What does locking the root password do?

There are at least tens of different articles on the internet already about this as it’s nothing unique about the Librem 5 or PureOS, why repeat everything here too?

EDIT: Here’s a thorough guide from google https://www.wikihow.com/Change-the-Root-Password-in-Linux

For historical reference, here is the initial issue we filed related to this: https://source.puri.sm/Librem5/OS-issues/-/issues/60

Note that we decided to go a step further than the ticket requests, and instead of just disabling the root password (having ! in /etc/shadow), we actually lock the root account itself. You can follow the merge request linked to that ticket to see the exact way we accomplish this.

6 Likes

True, you can find all kinds related from the web put the best should still be gathered. Or at least point to the best sources and tell what to keep an eye for (like that sudo su is not usable) - less experienced will love you for it. Just trying to think what could be helpful.

Or just lack of familiarity with root

I know for people who have been using Linux for decades a lot of the questions fielded here can be annoying. But I think it is important that questions like this be fielded here, and not answered with, go google it.

The reason for this is because many people already find many Linux related topics confusing. Throwing them to the wolves through internet related answers could serve to over complicate already complicated subjects, and could help spread misunderstanding and misinformation.

Furthermore, this thread isn’t purely about the technical aspects of locking the root account. It is also about why Purism did this, and to allow them to expound some on it.

All in all this thread is warranted and necessary, especially as the Librem 5 gains popularity.

2 Likes

I imagine perhaps locking root password is so noobs new to linux dont sudo su and log into and operate inside the root user account as you can really bork your system doing so if you start experimenting with terminal commands .

Where as sudo will only operate one command , sometimes multiple if done inside a short time when the sudo password was entered ,

Once you sudo su or log into the root you have full root privileges . If you get a virus which is extremely rare for a linux system when logged into root account an algorithm could run changing settings where your system could get hijacked without asking permission to make those changes that could lead to intrusion.

In general it’s always safer to use sudo and I really dont even see a reason for operating logged into root unless you plan on doing an extended amount of work to the system where youd have to keep re entering sudo . Even then I’d rather continue entering sudo .

2 Likes

This.

If you look at /etc/shadow it begins with root:!:

That means that it is literally impossible to password authenticate into the root account.

This doesn’t matter at all (apart from being a good thing) because

  • you can still execute functions as root using sudo
  • sudo prompts for your password, not root's password

This is explained, albeit not in a crystal clear way, in
man passwd
man shadow

So the effect of all this is …

no, not really. A Linux noob can still get into root and can still stuff the phone up.

However it should be the case that if a Linux noob avoids the shell prompt then the Linux noob can stay safe.

But sudo SU or root account would allow virii esque algorithms to stealthfully change things without your permission if you clicked on a corrupt email or link as opposed to the off chance of that happening while you are in sudo shell

I don’t consider myself a Linux noob even, but I have not ever bothered looking into this.

What does locking root accomplish when sudo exists? What functional difference is there? What makes it good practice to block password access to root?

1 Like

Sorry but you didn’t (not in the mentioned MR at least), the patch you’re referring to is doing exactly that - locking root’s password.

And what that option is doing is

        elif self.settings['lock-root-password']:
            self.message('Locking root password')
            runcmd(['chroot', rootdir, 'passwd', '-l', 'root'])

Just makes brute-forcing root’s password impossible via console and su (as it’s disabled by default nowadays in ssh anyway)

2 Likes

Not generally a problem if sudo prompts for your password - unless of course you enter your password when prompted.

In theory, I think it would be possible to trick a user into entering the password to allow sudo to proceed, particularly a noob user.

The seriously security-conscious would have two accounts - one for general use which does not have unrestricted sudo rights (or has no sudo rights at all) and one for admin use which does have unrestricted sudo rights.

That may or may not be satisfactorily convenient.

This is how I have set up Mrs @kieran, who by comparison with me is a noob user.

It’s just good security practice to disable something that is not used.

Distros like Ubuntu never require you to login as root - so why leave root as a valid account that could in theory be logged in as? Why give hackers a chance to brute force the account? Or find a crypto weakness in the hashed password? It may be a very very small exposure but why even offer it?

As a theoretical example, assuming you allow ssh access into the Linux computer, and assuming that ssh is configured only to allow password authentication … why even offer the possibility that someone could ssh in as root? (This is a bad example though because most SSH servers by default wouldn’t allow root in at all.) By locking the root account though, you are covering all inbound protocols that use password authentication, regardless of whether the server applies a special rule for root.

sudo is a very flexible command. It can be configured to allow only certain commands or to apply other restrictions. However, as used by most people, if you can sudo at all then you have no restrictions.

1 Like

Sudo SU is akin to logging into root . You are then in a root account like shell where while in Sudo su you are no longer prompted for a password for the duration of your being in .

Yes, although I prefer sudo -i

I think it is considered bad form to do either - particularly if you are a noob, since you may forget that you are still executing shell commands as root, albeit that the shell prompt gives you a clue.

1 Like

Sure. I only do it myself when I dont feel like logging out to log back to root for extended tinkering but I am not a noob either.

for people that are not familiar with the CLI in Linux or the BASH shell there is a really simple trick to remember.

when at the CLI (in a terminal GUI) look for these things :

  1. the dollar sign ( $ ) means that the account you are currently logged in, is a standard non-sys-admin level account. this means that whatever you type in, is LESS likely to cause something MAJOR.
  2. the hashtag sign ( # ) means that the account you are currently logged in, is a sys-admin level account. this means that whatever you type in, has the potential to cause something MAJOR. in some cases it could even be something unexpected, even if you have a general idea about what you are doing. shit happens sometimes.

to be prudent means to always have a back-up or have an auto-backup-system in place.

some general topics for people to be interested in if they want to get deeper into the know are :

  • Linux - User and Group Management
  • Linux - System Information and Directory Structure Tools
  • Linux - Shells and Processes
  • Linux - Files and Permissions
  • Linux - Desktops and Remote Access

hope this helps at least somebody !

4 Likes

I don’t think I’ll be satisfied until after I know how to do a complete wipe and reload of the OS. To get good at anything, you need to take risks and to occasionally break things. If I damage the OS on my Librem 5 (and I am sure I will), how difficult is it to do a factory reset and start over?.

1 Like

I don’t want to derail this topic, but you can see the docs here (https://developer.puri.sm/Librem5/Development_Environment/Phone/Troubleshooting/Reflashing_the_Phone.html) to learn how to reset/reflash your phone. It is not necessarily beginner-friendly though, fair warning.

2 Likes

For reference, I was able to unlock the root password in the QEMU image:

Not difficult at all, if it is anything like Pinephone. Tomorrow morning I get to install the os for the third time in as many days; tor browser keeps crashing it so it looks like no tor browser on mobian for me.

I always wondered at the mechanism how some distros have you set the root password at install time and others don’t. Now I know.

2 Likes