Wikipedia:Reference desk/Archives/Computing/2020 September 24
Appearance
Computing desk | ||
---|---|---|
< September 23 | << Aug | September | Oct >> | September 25 > |
Welcome to the Wikipedia Computing Reference Desk Archives |
---|
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages. |
September 24
[edit]No root account in Fedora 32?
[edit]I recently upgraded from Fedora 26 to Fedora 32. As I have separate partitions for /
, /boot
, /boot/efi
and /home
, all I had to do was tell Fedora to reformat the first three and leave /home
as it is. I have full access to all my old personal files.
But I found out that Fedora never asked me for a root password, only for a personal password. I tried su
both with my personal password and my old root password, neither worked. However I am able to use sudo
for administrative tasks.
What has happened here? Has Fedora abandoned the concept of a separate root account and forced users to use sudo
? JIP | Talk 13:33, 24 September 2020 (UTC)
- I run Fedora version 32 (Server Edition) as a VM under CentOS and there certainly is a root user. IIRC, you have to fiddle a bit to bring it under control, I think the idea is that if you don't know how then you shouldn't do it! Have you tried
sudo passwd root
to set the root password, orsudo bash
to get a shell? Martin of Sheffield (talk) 14:21, 24 September 2020 (UTC)
- There is still a root account but generally sudo is preferred. Modern sshd's are usually configured to not allow logging in as root using a password (you have to use an ssh private key instead). There is a config parameter that lets you enable password login but I'd advise against it for obvious security reasons. 2601:648:8202:96B0:0:0:0:DDAF (talk) 18:55, 24 September 2020 (UTC)
- I don't know how Fedora 32 handles it, but for many distros, the root password is required when booting into rescue mode, and that will really trip you up if you've been using sudo with your user password up until that time. I have no idea what my root password is, but I think it is tucked away in a password manager database. You may want to test rescue mode to see how it behaves. Also,
id root
will tell you about the root account, which undoubtedly exists. Also,sudo -i
is the best way to get an interactive shell as root. Elizium23 (talk) 19:02, 24 September 2020 (UTC)- You learn something new every day! Having been using and running *nix for 25 years you get used to doing things the "old school" way. Martin of Sheffield (talk) 07:58, 25 September 2020 (UTC)
- I don't know how Fedora 32 handles it, but for many distros, the root password is required when booting into rescue mode, and that will really trip you up if you've been using sudo with your user password up until that time. I have no idea what my root password is, but I think it is tucked away in a password manager database. You may want to test rescue mode to see how it behaves. Also,
- root is just the user account with ID 0. As noted, sudo is fancier and makes it easier to do things in a more secure fashion, so it's generally the preferred way of doing things on modern systems, but the only way Fedora could "force" you to use sudo would be to go in and massively rewrite huge parts of the Linux kernel so it somehow forced you to use sudo. sudo runs things as root by default, same as su, so you could just go in and edit /etc/passwd by hand if you wanted, though you should use passwd and friends instead so you can't accidentally mess the file up and bork your system. sudo doesn't ask you for a password if your account is set to not require a password in the sudoers file; you can change that if you want (check sudo's docs). --47.146.63.87 (talk) 20:39, 24 September 2020 (UTC)
- In other distros, for example, Ubuntu, the root account is locked by default, and so yes, you do have to use
sudo
rather thansu
or login. Elizium23 (talk) 20:48, 24 September 2020 (UTC)- The "lock" is just, I believe, generating a random password for root rather than prompting you to set one as part of the installation. I think Fedora does the same thing. This is mainly so people don't set a crappy root password and then get their system pwned by unknowingly running something malicious or exposing sshd with root password login enabled, allowing something to guess the root password and rootkit their system. In "standard Unix", there's just root (the superuser) and everyone else; there isn't a capability-based security model. All privileged files are owned by root, and "sysadmin" programs like sudo, passwd, etc. are setuid so they always run with effective uid 0 regardless of who runs them. The standard install for Fedora, etc. gives your account full root access in sudoers, and sudo doesn't ask for the root password, but your user password (or none at all if you have
NOPASSWD
set). This is how you can run anything as root despite not knowing the root password. I understand not everyone is a programmer so my point might be kind of unclear; there isn't really a way to "shut off" root in a standard Unix system. If you're uid 0, you're root. su is just the real old, blunt-instrument way of opening a root shell, going back to the original good old days of teletypes and long hair and bell-bottom jeans. sudo does everything su does and way more, including, as you note, opening a root shell withsudo -i
. The difference is sudo access is controlled by the sudoers file, while su asks for the root password. --47.146.63.87 (talk) 21:46, 24 September 2020 (UTC)- No, there is actually a method in the
/etc/shadow
file that locks accounts, and the root account is locked by this method. I don't know what password is or is not assigned to it. Elizium23 (talk) 22:05, 24 September 2020 (UTC)- Oh, right, thanks for the reminder. See man 5 shadow; you can lock and unlock accounts with passwd. But yeah, that only affects trying to log in as that user. Just saying this because tone doesn't come across well in text: I didn't mean anything in a hostile manner. Just wanted to describe some things in more detail for anyone interested. --47.146.63.87 (talk) 00:26, 25 September 2020 (UTC)
- I am not certain, but I think this is what Fedora has done. It has set the root password to some random thing I don't know or am even supposed to know, but it has also automatically made me a sudoer, so I can use
sudo
to do administrative tasks with my own password. This kind of makes sense. JIP | Talk 01:28, 25 September 2020 (UTC)- It's probably not set to a random password, but an impossible one. Remember that /etc/passwd doesn't store passwords but hashes, so it would be stored as something which is not a hash of any password (I think usually an asterisk "*" is stored instead of a hash). You could generate a real password hash and change /etc/passwd to reflect it and then possibly you'd be able to login as root, if you can remove other obstructions mentioned. You might have to boot from another system (such as a live CD) to access /etc/passwd w/o a root shell. 93.142.121.167 (talk) 23:01, 26 September 2020 (UTC)
- No, there is actually a method in the
- The "lock" is just, I believe, generating a random password for root rather than prompting you to set one as part of the installation. I think Fedora does the same thing. This is mainly so people don't set a crappy root password and then get their system pwned by unknowingly running something malicious or exposing sshd with root password login enabled, allowing something to guess the root password and rootkit their system. In "standard Unix", there's just root (the superuser) and everyone else; there isn't a capability-based security model. All privileged files are owned by root, and "sysadmin" programs like sudo, passwd, etc. are setuid so they always run with effective uid 0 regardless of who runs them. The standard install for Fedora, etc. gives your account full root access in sudoers, and sudo doesn't ask for the root password, but your user password (or none at all if you have
- In other distros, for example, Ubuntu, the root account is locked by default, and so yes, you do have to use