Hi Everyone,

Is there a way that I can give myself root permissions in Mandrake 8.1? It's kind of a pain in the butt to have to type the root password in every time I want to change something.

Neil

I dunno, but there's a reason you have 2 accounts. It's for your benefit. Trust us!

I agree with Jomboni, having a seperate user for yourself is always a good idea. If you want to make the process easier, look into sudo, it allows you to execute things as if you were root.

SC

Originally posted by scanez:
<STRONG>I agree with Jomboni, having a seperate user for yourself is always a good idea. If you want to make the process easier, look into sudo, it allows you to execute things as if you were root.

SC</STRONG>

Thanks - that sounds like what I'm looking for.

Originally posted by Jomboni:
<STRONG>I dunno, but there's a reason you have 2 accounts. It's for your benefit. Trust us!</STRONG>

That's wrong. When setting up Mandrake 8.1 you have the option of setting a password or not setting a password for root. Coming from a Novell background I set it for security just out of habit. Since this is a home PC I don't see what the benefit is. I gave myself the second account.

Neil

Originally posted by nfallon:
<STRONG>That's wrong. When setting up Mandrake 8.1 you have the option of setting a password or not setting a password for root. Coming from a Novell background I set it for security just out of habit. Since this is a home PC I don't see what the benefit is. I gave myself the second account.

Neil</STRONG>
I hope you are joking. Not setting a root password?

Originally posted by Strike:
<STRONG>Originally posted by nfallon:
That's wrong. When setting up Mandrake 8.1 you have the option of setting a password or not setting a password for root. Coming from a Novell background I set it for security just out of habit. Since this is a home PC I don't see what the benefit is. I gave myself the second account.

Neil</STRONG>
I hope you are joking. Not setting a root password?

It's one of the options when installing Mandrake 8.1

Now tell me what the benefit of me installing a password on my home system is.
There are no kids in the house, my wife has her own system, and nobody touches the computer. The computer is shared on my home network and is only used by me for experimentation. As a network admin for the last 20 years I don't see what difference it makes on a home system that is only touched by me.

My original question wasn't how to disable the password but how to give myself the root permissions.

Neil

The answer to your question is to make yourself UID 0. But it is still a bad idea, period, IMO.

Originally posted by Strike:
<STRONG>The answer to your question is to make yourself UID 0. But it is still a bad idea, period, IMO.</STRONG>

Strike,

You keep telling me it's a bad idea but you are not giving me your reasoning behind your statement. I've given you the reason that I don't see a problem with it.

You're saying that a user shouldn't have the same rights as the administrator even though the user is the administrator of the system. Please tell me what I'm missing here. For 20 years I have set up a user account for myself and given myself administrative privleges on both Novell and Win x systems. That's how most people are taught to do it in their networking classes. Why should Linux?

Neil

well, nfallon, i agree with strike - you just.................should, ok? lol

do what you like - the spirit of linux is to experiment and use it how you want, and i think anyone with a little sense would put a password on anything they deem worth protecting. have fun!

€/

You are missing something very important, you sound like you think there are only two groups, the user group and the root group which is only one person, root.

C'mon, we all know here is the adm group as well. Go to /etc/groups and enter your username after the other names in the adm group. You get administrator priviledges, but you're not root that way.

By default on Mandrake 8.1, a user of the adm group can NOT touch root, boot and etc dirs but can easily manage mnt, home and other directories.

Become an adm and you'll feel much better :)

I'm not an expert to answer the question whether it's good not to give root a pass.

Maybe it's true.

But is that safe when if I'm under attack?
Is it?

Part of my job involved running penetration tests on servers to ensure that the systems are secure and if they aren't, then to make them. A system, regardless of what it's being used for, should have passwords. A password is your first line of defense, and is likely the first thing that a script kiddie will try out on your system to gain root. Although a lot of people consider it lame to do manual password guessing, believe it or not, a lot of systems are cracked in this way.

If your Linux system is running any services at all such as ftp, telnet, ssh, rsh, popd, imapd, etc, then an attacker can attempt to crack into your system since you have no root password. If you don't have those services running, you still have your system on a shared network. If someone cracks in, they can crack into your Linux box and use it to mount an attack on another server, thus effectively getting your IP logged into the victim server. At the end of it all, the attacker formats your hard drive, thus removing all traces that they were there. How will you prove that it wasn't you who mounted the attack?

Security is always important regardless of what the system is being used for. Choosing a password is not enough. A bad and easily guessed password is as good as not picking a password. Is it so hard to take a couple of seconds to type a password? Is it better to spend a couple of seconds typing a password or spend days proving that it wasn't you who defaced the FBI's website?

[ 05 November 2001: Message edited by: X_console ]

Well put X_Console, im not a linux or security expert, but i know how mutch important passwords are, for example i made to crack my one system trough internet, now imagine a professional, he only takes 2seconds to crack my system how we was at that time, now im proud to have my system a little bit more secure (not enougth), i can understand why do we have to put an admin password if im the only login in the system, but you must think that some day you can make an error that it could compromisse your system functions.
But if you insist on being admin all the time you can edit /etc/passwd and where is your user account replace the "501:100::/is/home" by "0:0::/is/home." with this you will make your user to become root. Be warrend this is not a very good idea Remember security is fun, i like to test my one system, but i can not go deper because im not an security expert or system cracker, so i just do simple tests to my system and i say they are secure, but i know that they are not secure, but i donne all i know about security. Speaking about security is hack attackes a good book?
They told me it was a good book to understand security, if any one here as an opinion i woud like very mutch to ear it, or if you know another book that is better please name it, thanks
Hope i helped :)

Yes, but that question about whether it's good not to leave a password for root, has not been answered yet. Do we assume that it's definitely necessary?

...

I have a sinmple question, if someone say.. attacks my system, and I don't have given a root password, does he just pass?
I mean, I have no idea of the attack methods, is that a ticket to paradise for an attacker?

There are lots of documentation online for beginners who want to understand security. Some good sites:
http://www.packetstormsecurity.com http://www.securityfocus.com (they have a beginner's section) http://www.phrack.org (might be a little too advanced) http://security.oreilly.com (for books) http://www.hackingexposed.com (quite a popular book) http://docs.rinet.ru:8080/LomamVse/ (Maximum Security, apparantly this is now available online)


I really recommend reading the O'Reilly books and the Hacking Exposed book. It highlights the techniques used to crack into systemsewll as defensive measures that you can use to help secure your system.

Also check out the Security NHFs here at LNO for the basics on securing your Linux box.

Yes it is necessary to have a root password. Here's a simple analogy. You decide that you're tired of the world and the politics that run it, so you move to a deserted uncharted island. There you build a house with a front door. Would you create a lock for the door? You assume there are no humans who'll break in, but wouldn't you still want to lock your door even though you're far away from civilization?

A system without a root password is a free ride for a cracker. Here's an example. Let's say you have no root password. You're running telnet and ftp and you need to be able to ftp in as root and download files only root has access to, so you enable root logins through ftp. You figure, what harm can it cause right? After all, /etc/securetty prevents remote users from logging in as root, even with the right password.

1. As root I can ftp to your server and delete any files I want. You can jail the user and that will help to a certain extent.

2. Or more advantageous to me would be to login as root through ftp, download the passwd and shadow files, modify them by adding a regular user account, upload them back to your server, thus overwriting your original passwd and shadow file. Now I can telnet to your server, login as the regular user I created, and then su to root. I now have full control of your system.

nfallon :

I'm going to go against the grain here and suggest that you set things up the way you like. Assuming 1. You are behind a firewall - you owe it to everyone else not to become a bot and 2. You really don't care if you hose your system.

Having said that, if you've installed linux to learn then you will learn much more from setting things up 'correctly'.

The best protection a non priveleged account can offer is protection from yourself. You don't really want to get things tweaked exactly how you want them and then blow it all away with a foolish keystroke .....then again that might be the way you'd like to learn about backup as well.

Originally posted by evil_roy:
<STRONG>nfallon :

I'm going to go against the grain here and suggest that you set things up the way you like. Assuming 1. You are behind a firewall - you owe it to everyone else not to become a bot and 2. You really don't care if you hose your system.

Having said that, if you've installed linux to learn then you will learn much more from setting things up 'correctly'.

The best protection a non priveleged account can offer is protection from yourself. You don't really want to get things tweaked exactly how you want them and then blow it all away with a foolish keystroke .....then again that might be the way you'd like to learn about backup as well.</STRONG>


I think I can manage not to change anything that I can't change back. I also think I know after 20 years as a Lan Administrator how to back up a system.

Not one of you has read the fact that I am using the machine as an experimental machine.

Have any of you ever used DOS 1.0? I know what can happen on new operating systems. I started with DOS 1.0 which was unforgiving. I also know the importance of a password in a networked environment. I never said that I didn't. I asked for clarification on why I should not give myself root permissions on a box that nobody can get to and is here to experiment on.

Only one of the above posts addressed the question. The answer that I may screw something up. That scenario I have taken into account. That's why there is no data of any importance being stored on the machine.

And no I am not the type of person that learns through crashing a system and starting from scratch. That's why you will see me ask questions in these forums and read what I can can to find out the answer before attempting to do something.

Neil

Having stopped reading way back up where you said "as a admin for &lt;x long&gt; i don't see the point in having a password on root on a home system that's not connected to the 'net" or something along those lines, I gotta point out the #1 reason to make it work properly as a non-root user - no/limited sudo, no su'ing, so setuid/gid bits - it means you have a properly configured system.

That's the way it is designed to work. I have full use of my system, and the only time I need root level access is when i connect/disconnect from the 'net, or update/install software/the kernel.
Remember, Linux is a true multiuser system - when properly configured, you (and whoever else is allowed) should be able to use (as opposed to maintain) your computer without any special rights, even at the same time.

Originally posted by ph34r:
<STRONG>Having stopped reading way back up where you said "as a admin for &lt;x long&gt; i don't see the point in having a password on root on a home system that's not connected to the 'net" or something along those lines, I gotta point out the #1 reason to make it work properly as a non-root user - no/limited sudo, no su'ing, so setuid/gid bits - it means you have a properly configured system.

That's the way it is designed to work. I have full use of my system, and the only time I need root level access is when i connect/disconnect from the 'net, or update/install software/the kernel.
Remember, Linux is a true multiuser system - when properly configured, you (and whoever else is allowed) should be able to use (as opposed to maintain) your computer without any special rights, even at the same time.</STRONG>


I plan to develop device drivers on the system!

Not being a Linux guru (although not a compelte newbie either) I'll start by saying that the root account should always be passworded. You said you plan to develop drivers, and as such, you'll be doign work (time consuming work) you don't want to loose over a typo in a command typed as root.

Security is another issue of course.
As a network engineer myself, i can see no valid reason for that box not to be secured.
Someone pointed out "how can you prove you didn't deface the fbi's website) and i'd like to address that.
Frankly, if the hacker who, using the method posted, ftp'ed as root, created an account, ssh or telneted , then su, hacked whatever, and formated my drive, the "can you prove " argument dies off.
Why?
First of all, in the US, you are innocent until proven guilty.
so , can you prove my machine did it? well, most likely not, especially not if the hacker bothered shreding all the files first, or formating in such a way that data recovery isn't possible.

Second of all, anyone who tried to take you to court, with nothing but "oh well it was comign from your IP" would get laughed in the face silly.

Ip spoofing is still out there, and a lot of networks (especially smaller isp's) don't have proper filters on their routers (much less proper routing policies, but thats a separate matter)

now that i've said that, the root account is not comparable to the administrator of a windows system, they are similar, but not identical.

Learning linux the right way, rather than pickign up bad habits from the start is a better idea IMHO.

Aside from the root password issue, you do not want to give a regular user root status on the system. Even if it is yourself.

The reason it is recommended that you create a seperate account for you to use is because if you accidentally type 'rm -rf /' and hit enter without realizing what you have just done, you've just wasted a lot of time. That's just one scenario, mind you. There are many more. For example - viruses.

Viruses are not a major problem on Linux systems. Two reasons for that.

1.) Not enough people use Linux (compared to Windows) that it makes it worthwhile for a programmer to write a virus. Right? It's more fun to destroy something when you can destroy a lot of that something.

2.) Permissions. Linux has 'em. Windows doesn't. However, if you give a regular user root access, and you run a virus unknowingly, you are...well...for lack of a better term, screwed.


It really is not that big of a deal to type in the password for root. If you are using a graphical interface (KDE) you can set up the programs that need to run as root often to automatically login as root. (Still not safe - but not like giving yourself complete root access.)

And, like X_Console has been saying - some person with some idle time on their hands may decide your computer should be used in the next attack against the FBI's computer system.


Dark Ninja


SIDE NOTE: If this computer was not connected to a network or to the internet in any way, then, this would be a different story. But, it is. You should take proper measures in protecting yourself, and, you should also take these measures in order to protect the internet community.

Let's look at it from another perspective. Let's say you own a company and you're developing this secret brand new product that will revolutionize the computing industry. Only a select few people know. Suddenly your system is cracked into, your product specs are leaked out, and you've lost millions in design and planning. You investigate the the attacker's IP leads to a Linux box. Wouldn't you want to question the owner and find out who's responsible? Millions of dollars were lost, and someone has to take the blame.

Frankly I don't want to have to waste my time dealing with a company and authorities who suspect that I cracked into their network and stole information. Sure, maybe they can't prove it was you, but they can sure take up a lot of your time and inconvenience you. I don't want my reputation to be ruined as a network/systems administrator for many years who's system got cracked because it was too inconvenient to type the root password. What would my boss think? If I can't secure my own home systems, what would make him think I can secure an entire network of hundreds of machines? What happens if the attacker didn't format your system but instead left some of the stolen documents on the system and just modified the log files to make it look like you did attack? Spoofing or no, you're going to have to hire a lawyer to prove it wasn't you and lawyers cost money.

Innocent until provent guilty, ask yourself how much value that statement holds. You left your wallet on your desk, you see the janitor pass by, next thing you know your wallet's gone. Did the janitor take it? He was the only one there. Or was he? Who do you blame first? It's human nature to blame whoever we saw first. In our minds, that person is already guilty, until proven innocent.

Do you really want to be the headline news on Yahoo or CNN about the person suspected of cracking into a company and causing them to lose millions of dollars?

Please understand that this is not a flame or anything of the sort. It is not my intention to offend anyone. I'm just expressing my views on this matter and why I think even the most basic security practices must be put into place.

I can understand all of the points that evryone has made. The point that you're not understanding is that this machine will not have access to the internet.

As far as hackers go I think I can deal with that. The above statement says it all.

If the machine was going to be used as an internet client or in a position that someone could get into the system I would agree with what all of you are saying. I asked the question out of pure convienence for myself while developing applications.

Neil

Originally posted by Dark Ninja:
<STRONG>Aside from the root password issue, you do not want to give a regular user root status on the system. Even if it is yourself.

The reason it is recommended that you create a seperate account for you to use is because if you accidentally type 'rm -rf /' and hit enter without realizing what you have just done, you've just wasted a lot of time. That's just one scenario, mind you. There are many more. For example - viruses.

Viruses are not a major problem on Linux systems. Two reasons for that.

1.) Not enough people use Linux (compared to Windows) that it makes it worthwhile for a programmer to write a virus. Right? It's more fun to destroy something when you can destroy a lot of that something.

2.) Permissions. Linux has 'em. Windows doesn't. However, if you give a regular user root access, and you run a virus unknowingly, you are...well...for lack of a better term, screwed.


It really is not that big of a deal to type in the password for root. If you are using a graphical interface (KDE) you can set up the programs that need to run as root often to automatically login as root. (Still not safe - but not like giving yourself complete root access.)

And, like X_Console has been saying - some person with some idle time on their hands may decide your computer should be used in the next attack against the FBI's computer system.


Dark Ninja


SIDE NOTE: If this computer was not connected to a network or to the internet in any way, then, this would be a different story. But, it is. You should take proper measures in protecting yourself, and, you should also take these measures in order to protect the internet community.</STRONG>

You are wrong about permissions on windows. FAT and FAT32 partitions can't provide ANY decent permission system. They just have that elemendary school "read only" option.

But on win XP, 2000 and NT there is some decent partition called NTFS.
What makes NTFS an ALPHA in security matters is how Microsoft treats their customers.

They assume people are stupid, even network administrators.

An administrator of NTFS can't delete his system files! He gets 'access denied' all along.

And there is NO account who won't take this message. The have some "virtual" users for these matters I think.

But anyway, what matters is that on NTFS you 're not the man, microsoft is.

What else do you need to agree that 'Microsoft sucks' rants are necessary! :)

Originally posted by nfallon:
<STRONG>I can understand all of the points that evryone has made. The point that you're not understanding is that this machine will not have access to the internet.

Neil</STRONG>

LOLOLOL!!!

you rule!

LOLOL!.

Of course we assumed that! What did you think:

"Computer, computer, can you hear me computer?"
Scottie

You said you had your Linux box networked to your "other" computer. (Or something of that nature.) If that "other" computer is on the internet, then the Linux box is on the internet.

And...yeah...from the way you are talking, it sure seems that you were putting it on the internet.


Dark Ninja


P.S. FateSWarm - I was referring to Windows 95/98/ME when I was doing my spiel. :D I must have forgotten the almighty Windows NT/2000/XP systems. Thanks for clearing that up.

Originally posted by Dark Ninja:
<STRONG>You said you had your Linux box networked to your "other" computer. (Or something of that nature.) If that "other" computer is on the internet, then the Linux box is on the internet.

And...yeah...from the way you are talking, it sure seems that you were putting it on the internet.


Dark Ninja


P.S. FateSWarm - I was referring to Windows 95/98/ME when I was doing my spiel. :D I must have forgotten the almighty Windows NT/2000/XP systems. Thanks for clearing that up.</STRONG>


Dark Ninja,

Show me one of my posts that said that I was putting the box on the internet or on a network that has an internet connection. I said that it was going on my home network. I also stated above that it would not be on the internet or have access to it.

My wife and I both have our own cable connections via our own systems that we use for the internet.

Because I have been into networks for 20 years I have always had a network setup at home to experiment with.

Neil

If you keep your system secure, than you keep everyone's system secure by not letting anyone use your computer to attempt to gain access to someone elses. Every day I look in my firewall log and trace back attempted port scanning from Linux boxes that aren't kept secure. One day that box might be on the internet.

eh I say, do what you want, experiment, but its not only for security reasons, like a few people have said already, if you're unsure, or even if you just make a typo, as root, or a user that basically is root , you can really hose your system, just good to know. but to do it, like someone said, edit ur /etc/passwd file and set ur UID and GID to 0, good luck and have fun with linux ..
-neural

Originally posted by X_console
There are lots of documentation online for beginners who want to understand security. Some good sites:
http://www.packetstormsecurity.com http://www.securityfocus.com (they have a beginner's section) http://www.phrack.org (might be a little too advanced) http://security.oreilly.com (for books) http://www.hackingexposed.com (quite a popular book) http://docs.rinet.ru:8080/LomamVse/ (Maximum Security, apparantly this is now available online)


I really recommend reading the O'Reilly books and the Hacking Exposed book. It highlights the techniques used to crack into systemsewll as defensive measures that you can use to help secure your system.

Also check out the Security NHFs here at LNO for the basics on securing your Linux box.

i understand there are many choices of O'Reilly's.
which one would you recommend for like covering overall security fundamentals of linux box?

Since your are so adamant about not having a root password or giving yourself root privleges, go ahead and do it.
Just remeber when you are root or have root privleges and you enter the command: rm / home/nfallon/file.txt, / goes away! This is how we learn, the hard way. root should be used sparingly.

If you cannot see the issues surrounding the need for a root password and you dont want to be prompted for root's passwd then why not just login as root and run that way.

However, from experience, this will lead to trouble in the end. If not from hacker, crackers, and the like, then most assureadly from yourself! Its a painful lesson that everyone is trying to save you from.

Just my 2c...

OK folks, let's not resurrect a dead debate here. Look at the post dates; before shadowrider's post this thread was dormant for almost 2 years.


shadowrider,

X_console rarely visits the forums any more, so don't be surprised if he doesn't see this. If you have a question regarding books on security, post a question in the Web Serving/Security forum; I'm sure you'll get a number of good suggestions there.

:)