14 August 2009

The Root Password Rumour

Every now and then, I see people make the following claim:

Ubuntu has a root password; they just don't tell the user what it is.

Rubbish. Some versions claim it is a randomly generated one. Rubbish. There is no root password, and this statement mustn't be confused with "the password is carriage return" (a usage RMS tried to popularize at MIT). Take a look at /etc/shadow, if you will (sudo less /etc/shadow). On a default install, the first few lines will look something like this:

root:*:14438:0:99999:7:::
daemon:*:14438:0:99999:7:::
bin:*:14438:0:99999:7:::
sys:*:14438:0:99999:7:::
sync:*:14438:0:99999:7:::

Contrast this with the line containing your user's name.

test:$6$.XQFA5P3$JYH9CpZS00DUAPDXcxc5qzP2vaNLrGj2TB5dlLj6rEVCOMpTt5XmFH7eL2TiDtXGApTknWhO6phpGyuac3DCU.:14470:0:99999:7:::

What is different? The second field (the part after the first ":") is a "*" for those system users and a long jumble of numbers and letters for the human users. The "*" means that the user cannot log in using a password. The long jumble of numbers and letters? That is a hash of the user's password. In this test user's case, that is a hash of the string "password". If you're interested in the other fields, see man 5 shadow.

This password has been hashed with SHA-512, as evidenced by the $6$ at the start of the hash. See man crypt for a list of other possible prefixes. Note that $1$ means MD5, a hash which has been rather thoroughly broken. Since 8.10, SHA-256 and SHA-512 are available and will be used if you reset your password. If you've still got an MD5 hash in there, it's likely a good idea to reset your password, if only because it means you haven't changed your password recently enough.

This rumour usually comes up in the context of someone pointing out that if you are a remote attacker, you can guess that root has all the power and so all that is needed is to brute force root's password. In Ubuntu's default setup, this won't work because there is no password that would succeed, regardless of how long you spent generating new passwords to try. Instead, the attacker would need to guess the correct combination of user-who-has-sudo-access and password—something exponentially harder. Well-meaning but misguided folks, attempting to protect us Ubuntu users from a false sense of security, then warn us that no, we're wrong, Ubuntu does have a root password. Well, the evidence is in /etc/shadow for all to see. Ubuntu has a locked root account, just the same as if one were to run sudo passwd -l (see man passwd).
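To check the second field of every account rather than eyeballing it, here is an added example (not part of the original post) that classifies each entry as locked, empty, or carrying a hash, and names the scheme from its prefix. It goes slightly beyond the cases shown above by also handling a "!" placed in front of an existing hash and an empty field; the function names and the sample lines are constructed for illustration.

```python
# Added example: classify the password field of /etc/shadow entries.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # prefixes per crypt(5)

def classify_field(field):
    """Return (state, scheme) for the second field of a shadow line."""
    if field == "":
        return ("empty", None)            # account needs no password at all
    locked = field[0] in "!*"             # no typed password can match this
    body = field.lstrip("!*")
    if not body:
        return ("locked", None)           # locked, and no hash was ever set
    parts = body.split("$")
    if body.startswith("$") and len(parts) >= 4:
        scheme = SCHEMES.get(parts[1], "other")
    else:
        scheme = "no-prefix"              # traditional DES crypt, or not a hash
    return ("locked" if locked else "password", scheme)

def audit(shadow_text):
    """Map each account name to its (state, scheme)."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            result[fields[0]] = classify_field(fields[1])
    return result

def needs_attention(result):
    """Accounts with an empty password or an MD5 hash that should be reset."""
    return sorted(name for name, (state, scheme) in result.items()
                  if state == "empty" or (state == "password" and scheme == "MD5"))

# Constructed sample, not a real shadow file; the hashes are placeholders.
SAMPLE = """\
root:*:14438:0:99999:7:::
alice:$6$EXAMPLESALT$PLACEHOLDERHASH:14470:0:99999:7:::
bob:$1$EXAMPLESALT$PLACEHOLDERHASH:14000:0:99999:7:::
carol:!$6$EXAMPLESALT$PLACEHOLDERHASH:14470:0:99999:7:::
dave::14470:0:99999:7:::
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, (state, scheme) in report.items():
        print(f"{name:6} {state:9} {scheme or '-'}")
    print("root locked:", report["root"] == ("locked", None))
    print("reset or fix:", needs_attention(report))
```

On a real system, pass the function the contents of /etc/shadow read with root privileges instead of SAMPLE.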


21 comments:

cantormath said...

"Ubuntu has a root password; they just don't tell the user what it is."

That is not true at all. One needs only read the manual.

http://ubuntuguide.org/wiki/Ubuntu:Jaunty#Assign_a_root_password

It is safer in many cases not to do things as root. It is not that Canonical does not tell you about root, you simply do not normally need to set a root password to use root. It is not a secret, but if you don't know about root, you should probably read more Linux howtos, manuals, etc., and you are probably better off not messing with root. It is easy to google knowledge about using or "enabling" a root user.

You can also type 'sudo -s' to become root. This concept did not start with Canonical.

Debian practices similar techniques.
http://wiki.debian.org/Root

Mackenzie said...

Like I said... "rubbish." The people making that claim say that when you assign a root password, you're *really* just changing it from the random one Ubuntu set to one you know. And they're wrong.

Also, "sudo -i" is often better since it uses root's environment.

Ian MacGregor said...

MacKenzie, I've been using Ubuntu since Warty was released and it's good to see others know what they're doing on this wonderful distro. Keep up the good work :)

Miraceti said...

Thank you very much for this explanation, I now understand how Ubuntu's root is as secure as possible.

alvare#ClrnD said...

The first thing I do after installing Ubuntu is "sudo passwd root"; you can't live without ever going root.

I also add:

Defaults insults
Defaults rootpw

to /etc/sudoers so that sudo always asks for the root password (and for it to insult me every time I typo :).
It sounds like the safer way for me.

But I definitely cannot live without the root account.

François said...

"you can't live without ever going root"

Why don't you just use "sudo su"? You become root, and you don't need a root password to do that.

Michael said...

The root field in my Jaunty /etc/shadow looks like this:

root:!:14335:0:99999:7:::

The man page for shadow suggests that an '!' is the same as a '*'.

But why is mine different? I haven't knowingly made any alterations from the default install.

Does it even matter?

alvare#ClrnD said...

WTF?
People are now looking for workarounds to avoid logging in as root?

Why?
And it's not even the same, when using scp to copy things from a computer to another, if you want to touch system files you need to use root@host (or when using sftp to browse remote files).

Also sometimes using X as root is useful, and you need an account for that.

But please, it's almost impossible to get cracked when downloading stuff from the internet, you almost always can read the source. Also when downloading some strange binary you can always run it from gdb or use strace to know what it is doing, or use some disassembly soft (except for obfuscated binaries, but I wouldn't run one as root).

So come on, Ubuntu should ask for a root password when finishing the install, but it doesn't in order to avoid confusing new users.

Mackenzie said...

alvare:
OK so I didn't go into the other advantages of sudo, but:

If you use root instead of sudo, you either have to change the password and make everyone learn a new one OR make someone forget the old one when you want to remove someone's access. Compare to removing someone from the "admin" group.

If you use sudo, there is an audit log, so you know which junior admin is the one that broke the config.

Also: what purpose does logging in at a GUI as root serve? Unless you want to get owned?

Mackenzie said...

Oh and use ssh keys. Keeps the "no password for the jerks to brute force" advantage while also letting you do that scp just fine.

Mackenzie said...

Michael:
Did you install an older version and upgrade, perhaps? I suspect that before the SHA-512 transition ! was used, and now * is used. That would make people who upgrade from Hardy or earlier have "!".

Michael said...

"Did you install an older version and upgrade, perhaps?"

That may be the answer though I honestly can't remember if this is an upgrade or not.

Thanks.

gnumber9 said...

So I suppose the tip is how to examine /etc/shadow... I had never heard the rumor that a backdoor existed.

Mackenzie said...

Well as a random password it wouldn't be a backdoor, because then it's not like the devs would know the randomly generated password either. However it would get rid of that nice "can't be brute forced" thing Ubuntu's trying to take advantage of.

bethlynn said...

I use on a daily basis "sudo bash."

It drops me into a root shell which takes away 90% of my desire for a separate root password. Root passwords are nice for when you want to lock down single user bootups though.

Rohit Saraf said...

Well it is not so..
I'm myself a GNOME developer.
They do not make a root passwd actually as root passwd is equally valuable to your passwd.. using a default passwd is security prone. :)

Anyways nice work!

regala said...

I guess it's a matter of choice. No solution is "better" than any other, it's the admin problem to make the environment best suited for himself.

Sudo comes with advantages that are undeniable, as grouping, letting people access root at HIS convenience, not theirs, without changing root passwd settings (being locked or not, being starred or not, etc...)
However, there are situations where not knowing root's passwd or trying to login root with a locked password, will drive you crazy, even amok :)
Example: LDAP is down, and no accounts work, you are from them people who fear SSH public keys, nfs automount is down, and you have no immediate physical access to the box: you can't do anything before getting to the box.

I know this is as extreme a situation as any admin could fear worse, but that already happened. And root being starred in that very case made people swear :)

Well, anyway, there's no reason to bitch at Canonical for this choice, which is as good as any other decent choice, considering that no "newly installed box" should be expected to be properly secured.

Thanks for the explanation, anyway, (while passwd -l doesn't do exactly the same thing, as it allows one to reset passwd to its previous value afterwards).

Mackenzie said...

Yeah, you can lock/unlock by inserting/removing a * or ! before the rest of the hash. If no password's been set, it's just the * or !.

Leslie Satenstein said...

One of the wonderful features of a gui environment, and in particular, is a root logon gui environment.

With a root gui logon, I can do a directory listing, mark the files I want to process, and process them. I either copy, move, delete or change properties. Since the file names do not follow patterns, in the terminal mode, the work takes 5 to 10 times longer, with more chance of error. Yes, definitely, more chance of error.

I hardly use UBUNTU because of the non-gui facility. I do have a root password and use root extensively via the terminal mode.

To have a root password for terminal use is a very simple operation. Email me if you want to know how. I won't post it here because the desire is to keep root password unknown.

Leslie Satenstein said...

Here is a second point to danger.
I have a system with one logon, so that one logon is also a sudo user / admin.

I share that common logon with others, and thus all the individuals who share my logon are also available to use the sudo command and root.

What is worse, I have not tried to see what happens if my logon requires no password. Will they have root, by demand?

Mackenzie said...

If all you want is a root file browser "gksudo nautilus" will do just fine, won't it?

And why on earth are you sharing your login credentials with other people? They can screw with your files! And well, of course you shouldn't be letting people you don't trust use your sudo user. Why not use the Guest Login feature if they just need to borrow it to check email?