Linked by Thom Holwerda on Tue 28th Feb 2012 23:11 UTC
Linux Linus Torvalds on requiring the root password for mundane tasks. "So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace 'my kids' with 'sales people on the road' if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place." Yes, it's harsh (deal with it, Finns don't beat around the bush), but he's completely and utterly right. While there's cases where it makes sense to disable certain settings (public terminals, for instance), it is utterly idiotic that regular home users have to type in their root password for such mundane tasks.
Thread beginning with comment 508834
To read all comments associated with this story, please click here.
The opposite is also true...
by rklrkl on Tue 28th Feb 2012 23:51 UTC
rklrkl
Member since:
2005-07-06

It may be "idiotic" to prompt for root's password for mundane tasks, but it's also "equally idiotic" to allow your own unprivileged password to be used to authorise "non-mundane" superuser tasks (particularly the installation/removal of system software).

This is something Ubuntu does via its sudo system and it's 100% wrong - tasks that can significantly change your system installation should require a privileged username/password and not a normal user's! Ubuntu is also dumb for not accepting root's (privileged) password when it prompts for privilege escalation - it only accepts your own (unprivileged - or at least it should be) password!

The very first thing I do on such a broken Ubuntu system is "sudo passwd root", so that I can su to root and do my privileged stuff that way. I don't know if they fixed it in later Ubuntu releases, but if you had to fsck the system disk on bootup of early Ubuntu releases, it would say "enter root password for maintenance" as part of the boot sequence. Genius that, because Ubuntu sets a random root password and never tells you it, ho hum.

Edited 2012-02-28 23:56 UTC

Reply Score: -2

No it isnt Member since:
2005-11-14

Wow, you completely do not understand the purpose of sudo or how it works. If you don't want a user to be able to use sudo, don't place the user in the sudoers list. Anyone in that list is by definition a privileged user (a sudoer), so sudo does in fact require a privileged username and password.

Reply Parent Score: 13

Delgarde Member since:
2008-08-19

Wow, you completely do not understand the purpose of sudo or how it works. If you don't want a user to be able to use sudo, don't place the user in the sudoers list. Anyone in that list is by definition a privileged user (a sudoer), so sudo does in fact require a privileged username and password.


It's been a while since I did a clean install of either, but I believe the default configuration of both Ubuntu and Fedora is for users to "sudo anything", using their own password for authentication. Easily changed, but it *is* the default.

Reply Parent Score: 2

RE: The opposite is also true...
by AdamW on Wed 29th Feb 2012 02:35 in reply to "The opposite is also true..."
AdamW Member since:
2005-07-06

Ubuntu's philosophy is that the first created user account *is* a privileged user. It's a perfectly reasonable philosophy that applies to most Ubuntu use cases. User accounts beyond the first get fewer privileges than the first created account, and you can downgrade the first created account also if you prefer that.

Reply Parent Score: 4

Soulbender Member since:
2005-08-18

This is something Ubuntu does via its sudo system and it's 100% wrong - -asks that can significantly change your system installation should require a privileged username/password and not a normal user's!


Your understanding of sudo is 100% wrong. What security do you think having to use the root password rather than your own gives? Hint: none. They're both passwords that you have to give and neither has an inherent security advantage over the other.
This is exactly how sudo is designed to work and it means that you can delegate privileges better than if you use a single root password.

it only accepts your own (unprivileged - or at least it should be) password!


There's no such thing as an unprivileged password. There are accounts with more or less privileges.

The very first thing I do on such a broken Ubuntu system is "sudo passwd root", so that I can su to root and do my privileged stuff that way


Never work as root, use sudo or if you really think you need to continue this bad practice: sudo su -

Genius that, because Ubuntu sets a random root password and never tells you it, ho hum.


root on Ubuntu has an empty password, not a random one, and that is why you can't log in with it. Accounts with empty passwords can by default not have interactive sessions.
And no, Ubuntu does not prompt you for the root password when fsck has to be run at boot.

Edited 2012-02-29 05:19 UTC

Reply Parent Score: 13

laffer1 Member since:
2007-11-09

This is wrong. sudo is great for desktops. However, for servers, you should never use sudo. Why? Most servers have servers such as openssh and mail running. That means someone can brute force your password remotely. If you have a root password set, then even if they get into your account, they must take the time to brute force root. Hopefully this extra time will make it possible for someone to notice the attack.

Full sudo rights on a server == full root for everyone on the internet courtesy of botnets.

Reply Parent Score: 3