Why is it bad to login as root?


Note: For help with configuring sudo privileges via its configuration file /etc/sudoers, please see Sudoers.

In Linux (and Unix in general), there is a SuperUser named root. The Windows equivalent of root is the Administrators group. The SuperUser can do anything and everything, and thus doing daily work as the SuperUser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases, this is necessarily root, but most of the time it is a regular user.

By default, the root account password is locked in Ubuntu. This means that you cannot login as root directly or use the su command to become the root user. However, since the root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in - it allows authorized users (normally "Administrative" users; for further information please refer to...



Thanks, I really needed that.

As for root, why are you moving root-only stuff in konqueror anyway...? And the general idea is worst case scenario: you _don't_ know what could happen and that's why you don't run root. Not because you know modules could be destroyed (I don't know how they came up with this one) or because you can accidentally delete stuff, etc. Because in this case, we would just alias rm to 'echo' and find solutions for other warnings. But we would not be off the hook - the only way to plan for the unexpected is to limit yourself enough, it just couldn't physically happen. This same idea is applied in other security fields, such as firewalls (drop ALL, allow Some).

No. It's good.

Let us know how it works out for you.

Maybe even set up Apache and host an internet diary of your experiences. A simple filter and...


David: I only half-agree with your assertion that it is harder to crack unknown accounts than it is to crack a known (root) account.

On its face this is strictly true as there is zero randomness to guessing 'root' on a *NIX system but in reality many systems that one would actually want to break into will have many, many accounts. You can be reasonably assured that at least one, if not more, of those accounts will follow the convention "first initial, last name" or "firstname".

I have a 'username' dictionary that goes along with a password dictionary, which is simply the top 50 female and top 50 male names from the US Census, combined with the top 100 last names (same census) and on any production machine it always manages to find at least a few of the usernames.

I guess what it boils down to is whether we're really talking about just defending against botnet bruteforcers, or a knowledgeable attacker. For the latter, I don't think the randomness of usernames...


I think everyone should be warned NOT to log in as root.

Then they should learn to log in to the desktop as root.

That way they learn NEVER to do it again...

I converted my business computers to Linux in 1998 when Red Hat finally became usable for every day work. I had all my best customers / clients converted to Linux by 2001. I still can't see any good reason to log in to the desktop as root.

But it is possible, and the OP did ask. The OP wrote that he/she was used to logging in as root in their previous Linux distros. And the forum is usually here to answer questions. And I had just had to fix something in MDM and noticed the option was there.

But the warning still stands. Just because it is possible to drive your car from outside, with a brick on the throttle and steering through the window - you should never do it.

Same goes for logging in to a desktop as root - and the results are about as predictable. Advice for any new Linux...


In playing with my new install of etch I broke KDE in my one lone user account. "OK" I thought "I'll just log in as root, fix the problem, then reboot." This is when I got the error message: "root logins are not allowed."

I can switch to a root X session once I have the machine up and running, but I am not allowed to log into one directly without first opening a user session.

I got around it by booting into single user mode, providing the root password, then startx. However I'd rather avoid this in the future if I can.

Please, no explanations on why I shouldn't open a root X session. I know, I know.... Still, there are times when I really do want to boot directly into a root X session. How do I enable...


Semi urgent:

All of a sudden, root login to our WebMin interface is failing. But, I can use the same user: root pwd: ****** that I have been using all along to log into the server via SSH-shell terminal session.

I did make any changes recently. I had some notifications that WebMin ran some auto-updates, and I have a man working on security issues for PCI compliance but I'm not aware of anything he did that would disable root login to the WebMin virtual interface. Of course he could have done something, but I don't know what and cannot check with him until next week but I need to get in asap. Anyway... I have logged into WebMin as root since he had been doing his work.. so I think it is something else.

So, how do I troubleshoot this and fix it? (via terminal of course, since I am locked out now from the WebMin application...


This is an important point, so I'll state it here as well as (with more detail) later in my post: Enabling root logins does not increase your degree of control over your system--as an administrator, you can already run any command or program as root.

I'm not sure the method described by Cihan actually works (without additional steps), since the root user account is disabled via its entry in /etc/passwd. If root logons are enabled in KDM, that just means KDM allows them, not that it ensures they will succeed, and since there would still be no password which is correct for root, it seems unlikely that this method would make it possible to log in as root.

The page actionparsnip linked to in his first post was written with care, and is an important part of Ubuntu's community documentation. It explains how sudo works and why it is considered good to use sudo (or the appropriate graphical frontend) and bad to enable root logins. It also tells you how to enable root logins,...


TL;DR: Do things as root only when you have to. sudo makes this pretty easy. If you enable root logins, you can still follow this rule, you just have to be careful to do so. Although enabling root logins is not actually insecure if done right, you don't need to enable root logins because you have sudo.

There are really two related questions here.

Why is it bad to log in as root for one's everyday computer use (web browsing, email, word processing, gaming, etc.)? Why does Ubuntu default to disabling root logins altogether and using sudo and polkit to enable administrators to run specific commands as root?

Why not run everything as root, all the time?

Most of the other answers cover this. It comes down to:

If you use root powers for tasks that don't require them, and you end up doing something you didn't mean to do, you could change or harm your system in a way you don't want. If you run a program as root when you didn't need to, and it ends up doing...

There are two questions here. One is, why is root login disabled by default in Ubuntu? That's been addressed by several of the posts here.

The second question is, why are graphical root logins particularly disparaged?

All the disadvantages of nongraphical root logins apply to graphical root logins too. But when you log in graphically, you run far more programs, operating in a far more complex way, than when you log in nongraphically. The entire graphical user interface and all the graphical programs needed to use a GUI effectively, would be running as root. A tiny security vulnerability in any of them would enable someone to take complete control over your system.

Logging in as root at all is not recommended in Ubuntu, but there is no consensus in the security community that it is universally a bad practice. Graphical root logins, however, are simply a bad practice, and almost all operating systems have phased them out or strongly recommend against...



While it's possible to do, it is not recommended.

To actually enable root logins first you have to set a password for the root account and then unlock the locked root account. If you don't set a password for the root account the passwd command will return

passwd: unlocking the password would result in a passwordless account.

So, first execute in a terminal

sudo passwd root

you will be prompted for a new Unix password. Write it twice (second for confirmation).

Then execute

sudo passwd -u root

to unlock the account. This should return

passwd: password expiry information changed

If you want to disable root account in Ubuntu you need to lock the root account by using the following command sudo passwd -l root

If you want to work on a root console you can also use sudo -i.

Only do this if you know what you are doing. More information on why to stay with sudo here

pkexec gnome-terminal will open a terminal with a root...

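An added example, not part of the answer above: a shell function that reads a shadow(5)-format file and reports the state of root's password field, which is what `passwd -l` and `passwd -u` toggle. The sample entries and their placeholder hash are constructed; reading the real /etc/shadow requires root privileges.

```shell
#!/bin/sh
# Added example: classify root's password field in a shadow(5)-format file.
# Prints one of: locked | locked-hash-kept | empty | set | missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")             print "empty"             # passwordless account
            else if ($2 ~ /^[!*]+$/)  print "locked"            # no hash stored; passwd -u refuses
            else if ($2 ~ /^!/)       print "locked-hash-kept"  # passwd -l on a set password
            else                      print "set"               # root can authenticate directly
            exit
        }
        END { if (!found) print "missing" }
    ' "${1:-/etc/shadow}"
}

# Constructed sample entries; the hash is a shortened placeholder, not a real one.
sample_shadow_entry() {
    case $1 in
        default)  echo 'root:!:19000:0:99999:7:::' ;;
        enabled)  echo 'root:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::' ;;
        relocked) echo 'root:!$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::' ;;
        empty)    echo 'root::19000:0:99999:7:::' ;;
    esac
}

# Walk the samples through the classifier ("-" makes awk read standard input).
for s in default enabled relocked empty; do
    printf '%-9s %s\n' "$s" "$(sample_shadow_entry "$s" | root_password_state -)"
done
```

A result of `locked-hash-kept` means the old root password becomes valid again as soon as someone runs `passwd -u root`, so it is worth distinguishing from a root account that never had a password set.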


To actually enable root logins, first you have to set a password for the root account, and then unlock the locked root account. If you don't set a password for the root account the passwd command will return

`passwd: Unlocking the password would result in a passwordless account`

So, first execute in a terminal

sudo passwd root

you will be prompted for a new Unix password. Write it twice (second for confirmation).

Then execute

sudo passwd -u root

to unlock the account. This should return

passwd: password expiry information changed

Reverting back

If you want to disable root account in Ubuntu you need to lock the root account by using the following command sudo passwd -l root


Open the terminal and type

gksudo gedit /etc/lightdm/lightdm.conf

(Original) this is what it should already look like:

[SeatDefaults]
greeter-session=unity-greeter
user-session=unity
...




Re: Security.

IMHO there is only so much you can do, security wise, short of unplugging the box, disconnecting it from the network, and welding it inside a 3" thick bullet-proof carbide-steel box.

Think of it this way - if folks can hack the Department of Defense, the CIA, the FBI, and Citibank - the rest of us mere mortals can't do much better.

Re: SSH security.

I not only forbid root access via ssh, I also set the "AllowUsers" parameter to my, and only my, username. This way nobody but my own user can log in via ssh. This may be redundant as in my own case, I only create ONE non-root user anyway.

Unfortunately, as others have said many times before, as soon as someone gets physical access to the box, all bets are OFF!

Certificate exchange for ssh login? Hmmmm. . . . sounds good. How do you do it?


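The two SSH settings from the post above (no root login, "AllowUsers" limited to one user), as an added example that is not part of the original thread: a shell function that audits the global section of an sshd_config-format file. The user name alice and both sample configurations are constructed; only "Keyword value" lines are read and Include files are not followed.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-format file.
# Prints the PermitRootLogin and AllowUsers values it found; exit status is 0
# only if root login is "no" and AllowUsers is set without admitting root.
audit_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { exit }                  # stop at the first Match block
        key == "permitrootlogin" && prl == "" { prl = tolower($2) }  # first value wins
        key == "allowusers" {                    # repeated lines accumulate
            for (i = 2; i <= NF; i++) {
                users = users (users == "" ? "" : ",") $i
                # literal root, root@host, or a wildcard that may match root
                if ($i == "root" || $i ~ /^root@/ || $i ~ /[*?]/) root_listed = 1
            }
        }
        END {
            print "PermitRootLogin=" (prl == "" ? "unset" : prl)
            print "AllowUsers=" (users == "" ? "unset" : users)
            exit !(prl == "no" && users != "" && !root_listed)
        }
    ' "${1:--}"
}

# Constructed sample configurations ("alice" is a made-up account name).
sample_sshd_config() {
    case $1 in
        hardened) printf '%s\n' '# constructed sample' \
                      'PermitRootLogin no' 'AllowUsers alice' ;;
        weak)     printf '%s\n' '# constructed sample' \
                      'permitrootlogin yes' 'Match User backup' \
                      '    AllowUsers backup' ;;
    esac
}

for cfg in hardened weak; do
    if sample_sshd_config "$cfg" | audit_sshd_config - >/dev/null
    then echo "$cfg: ok"; else echo "$cfg: needs attention"; fi
done
```

On a live host, `sshd -T` prints the effective configuration after defaults and Include files are resolved, which is the authoritative source for the same two values.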