3

In Linux there is a way to reset the root password; why is this allowed?

Anyone having access to the physical machine can change the root password, without knowing it.

Is there is a way to protect against this?

7
  • 1
    Suppose you had a system where you could not change the root password but someone watched you type it in so you needed to change it. What would you do then? Would you format the drives and install a new instance of the operating system? Wouldn't it be easier to change the root password? Commented Mar 31, 2017 at 13:35
  • 1
    Rather than ask a "why is this allowed" question, it is better to ask "how do I keep users with root access from changing the root password." I understand the challenges if you are posting to a site in a language that is not your native one. There are many legitimate reasons to change the root password, as @DrEval has already suggested. As far as the physical access point, if the attacker has physical access to the machine there is not much chance of stopping them. Slowing them down is possible, but nothing is "completely secure". Commented Mar 31, 2017 at 13:44
  • Anyone having physical access can change the root password; is there a way to [prevent] this? Yes: either don't let them have physical access, or don't use computers. Commented Mar 31, 2017 at 14:20
  • 5
    @0xSheepdog What the original poster obviously means is why can anybody with physical access to the machine change the root password without even knowing the root password. Commented Mar 31, 2017 at 16:47
  • 2
    Anyone having access to the physical machine... can simply remove the [unencrypted] hard drives and take them, copy all the data off using a different computer, then possibly return your hard drives without anyone even knowing. This makes it a trivial matter for anyone with physical access to change the root password without knowing it, and the problem lies not with Linux allowing this to happen but with poor physical security. After that, if your physical security and restricted access are not enough, then you need disk encryption as mentioned below. Commented Mar 31, 2017 at 21:21

4 Answers

5

Because physical tampering is extremely difficult to guard against.

There is always a tradeoff between security and convenience.

Physical access makes software-level protections impossible to enforce.

So, why inconvenience the user? You won't stop a hacker anyway.

  1. If it's a hacker who has physical access, you won't lock them out just by telling them "sorry, you don't have the password," and
  2. If it's the legitimate user of the computer, you will make things much harder for them by refusing to let them reset the password.

To protect against this:

Don't allow untrusted people to physically access your computer.

Yes, you can encrypt your disks. But if you routinely allow untrusted people physical access, it's game over anyway.

4

Linux allows resetting the root password if you have root access because there's no way to prevent it nor any reason to prevent it. Root access means that you have the permission to do everything. Everything includes changing the root password. You don't need the root password to change the root password, only to gain access to the root account — and if you have access to the root account in a different way then you can change the root password because, once again, root can do everything.

There's no way to protect against this because it would be a logical impossibility. If you can do everything, you can change the root password. It's obviously possible to give someone limited access that doesn't allow them to change the root password, but then they wouldn't have root access, they'd just have an unprivileged account.

Linux itself does not normally allow gaining root access if you have physical access. That's a feature of the bootloader: it allows someone who has access to the console at boot time to request a special recovery mode, and depending on how this recovery mode works, it might allow root access without authentication. Recovery mode works by instructing Linux to start a different set of programs during startup compared with the normal startup (the normal startup includes a lot of services, including a login prompt); the most “extreme” recovery mode is to add init=/bin/sh to the kernel command line, which instructs Linux to run a root shell on the console and nothing else.

Recovery mode can be disabled, or password-protected. This way someone with console access will not have root access unless they can authenticate. This can be bypassed by changing the BIOS configuration, so in order to be an effective protection, you also need to lock down the BIOS configuration (prevent changing the boot device or changing the BIOS configuration without entering a password).

This is enough protection against someone who can access the keyboard, but not against someone who can physically access the computer itself. They can pull out the hard disk, mount it on another machine and examine and change the files at their leisure. If you want to protect against that, no password check will help you: your software isn't running. You can protect against this by encrypting the hard disk. Then, in order to reboot the system to access it, the attacker would have to know the password for the encryption (or insert the smartcard with the encryption key). The practical downside of this is that someone has to type the encryption password or insert the card: you can't have useful encryption and unattended boot.

1
  • It might benefit from some well-placed emphasis, though. Commented Apr 1, 2017 at 0:56
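The answer above recommends password-protecting the bootloader so console access alone no longer yields a root shell. As an added example (not code from the answer or its author), this script audits a GRUB 2 `grub.cfg` for that: it assumes the real GRUB 2 directives `set superusers`, `password_pbkdf2` and the `--unrestricted` entry flag, and both sample configs are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 config for console protection as described
# in the answer. Returns 0 only when a superuser is declared and a hashed
# (pbkdf2, not plaintext) password is set; otherwise lists what is missing.
grub_audit() {
    cfg="$1"
    missing=""
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" || missing="$missing superusers"
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" || missing="$missing password_pbkdf2"
    # A plaintext "password user secret" line is no protection if grub.cfg is readable.
    grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg" && missing="$missing plaintext-password"
    if [ -n "$missing" ]; then
        echo "unprotected:$missing"
        return 1
    fi
    # Entries marked --unrestricted boot without a prompt (unattended boot keeps
    # working); editing the kernel line or any other entry still needs the password.
    open=$(grep -Ec '^[[:space:]]*menuentry .*--unrestricted' "$cfg" || true)
    echo "protected (unrestricted entries: $open)"
    return 0
}

SAMPLES=$(mktemp -d)

# Constructed default-style config: anyone at the console can edit the
# kernel line (e.g. add init=/bin/sh) and get an unauthenticated root shell.
WEAK_CFG="$SAMPLES/weak.cfg"
cat > "$WEAK_CFG" <<'EOF'
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
EOF

# Constructed hardened config; the hash is a placeholder, a real one comes
# from grub-mkpasswd-pbkdf2.
GOOD_CFG="$SAMPLES/good.cfg"
cat > "$GOOD_CFG" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
menuentry 'Linux (recovery mode)' {
    linux /vmlinuz root=/dev/sda1 ro single
    initrd /initrd.img
}
EOF

grub_audit "$WEAK_CFG" || true   # expected: unprotected
grub_audit "$GOOD_CFG"           # expected: protected
```

As the answer notes, this only covers the keyboard: BIOS settings still need their own password, and disk encryption is what covers a removed drive.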
1

In Linux there is a way to reset the root password; why is this allowed?

That statement isn't correct. This is true of many GNU/Linux distributions, due to a design choice; it is not true of the Linux kernel as such.

You can build a Linux-based device that resists tampering even with physical access. That's the idea behind, oh, an Android phone or tablet.

A desktop or laptop Linux machine can be given a measure of protection against tampering by using an encrypted disk volume for the installation. Each time you boot, you have to give the correct password to mount the root filesystem. (Thus being able to control the boot process, like with custom kernel parameters, won't give you access to the machine).

0

Encrypt your disks to avoid tampering and overriding of passwords in a chroot. Many (or most) distro installers offer to encrypt disks nowadays.

Clearly, if you lose the disk password, the disk is bricked and there is absolutely nothing you can do.
