
Changing root's password - Linux / Unix Administration


  1. #1

    Changing root's password

    I just noticed on a new Linux system that we got at work that if you
    try and change root's password as root, it does not ask you for root's
    current password before allowing the new one to be entered. I thought
    this might be something with Linux until I realized that our Solaris
    servers are the same way. Is there a reason for this? It seems
    terribly unsecure. Of course people should be either only logged in
    as root when necessary or locking their workstations, but still.


    -Ken


    Ken Guest

  2. #2

    Re: Changing root's password


    Ken wrote: 

    As root is already all-powerful, it's difficult to prevent him from
    making direct modifications on the password database (/etc/passwd,
    /etc/shadow, or the more sophisticated password management systems like
    PAM).

    Basically, if you have gained root access, then there's no effective
    block against root's updating the password, and thus it is redundant and
    unnecessary to validate root's current password.


    --

    Lew Pitcher, IT Consultant, Enterprise Data Systems
    Enterprise Technology Solutions, TD Bank Financial Group

    (Opinions expressed here are my own, not my employer's)
    Lew Guest

  3. #3

    Re: Changing root's password

    On Wed, 27 Oct 2004 19:00:01 +0000 (UTC), Ken <org> wrote: 

    I'm not sure how it would be insecure if, to be root, you need the password
    already.
     

    Think of the failure modes, though. In order for this to be a problem,
    a sysadmin would have to log in as root and walk away from an unsecured
    screen. If they do that, changing of root passwords is the _least_ of
    their problems.

    sudo is a good way to grant root access without giving out root passwords,
    but that wasn't your question.

    Dave Hinz

    Dave Guest
