Questions tagged [root]

76 questions
102
votes
13 answers

Why is root security enforced but $HOME typically unprotected?

Coming from the comments in this question Why is it bad to log in as root?: The sudo mechanics is in use so non-administrative tools "cannot harm your system." I agree that it would be pretty bad if some github project I cloned was able to inject…
phil294
  • 1,032
  • 2
  • 6
  • 11
65
votes
4 answers

Are most Linux systems that allow non-root users to execute code straightforwardly rootable?

long story short if you can execute code on a box it is usually straightforward to get root (quote source) The immediate implication of this quote (if it's accurate) is that if you're running a multi-user system and don't try your darndest to…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
35
votes
8 answers

Why do companies not give root access to employees on their desktop machines?

Why do companies typically not give their employees root access to their desktop machines that are only used by a single employee? If what I can do on my machine poses a threat to the rest of the network, isn't a security flaw in itself? Why would…
Bananach
  • 477
  • 1
  • 4
  • 5
33
votes
2 answers

Ability To Change Root User Password (Vulnerability?)

I am studying for my RHCSA exam, and one of the topics is the ability to "change a forgotten root user password." This is an official exam objective and even has official Redhat documentation. How is this not a glaring security vulnerability?…
Tobin Shields
  • 662
  • 1
  • 8
  • 12
11
votes
1 answer

Docker runs container processes as root - should I be worried?

I am running a (QNAP) NAS with Docker functionality ("containerstation"). I thought it would be a lot safer to install apps via containers instead of apps from the store (or 3rd party stores). Many packages are outdated in their official store and…
Critical joe
  • 193
  • 1
  • 2
  • 9
8
votes
3 answers

How do I create an invisible and persistent user on linux?

For my software security class we are required to hack into a server created by our professor. I have hacked into the server, and have the password for the root user. Now that I am root, I would like to ensure I have persistent access to the…
8
votes
3 answers

Difference between root login and passwordless sudo

Cloud images of some popular operating systems do not let the user to log in as root, yet they use a very standard user name (for example ec2-user, ubuntu) and allow these users to use passwordless sudo. What is the reason for this choice? Is it…
Julian
  • 83
  • 3
7
votes
2 answers

/opt and sudo unzip to /opt, is it safe?

Usually we place things in /opt so they are owned by root but normal users can execute them. This prevents normal users modifying the binaries so they cannot execute arbitrary stuff. However, to put things there using sudo unzip something.zip -d…
Guerlando OCs
  • 405
  • 4
  • 14
6
votes
1 answer

Is android keystore still vulnerable if root access is received?

I studied this paper - http://www.cs.kun.nl/~erikpoll/publications/AndroidSecureStorage.pdf which states that if attacker has root access to the device it's easy to use keystore keys with another (hacker's) application. Is it still the case? I am…
Mykolas777
  • 61
  • 4
5
votes
2 answers

Preventing users from bypassing root/jailbreak detection measures

A pentest was made to our mobile app (Android and iOS version) and we received feedback stating that jailbreak/root detection was ineffective because it was relatively easy to reverse engineer the application and change the return value of the…
Victor
  • 189
  • 1
  • 6
5
votes
1 answer

Gaining root access on an Android phone exploited with MetaSploit

I have been using MetaSploit for a while (3 years), and I have just started exploiting Android. My Android has root access, and SuperSu is configured to 'grant' all SU requests. I have the payload installed on my phone, but, whenever I try to use…
Python
  • 111
  • 2
  • 2
  • 7
5
votes
1 answer

Harden root remote access

I'm trying to find a good method for hardening a server while allowing automated remote management via ssh (ansible). The popular choice is login with a normal user and then use sudo, but this has some problems: Passwordless sudo: this is a no-no.…
4
votes
1 answer

How can a bad process obtain root by waiting for a user to run a command as sudo?

A comment on this answer states: The whole linux desktop provides very little protection against bad processes running as the user. A bad process could just watch the keyboard input and wait for the user to run a command as sudo. The bad process…
Primusa
  • 143
  • 4
4
votes
1 answer

How to add a custom CA to androids trusted root system folder

As of Android 7.0 no custom certificate will be used by android apps. App developers need to specifically write codes and change app settings to follow a custom CA. But this is difficult while testing for certificate pinning in a UAT environment.…
Anonymous Platypus
  • 1,392
  • 3
  • 18
  • 33
4
votes
1 answer

How to properly protect /home with separate user accounts on Linux

A great quote from this InfoSec stackExchange thread. The way to prevent malicious code from damaging files in your home directory is to not run it using your account. Create a separate_user that doesn't have any special permissions and run…
stackinator
  • 141
  • 2
1
2 3 4 5 6