
Debian root account

Root access to a system is a serious issue. Anyone who knows the root password can do great damage, and the more people who know it, the greater the chance of the password getting into the wrong hands. To avoid this problem, the sudo package provides the ability to run commands as if one were the root user (including, if desired, a shell with full root permissions) without requiring the root password, only the user's own password and proper authorization. The advantage of this is that authorized commands are logged with the user's ID, providing an audit of who actually performed the command.

When sudo is used on a system, the only remaining use for the administrator password is when the system is booted into maintenance (single user) mode. Most Linux distributions, including Debian, require the root password before providing the root shell prompt in single user mode. However, this requirement can be bypassed in several ways by someone with access to the physical console. Therefore, many administrators completely disable the root password. When this is done, booting into maintenance or single user mode no longer prompts for the root password.

By disabling the root password completely, root-level access to the system via any method other than sudo, other programs that provide root privileges to normal users (also known as setuid programs), or via boot into single user mode is not possible. Note that, since booting into maintenance mode no longer requires a password, physical access to the system console must be controlled in some other way. This may be done by physical means, by requiring a password for the system boot via BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface), or by password protecting the GRUB or other system boot loader.

Best practice is to disable the root account login completely. Ubuntu now does this by default, and Debian is moving in that direction. Make sure you either restrict physical access to the console or password protect the boot process.
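One way to check both conditions is sketched below. This is an added example, not code from the original page; the function names are hypothetical, the sample data is constructed, and it assumes the standard shadow file format and a GRUB 2 configuration that uses `set superusers` with a `password` or `password_pbkdf2` entry.

```shell
#!/bin/sh
# Added example (not from the original page). Files are passed as arguments
# so the checks can run on copies; the live /etc/shadow is readable by root only.

# Classify the root password field in a shadow-format file.
root_pw_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # login with no password
            else if ($2 ~ /^[!*]/) print "locked"   # no password can match
            else                   print "set"      # usable hash present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Succeed if a GRUB 2 config names superusers and defines a password entry.
grub_pw_protected() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# audit SHADOW_FILE GRUB_CFG -> one-line verdict on stdout
audit() {
    state=$(root_pw_state "$1")
    if [ "$state" != locked ]; then
        echo "FAIL: root password is $state"
    elif grub_pw_protected "$2"; then
        echo "OK: root locked, boot loader password set"
    else
        echo "WARN: root locked, no boot loader password; control console access another way"
    fi
}

# Constructed sample data: root locked, GRUB config without a password.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:!:19700:0:99999:7:::' \
        'alice:$y$j9T$constructed$placeholder:19700:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'set timeout=5' 'menuentry "Debian" { linux /vmlinuz }' > "$d/grub.cfg"
    audit "$d/shadow" "$d/grub.cfg"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; else demo; fi
```

Run it as root with `/etc/shadow` and the generated GRUB configuration (usually `/boot/grub/grub.cfg` on Debian) as the two arguments. A `WARN` result is acceptable only where console access is controlled physically or by a firmware boot password, which the script cannot see.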

The /etc/sudoers file and files in the /etc/sudoers.d directory are where sudo access is configured. The details are provided in the sudo package documentation. Briefly, access to commands can be allowed or restricted by individual user, group members, or even lists and can allow access to commands depending on the remote host from which the user is accessing the system.
