4

It is a commonly accepted best security practice to disable remote root logins on *nix systems including Linux. Thus, in order to log in directly as root, you need to have physical access to a trusted console (in the case of many Linux systems, one listed in /etc/securetty).

As a consequence of the above, to gain root access remotely, you first need to break into an ordinary user's account, then additionally escalate to root access. In this case, the password on the root account only protects against a password-cracking attack on the root account, not any of the other multitude of possible ways for an attacker to escalate privileges.

Given that the system console should be physically secured anyway (even in most homes it's usually kept behind a locked door when unsupervised; many homes have burglar alarm systems installed; and even workstations in corporate locations are almost always either behind locked doors or in alarmed areas; servers even more so), and that if an attacker has physical access already file system permissions present barely an obstacle, why would the root account need a strong password? Couldn't we use a simple password for the root account more to protect against simple mistakes or casual attackers, than determined attackers?

user
  • 7,670
  • 2
  • 30
  • 54
  • This question was officially inspired by [Why does one need a strong password on Unix?](https://security.stackexchange.com/q/149768/2138) and particularly [George Bailey's answer to that question](https://security.stackexchange.com/a/149773/2138). – user Jan 30 '17 at 10:43
  • Do all ordinary users have strong passwords? It could also be a service that's exploited and then attacker elevates privileges to root. – domen Jan 30 '17 at 10:48
  • @domen I thought back and forth about including ordinary user accounts having strong passwords, but ended up deciding to make it a point for answers to make. (I'm not asking this question because I need to be told the answer *myself*, but rather because it came up as a genuinely separate variation of the other, linked question that complements it well.) – user Jan 30 '17 at 10:51
  • A root intrusion could be caused by a weak password, but may be more likely to occur from running a vulnerable service on the `root` account or other reasons. My comment was not clear, but I was thinking the question should be more like why to protect `root` in general, and why an intrusion on root is so much worse than non-`root`; and not to focus on the particular attack vector as much as the difference in damage. Anyway, that's just what I was thinking. – 700 Software Jan 30 '17 at 13:04

5 Answers5

2

If you follow the principle of least privilege and layered security you have to make sure that on each level of a system you implement strong security measures. At each level means you do not make any assumptions about how easy/difficult it might be for an attacker to get to that level in the first place.

When you write

As a consequence of the above, to gain root access remotely, you first need to break into an ordinary user's account, then additionally escalate to root access. In this case, the password on the root account only protects against a password-cracking attack on the root account, not any of the other multitude of possible ways for an attacker to escalate privileges.

you are perfectly right, but why do you say

only protects against a password-cracking attack

? A strong password eliminates this very attack vector even if there might remain other attack vectors to escalate privileges. The other attack vectors need of course to be taken care of as well.

kaidentity
  • 2,634
  • 13
  • 30
1

The root password is the protection to avoid that ordinary users can launch administrative commands. The only case where root password could be weak is if any user in the system (including daemon users like www or postgresql) can use sudo to gain administrative access with no password - or more precisely having a root password is more or less equivalent to that weird configuration

Because even normal sudo requires that the user:

  • has a normal password (daemon users usually have a reject all password)
  • know its own password

So if an attacker breach the security of an application and gain access to a non root user, he still will have to find a password to gain root access. And if the root password is weak it will be much simpler to pass that second barrier.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
0

In your question, you've only covered two areas - the physical aspect and the attacks from a normal attacker. If the attacker is more determined or better funded, it's safe to assume that he/she has access to more sophisticated attacks - maybe even undisclosed 0days. If your system is breached, as you said - there are still dozens of ways an attacker might be able to escalate his privileges, but why not try some easy passwords to escalate privileges? (I love an MD5 that starts with 5f4d.. :))

Also, many users (even security conscious administrators) tend to reuse passwords. That's a well known fact. By requesting that the root account have a complex password, you're reducing the chances of the administrator wanting to type that string out again into other applications, that might not store the passwords safely. This sort of reduces the chance of password reuse.

As someone in the linked answers already mentioned - you could simply attack the user in a bunch of different ways (let them download a backdoored binary, MITM their traffic and then attempt to login to an alternate account created by the same user, create a malicious application (yes, this sounds far-fetched, but - hey.)

I'll put my head on the chopping block - In most of your cases, I don't think you need to really worry about your root password. If you're confident about the rest of your security habits, then no one can stop you from using password123# (but just send me a link to your server :P)

thel3l
  • 3,384
  • 11
  • 24
  • since 5f4d.. = ? – Roger Jan 30 '17 at 13:12
  • @Rogier - that's how the md5 for the string `password` starts :) – thel3l Jan 30 '17 at 13:20
  • lol thanks, didn't check it but thought something like `toor` maybe :-) – Roger Jan 30 '17 at 13:49
  • "but why not try some easy passwords to escalate privileges?" - how attacker does that? answer is probably long, so can you give some link? using sudo or su? what programs other than sudo and su ask for password? cannot they distinguish password typed from local physical keyboard? it is possible to put command line arguments into shell_exec in php, but password is typed after the program runs, can the password also be provided somehow from inside php? – qdinar May 29 '21 at 07:30
0

There is a legal aspect to this too. If your server did get breached, and in the subsequent investigation it was found that your root password was weak, it's possible that any penalties imposed would be increased, due to a perceived lack of due diligence, even though, as previously noted, the actual risk is minimal. It's a similar reasoning behind security issues, both on computers and otherwise: the risks from having server passwords written down in a secured room which has fully enforced restricted access are minimal, but if you keep them on a desk in there, rather than in a locked box/drawer, you might find that audits pick up on it.

Even if the legal risk didn't apply, there are similar arguments for the potential reputational aspects. Most people reading this site know that the actual risks are minimal, given the other precautions being correctly implemented, but they're in the minority. Consider that it's fairly well known that for a long time the nuclear launch codes for the USA were "00000000", but getting access to a system which allowed you to enter those wasn't trivial - reports on this tended to focus on "look at the really easy to guess password" rather than "if you got hold of the appropriate access, from a tightly controlled network, and convinced the duty staff that you were authorised, and had the appropriate previous credentials, you could launch a missile by pressing and holding 0".

Matthew
  • 27,233
  • 7
  • 87
  • 101
  • What is the criteria for weak passwords? Any standard you van measure against? – Roger Jan 30 '17 at 11:40
  • Very debatable. "Password1" is probably weak. "BN&^G76gh8nfw9ehdsjkh9*&^%3" is probably strong. Somewhere in between is a cutoff point, but it would depend on the system where that point fell. For a bank, it's probably higher than for a personal blog... – Matthew Jan 30 '17 at 11:42
  • Well. Thats my point, from a legal point I mean. Unless it's specified ( min chars, numbers, letters, etc). – Roger Jan 30 '17 at 11:46
  • 3
    In a lot of legal systems which are currently used, it doesn't matter - they rely on having an expert say "it's weak" or "it's strong". That's a fairly sensible method, since it automatically updates as time moves on, unlike a fixed definition. For an example of the contrary position, look at how the South Korean banking industry was stuck on unsupported versions of IE due to a law specifying the use of a specific technology. – Matthew Jan 30 '17 at 11:56
  • Aha, thanks for explaining! Didn't realise that at the end its just a 'judgement' call by the expert. Especially since there is a relationship between timestamp (of breach) and the cracked passwd. – Roger Jan 30 '17 at 13:11
0

There is an alternative where you do not need that strong password: lock the root account.

In that case, you could get away with not setting a strong password for that account. In reality, I would probably do both, because it doesn't require much effort.

See https://askubuntu.com/questions/20450/disable-root-account-in-ubuntu for a discussion about this.

In general, it makes more sense to see what sudo can do for you, than it does to provide the ability to su - root.

One key area where this is important is auditing: with sudo (even if someone runs sudo -i or sudo su - root), you can still get information about the actual user doing all this (recorded by auditd as the AUID).

Community
  • 1
iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24