts - one for general use which does not have unrestricted sudo rights (or has no sudo rights at all) and one for admin use which does have unrestricted sudo rights.

That may or may not be satisfactorily convenient.

This is how I have set up Mrs @kieran, who by comparison with me is a noob user.

It’s just good security practice to disable something that is not used.

Distros like Ubuntu never require you to login as root - so why leave root as a valid account that could in theory be logged in as? Why give hackers a chance to brute force the account? Or find a crypto weakness in the hashed password? It may be a very very small exposure but why even offer it?

As a theoretical example, assuming you allow ssh access into the Linux computer, and assuming that ssh is configured only to allow password authentication … why even offer the possibility that someone could ssh in as root? (This is a bad example though because most SSH servers by default wouldn’t allow root in at all.) By locking the root account though, you are covering all inbound protocols that use password authentication, regardless of whether the server applies a special rule for root.

sudo is a very flexible command. It can be configured to allow only certain commands or to apply other restrictions. However, as used by most people, if you can sudo at all then you have no restrictions.

1 Like

Sudo SU is akin to logging into root . You are then in a root account like shell where while in Sudo su you are no longer prompted for a password for the duration of your being in .

Yes, although I prefer sudo -i

I think it is considered bad form to do either - particularly if you are a noob, since you may forget that you are still executing shell commands as root, albeit that the shell prompt gives you a clue.

1 Like

Sure. I only do it myself when I dont feel like logging out to log back to root for extended tinkering but I am not a noob either.

for people that are not familiar with the CLI in Linux or the BASH shell there is a really simple trick to remember.

when at the CLI (in a terminal GUI) look for these things :

  1. the dollar sign ( $ ) means that the account you are currently logged in, is a standard non-sys-admin level account. this means that whatever you type in, is LESS likely to cause something MAJOR.
  2. the hashtag sign ( # ) means that the account you are currently logged in, is a sys-admin level account. this means that whatever you type in, has the potential to cause something MAJOR. in some cases it could even be something unexpected, even if you have a general idea about what you are doing. shit happens sometimes.

to be prudent means to always have a back-up or have an auto-backup-system in place.

some general topics for people to be interested in if they want to get deeper into the know are :

  • Linux - User and Group Management
  • Linux - System Information and Directory Structure Tools
  • Linux - Shells and Processes
  • Linux - Files and Permissions
  • Linux - Desktops and Remote Access

hope this helps at least somebody !

4 Likes