Safely Use Root Commands
This page gives tips on using sudo
/ root (privileged) commands safely. The root account is a special user account in Unix-based operating systems that has complete access to all files and commands on a system. It is typically used only for system administration tasks that require unrestricted access.
Introduction[edit]
Learn why 'root' is important, what it is used for, and how to use sudo
/ root (privileged) commands safely.
Rationale for Protecting the Root Account[edit]
What is the point on a typical single user Linux desktop computer of separating privileged administrator account (called root
account) and limited user accounts (such as for example user user
)?
It is assumed that most desktop computer users are single user computers. I.e. computers being used by only one person. Rather it is assumed that most users are only using a single login user account which will be referred to as user user
.
Quote xkcd authorization:
If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.
Quote user discussion:
Most people will consider their home directory as more important than root dirs
Once a malicious program has access to my home folder, I don't care if it also has access to the admin content
This is true for most users using single user computers, using only one user account and no virtual machines. As a counter measure this is why this documentation recommends compartmentalization, that is, running different activities in different virtual machines or even on different hardware.
The rationale of prevention of root compromise has the following goals: [1]
- Protect the host operating system: If using virtual machine (VM): It is much less likely that malware will break out of a virtual machine if it does not have root access within the VM. [2]
- Protection from rootkits: Root access allow malware to install rootkits, which can be very difficult to detect and remove.
- Protect the virtualizer: It is harder to attack the virtualizer without root access. (Applies only when using virtual machines.)
- Protect the hardware: A compromised host operating system might result in malware infecting the hardware, i.e. malware could install a persistent hardware backdoor (such as in BIOS or other firmware) surviving even re-installation of the host operating system. In many cases, root access is required before hardware can be attacked. [3]
- Protect against compromised non-root users: it is harder for potentially compromised non-root users (such as
www-data
) to access useruser
or other parts of the system. This is important when considering that even single-user systems have many system-level user accounts. - Sandboxing: Sandboxing applications can prevent applications getting exploited by attackers [4] or limit the severity of the exploit since if sandboxing is successfully, malware will be trapped inside the sandbox. Sandboxing is a lot harder, less efficient or even impossible when applications are running as root. See also AppArmor,
apparmor.d
(Full System AppArmor Profile) and sandbox-app-launcher.
Kicksecure implements various security hardening to Enforce Strong Linux User Account Isolation.
Once proposal user-sysmaint-split - Multiple Boot Modes for Better Security has been implemented there will be a strong guidance for users to better separate their limited (everyday use) account (user
) and administrative account (sysmaint
). This would result in a robust Prevention of Malware Sniffing the Root Password.
Default Passwords[edit]
The default passwords for Kicksecure are:
The default root account is locked (or should be locked). [6] This is a purposeful security feature -- see below for further details.
Users can change or set a password for security reasons if this is useful in their case based on this Information.
Running with Root Access[edit]
Run with Administrative Rights[edit]
To run an application with root rights.
1 Use a privilege elevation utility to run commands as root.
Note: Replace command
with the actual command.
- command line interface (CLI): sudo command
- graphical user interface (GUI): See Graphical Applications with Root Rights.
2 Password entry.
If a password has been configured, the utility will prompt for it.
User Password versus Root Password[edit]
Tools such as sudo and lxsudo prompt for the user's password. This is different from the root password.
Security and Best Practices[edit]
General Security Advice[edit]
Commands that require root permissions should be run individually using sudo
. In all cases:
- Do not login as root.
- Do not run
sudo su
.
Inappropriate Use of Root Rights[edit]
Do not think of root as a shortcut to fix issues.
Inappropriate Use of Root Rights:
- Can cause additional non-security related issues. [7] Related is also later chapter Graphical Applications with Root Rights.
- Risks harmful code being run as root.
Graphical Applications and Root Rights[edit]
1 Do not run graphical user interface (GUI) with sudo
!
It is discouraged to run graphical user interface (GUI) applications with sudo gui-application
.
- Never login as
root
as explained above. - This includes, never use
sudo su
and then start GUI applications.
Doing so would be an Inappropriate Use of Root Rights. That would fail in many cases and is a limitation inherited from Debian. If this action is attempted, error messages like those below will appear. [8]
No protocol specified
cannot connect to X server :0
2 If there is a legitimate reason to start GUI applications with root rights, use lxsudo
instead. [9] Syntax:
lxsudo application-name
For example to start the partition manager gparted
by default with root rights.
lxsudo gparted
3 To edit files which can only be edited with root rights. Use the following syntax.
Note: Replace /path/to/file/name
with the actual path to the file.
Open file /path/to/file/name
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit /path/to/file/name
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /path/to/file/name
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /path/to/file/name
For example:
Open file /etc/default/keyboard
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit /etc/default/keyboard
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/default/keyboard
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/default/keyboard
Polkit PolicyKit pkexec for GUI applications[edit]
Use of Polkit (formerly PolicyKit) (pkexec
) might also be appropriate for running GUI applications with root rights. Usually such applications should have desktop shortcuts or wrappers which make use of pkexec
. There are no (or rare) known cases where users need to run pkexec
on the command line.
Wayland[edit]
Running GUI applications as root (lxsudo
, sudo --set-home
, pkexec
will be more difficult once Kicksecure has been ported from X11 to Wayland. This is because Wayland requires applications to access $XDG_RUNTIME_DIR/$WAYLAND_SOCKET
to open GUI windows. [11] You may run into this when using Other Desktop Environments using Wayland.
The following command should work to run Wayland applications as root in most instances. Replace application-name
as appropriate:
sudo XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR application-name
Root Account Management[edit]
Enable Root Account[edit]
For security reasons the root account is locked and expired by default in Kicksecure 15.0.0.3.6
and above. For most users there should be no need to use the root account. If it must be enabled for some reason, run the following commands.
(Kicksecure for Qubes: Kicksecure Template)
If you can use sudo
, you can skip the following box.
If you cannot use sudo
:
- Kicksecure: Boot into recovery mode.
- Kicksecure-Qubes: Open a Qubes Root Console.
1 Unexpire the root account.
sudo chage --expiredate -1 root
2 Set a root password.
According to the Change Password instructions. Note: These instructions are for the user user
account. Replace user user
with root
.
Disable Root Account[edit]
Earlier versions of Kicksecure (version numbers lower than 15.0.0.3.6
) come with the root account enabled by default. Most users should disable it by running the following commands.
(Kicksecure-Qubes: Kicksecure Template).
Lock the account.
sudo passwd --lock root
In the future, use sudo
instead when it is necessary.
Avoid Root Login[edit]
Should the user login as root
? No. See footnote for rationale. [13]
Kicksecure is an Implementation of the Securing Debian Manual. This chapter has been inspired by: Securing Debian Manual, chapter Using su
Troubleshooting[edit]
Permissions Fix[edit]
After inappropriate use of root rights, attempt to fix:
Open a terminal.
If you are using Kicksecure inside Qubes, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Kicksecure App Qube (commonly named kicksecure)
→ Xfce Terminal
If you are using a graphical Kicksecure with Xfce, run.
Start Menu
→ Xfce Terminal
Run the following command to reset permissions of user user
's home folder /home/user
back to owner user
and group user
.
sudo chown --recursive user:user /home/user
Reset User Account Password[edit]
The following steps can be used in case the password has been forgotten and needs to be reset.
1 Launch a root terminal.
- Kicksecure: Boot into recovery mode.
- Kicksecure-Qubes: Open a Qubes Root Console.
2 Notes.
- This process will be similar to the change password wiki chapter which is recommended to read as it contains instructions / links on how to change and test the keyboard layout.
- This is unspecific to Kicksecure. It should be a very similar process on Debian or most other Linux distributions. It can also be resolved as per Self Support First Policy.
3 Set a new password.
Run the following command.
sudo passwd user
4 Reboot.
sudo reboot
5 Done.
The process of password reset has been completed.
Unlock User Account: Excessive Wrong Password Entry Attempts[edit]
The following steps can be used in case the user entered the wrong password too many times, which resulted in the user account being automatically locked. (This is related to security feature Bruteforcing Linux User Account Passwords Protection.)
1 Launch a terminal that can run commands as root.
If you cannot login anymore, see the bullet points below:
- Kicksecure: Boot into recovery mode.
- Kicksecure-Qubes: Open a Qubes Root Console.
2 Run the following command.
Note: Replace user
with the actual name of the user that you wish to unlock.
sudo faillock --user user --reset
3 Done.
Unlocking of user account has been completed.
Console Unlock[edit]
1 Launch a root terminal.
- Kicksecure: Boot into recovery mode.
- Kicksecure-Qubes: Open a Qubes Root Console.
2 Run the following command.
Note: Replace user
with the Linux user account name which should be allowed to login on the login console.
sudo adduser user console
Advanced Users[edit]
Prevent Malware from Sniffing the Root Password[edit]
Rationale for Separate sysmaint Account[edit]
If Linux user account user
is compromised, malware can easily steal the administrative ("sudo
") password. [14] Therefore it is more secure (rationale) to perform administrative actions such as running sudo
from a separate sysmaint
account that is less likely to get compromised, since this reduces the chances of malware sniffing the password to escalate to administrative ("root") access.
The basic concept is a separation of the following users:
- user
user
: Perform everyday actions such as running web browsers. - user
sysmaint
: Perform system maintenance administrative actions such as installing additional packages.
Questions and answers:
- Is running applications such as browser under user
sysmaint
less secure? Yes, that defeats this concept. - Is running applications such as browser under user
user
more secure? Yes, because it becomes harder for malware to perform privilege escalation attacks to gain to administrative ("root") access. - What is so bad about malware escalating to administrative? See rationale.
- Why use user
sysmaint
and not simply theroot
user? See Avoid Root Login.
This process is currently for advanced users only since it is quite cumbersome, i.e. has bad usability. The usability of this will be improved once proposal user-sysmaint-split - Multiple Boot Modes for Better Security has been implemented.
Overview of Steps[edit]
To more securely perform administrative tasks that require root access, see the following overview steps below. Detailed technical steps are available further below.
- Prerequisite knowledge: how to switch to a different virtual console, usage of the SysRq key and login spoofing.
- These instructions are ideally applied after installing the host / VM when it is still considered free of malware.
- Create a new user account
sysmaint
. - Add it to the group
sudo
. - Login as user
sysmaint
. - Remove user
user
from groupsudo
. - Only then perform administrative tasks according to the instructions below.
Detailed Steps[edit]
This setup only needs to be completed once.
1 Platform specific notice:
- Kicksecure: No special notice.
- (Kicksecure-Qubes: Kicksecure Template)
2 Create a new user account sysmaint
.
sudo adduser sysmaint
3 Add user sysmaint
to group sudo
and console
.
sudo adduser sysmaint sudo
Allow login into login console.
sudo adduser sysmaint console
4 Perform the following steps securely using sudo
. Use one of the methods below.
Non-GUI Environment Method
- Advantage: can keep current user session(s) and/or graphical session (X Window System) running.
- Disadvantages: cannot use graphical session during administrative tasks [15] and requires SysRq, which is disabled by default in Kicksecure for security reasons.
1 Enable SysRq.
2 Make sure keyboard gets disconnected from X Window System to defeat login spoofing. (unraw
) [16]
SysRq + w
(Press Alt + SysRq + w
)
3 Switch to another virtual console.
(Press Alt + Crtl + F2
) [17]
4 Press Secure Access Key also to defeat login spoofing.
SysRq + k
(Press Alt + SysRq + k
)
5 Login as user sysmaint
from that non-graphical environment (virtual console). [18]
6 Perform any necessary administrative tasks.
7 Remove user user
from group sudo
.
Note: This only needs to be performed once.
sudo delgroup user sudo
8 Logout user sysmaint
.
logout
9 Switch back to previous virtual console.
X Window System runs in:
- most Linux distributions: virtual console
7
(PressAlt + Crtl + F7
) - Qubes: virtual console
1
(PressAlt + Crtl + F1
)
10 Re-login if needed and continue usual work as user user
.
Logout Method
- Advantage: can use graphical session (X Window System) during administrative tasks using privileged user
sysmaint
. - Disadvantage: cannot keep graphical session of unprivileged user
user
running. In other words, simplified, all applications run under useruser
will be terminated [19] and requires SysRq, which is disabled by default in Kicksecure for security reasons.
1 Terminate all running applications in current graphical (X) session.
2 Log out.
start menu -> log out
3 Make sure keyboard gets disconnected from X Window System to defeat login spoofing. (unraw
) [16]
SysRq + w
(Press Alt + SysRq + w
)
4 Press Secure Access Key also to defeat login spoofing.
SysRq + k
(Press Alt + SysRq + k
)
5 Login as user sysmaint
.
6 Perform any necessary administrative tasks.
7 Remove user user
from group sudo
.
Note: This step only needs to be performed once.
sudo delgroup user sudo
8 Logout user sysmaint
.
9 Re-login as user user
.
10 Continue usual work as user user
.
Power-off and Power-on Cycle Method
- Advantages: Use graphical session during administrative tasks. No need for complicated user of SysRq.
- Disadvantages: Cannot keep graphical session of unprivileged user
user
running. In other words, simplified, all applications run under useruser
will be terminated.
1 Power off.
Shutdown the system. Really power off. Not shutdown. Why? To defeat login spoofing.
2 Power on.
3 Do not login as user user
.
4 Login as user sysmaint
.
5 Perform any necessary administrative tasks.
6 Remove user user
from group sudo
.
Note: This step only needs to be performed once.
7 Power off.
8 Continue usual work as user user
.
Substitute User (su) Command[edit]
The majority of users do not need to utilize the su
command. [20].
In Kicksecure, by default:
- group
sudo
membership is required to usesu
. [21] - User
user
is a member of groupsudo
. (This might change in a later release.)
To permit the su
command from user user
, complete the following steps.
(Kicksecure-Qubes: perform these steps in Kicksecure Template.)
2 Add user user
to group root
.
sudo adduser user root
Set suid. Note: It is okay if the second command fails.
sudo permission-hardener disable /bin/su sudo permission-hardener disable /usr/bin/su
sudo mkdir -p /etc/permission-hardener.d
Open file /etc/permission-hardener.d/20_user.conf
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit /etc/permission-hardener.d/20_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/permission-hardener.d/20_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/permission-hardener.d/20_user.conf
Add.
/bin/su exactwhitelist /usr/bin/su exactwhitelist
5 Save.
6 Done.
Steps to permit su
command from user user
are complete.
Root Login[edit]
Root login within a virtual console will be disabled by default after upgrades. [23] [24]
To enable login from a virtual console, first apply the Enable Root Account instructions further above, then complete the steps below.
1 To allow root login, /etc/securetty
must be configured. [25]
Open file $(realpath /etc/securetty)
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit $(realpath /etc/securetty)
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit $(realpath /etc/securetty)
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit $(realpath /etc/securetty)
2 Add the following content.
Note: Add one or more tty depending on your circumstances; see file /etc/securetty.security-misc-orig
.
tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10
hvc0
3 Save the file.
Recovery Mode[edit]
Root login is possible using recovery mode. [26]
When the root account is disabled, passwordless root login using recovery mode is possible; see below for the security impact.
Passwordless Recovery Mode Security Discussion[edit]
This is only relevant on the host and not inside virtual machines.
Passwordless recovery mode is allowed because a locked root password would break the rescue and emergency shell. Therefore the security-misc package enables a passwordless rescue and emergency shell. This is the same solution that Debian will likely adapt for Debian installer. [27]
With passwordless root login, using recovery mode is allowed (through use of the security-misc package) on the host. To prevent adverse security effects posed by lesser adversaries with physical access to the machine, set up BIOS password protection, bootloader grub password protection and/or full disk encryption.
Qubes Root Console[edit]
The following will open a root console inside a Qubes VM.
1 Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q")
→ System Tools
→ Xfce Terminal
2 Run the following command.
Replace vm-name
with the name of the actual VM where you want to open a root console.
qvm-run -u root vm-name xfce4-terminal
3 Done.
A Qubes root console will now be available.
Qubes Passwordless Root Access Setup[edit]
The following can be used to set up passwordless root access for specific Qubes VMs.
1 Open a Qubes Root Console.
2 Temporary passwordless root access until reboot.
Run the following command.
echo "user ALL=(ALL:ALL) NOPASSWD:ALL" | EDITOR=tee visudo -f /etc/sudoers.d/nopassword >/dev/null
3 Permanent passwordless root access after reboot.
Run the following command.
echo 'echo "user ALL=(ALL:ALL) NOPASSWD:ALL" | EDITOR=tee visudo -f /etc/sudoers.d/nopassword >/dev/null' | tee -a /rw/config/rc.local >/dev/null
4 Make Qubes VM specific startup script /rw/config/rc.local
executable.
chmod +x /rw/config/rc.local
5 Done.
NOTE: In 17.2.3.8 and above this can be simplified to 1 command.
passwordless-root
dsudo - default password sudo[edit]
dsudo
is a Kicksecure specific feature. [28]
As long as still using the default password (not having changed sudo password), commands can be run as root without entering a password. This is useful for users having issues with changing the keyboard layout and for testing VMs.
Instead of using
sudo
use
dsudo
passwordless-root[edit]
TODO: document
After Role-Based Boot Modes (user versus sysmaint) has been implemented, some users may want to get back to traditional way of allowing user user
to use sudo
.
Next version of Kicksecure will come with /usr/bin/passwordless-root
. A tool to easily set up passwordless sudo
for user user
.
Platform specific:
- Non-Qubes: The computer user must boot into
sysmaint
mode first. - Qubes: The computer user needs to open a Qubes Root Console.
passwordless-root
can simplify Qubes Passwordless Root Access Setup
Execution of passwordless-root
requires root.
passwordless-root
Definitions[edit]
Rooted[edit]
What does it mean to be "rooted"? The word "rooted" in the context of computer security, smartphones, and root isolation is used in different ways.
A device can get "rooted" by at least two different entities:
- A) user: Intentional rooting by the user grants them full administrative rights and is typically carried out to overcome restrictions imposed by the manufacturer or operating system (e.g., to uninstall bloatware or customize the OS).
- B) malware: Malware-induced rooting occurs when malicious software exploits vulnerabilities to gain privileged access without user consent, often for nefarious purposes such as installing malicious programs, gaining deeper access to sensitive data, malware persistence.
Linux desktop operating system (Debian, Fedora, Kicksecure, Whonix, and most others) specific example:
- Definition: If
sudo
is configured to allow useruser
to run commands without a password, the machine can be considered rooted by the user. - In technical terms: File
/etc/sudoers.d/user-passwordless
contains contentuser ALL=(ALL:ALL) NOPASSWD:ALL
. - Implications: This means the user will be able to run
sudo some-command
to execute a command with administrative ("root") rights without a password. The user could even runsudo su
to switch to userroot
.
Qubes specific example: If package qubes-core-agent-passwordless-root
gets installed, then the VM has been rooted by the user. The implications are the same as above. On the other hand, if the user opens a Qubes Root Console, the VM should not be considered rooted.
Malware specific example: If a web server (such as nginx
running under a limited Linux account user nginx
) gets compromised, the malware could attempt to root the device (synonym of saying "root the operating system"). This is also often called local privilege escalation (LPE), which refers to exploiting vulnerabilities, misconfigurations, or using other techniques to escalate permissions from a regular user to a higher privilege level, typically the "root" user.
Android specific example: If the user manages to get an Android Root Management Tool such as SuperSU, Magisk, or Superuser by ChainsDD to be functional, then the device is typically considered "rooted by the user". On the other hand, if a compromised or malicious app accomplishes LPE, then the device can be considered "rooted by malware".
Unclear definitions: What if on a Linux desktop distribution, user user
can gain root rights after using sudo
and entering a password? Typically, for Linux desktop distributions this is not considered "rooted". The word "rooted" is mostly used on mobile operating systems Android and iOS.
Difference in Terminology:
- Desktop Linux: The concept of "rooting" is not usually applied to traditional Linux desktops. Instead, users elevate privileges with
sudo
, which is considered a normal administrative function. The term "rooted" implies a fundamental change in the system's security model that is not present when using standard privilege escalation likesudo
. - Mobile OS (Android/iOS): "Rooting" or "jailbreaking" signifies that the device’s default restrictions are bypassed, giving the user continuous and unrestricted access to system files and functions.
Malicious Root Management Tools: Are an Android / iOS specific issue. Some websites say, that for example KingRoot for Android is malware. [29] This issue does not exist for Linux desktop distributions. Tools such as su
, sudo
, doas
are Open Source, Freedom Software and generally not considered malware. The existence of malicious root management tools and other issues (documented on Mobile Devices Privacy and Security, Administrative Rights) are among reasons why rooting is often discouraged for mobile devices. However, a blanket recommendation to avoid rooting in all cases for all use cases cannot be deduced from that.
Related:
sudoless[edit]
Different people have used the term "sudoless" for very different meanings.
- 2015: ivandokov/sudoless: means passwordless
sudo
. The ability of a specific Linux user account name such as "user
" to runsudo
without a password. - 2021: How to run Docker commands without sudo on a Synology NAS: A quick guide to enable sudoless docker commands.
- 2022: a Kicksecure user forum post: used "sudoless" as a synonym for "passwordless".
- 2023: TechRebuplic: How to enable Podman sudo-less container management
- 2024: secureblue: used "sudoless" in context of removal of
sudo
,su
andpkexec
. (Related: Comparison of secureblue with Kicksecure and Development Notes, chapter sudoless.)
The term "sudoless" can therefore be confusing, should either be avoided or clarified when used.
See Also[edit]
Development[edit]
- Kicksecure code: Restrict access to the root account.
- https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/68
- https://forums.whonix.org/t/should-lesser-adversaries-with-physical-access-be-part-of-the-threat-model-of-whonix-whonix-host-kicksecure/7997
Attribution[edit]
Kicksecure is an Implementation of the Securing Debian Manual. This chapter has been inspired by: Securing Debian Manual, chapter Using sudo
Footnotes[edit]
- ↑ Also see: Permissions.
- ↑ https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301316132
- ↑ For example flash utilities for Linux require root access. In theory, it's conceivable of software bugs in firmware or hardware resulting in hardware compromise without prior root compromise. No such examples happening in the wild were known to the author at time of writing.
- ↑ An exploit or payload might require a function which is unavailable inside the sandbox.
- ↑ Rationale for Change from Default Password changeme to Empty Default Password
- ↑
In new builds of Kicksecure version
15.0.0.3.6
. Earlier Kicksecure builds did not lock the root account by default and should be locked. - ↑
- Applications supposed to be run as user but run as root might create root owned files. These file permissions error can lead to additional issues.
- Inter process communications such as with dbus might be broken.
- ↑
- ↑
- Reason primarily: not breaking the system, reliability. Non-reason: security.
- https://askubuntu.com/questions/270006/why-should-users-never-use-normal-sudo-to-start-graphical-applications
- In past there was
gksudo
,kdesudo
. Nowadays with more and more applications using PolicyKit or polkit, these applications are no longer available as of Debianbuster
.lxsudo
is an alternative.
- ↑
sudo
with-H
/--set-home
would also be OK. Syntax: sudo -H application-name Or. sudo --set-home application-name For example to start the partition managergparted
by default with root rights. sudo -H gparted Or. sudo --set-home gparted - ↑ https://unix.stackexchange.com/a/423287/535873
- ↑ No longer expiring the root account since this broke adduser, see: https://forums.whonix.org/t/restrict-root-access/7658/59 (To prevent SSH login, see: Linux Locking An Account. This might prevent other login methods but this requires further investigation.) sudo chage --expiredate 0 root
- ↑
Why not login as root? This is for reasons of history, legacy.
Even during the times of X11,
root
login was frowned upon. Therefore for strong user isolation, logging in asroot
user is to be avoided. In an ideal world, the extrasysmaint
user would be unnecessary and people could simply use theroot
user. Or even better, all references toroot
would be removed and replaced withsysmaint
. However, this kind of education and convincing among many upstream projects for the purpose of Dev/Strong Linux User Account Isolation is totally unrealistic for organisational reasons, which are elaborated on the Linux User Experience versus Commercial Operating Systems page. - ↑
Any graphical application can see what is typed in another graphical application, for any user.
Quote Joanna Rutkowska, security researcher, founder and advisor (formerly architecture, security, and development) of Qubes OS:
One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.
If an application is compromised with an exploit due to a security vulnerability, it can be used as malware by the attacker. Once/if the application is not effectively confined by a mandatory access control (MAC) framework like AppArmor or firejail, it can compromise the user account where it is running and then proceed from there.
See also sudo password sniffing for technical details.
- ↑ Unless perhaps advanced users manage to run a different X server on a different virtual console. This might not be possible, secure. Depends on if the exclusive lock of X can be suspended while using an X server in a different virtual console. This has not been researched.
- ↑ 16.0 16.1 This step might be unnecessary. Not researched yet.
- ↑
Pressing
Alt + Crtl + F7
results intty2
. This is to make these instructions compatible with most Linux distributions as well as Qubes.- Most Linux distributions login CLI virtual consoles on
tty1
(Alt + Crtl + F1
) by default and X Window System ontty7
(Alt + Crtl + F7
). - Qubes X Window System by default runs on
tty1
. (Alt + Crtl + F1
)
tty2
(Alt + Crtl + F2
) will be for most users an unused virtual console which can be used for the purpose of this chapter. - Most Linux distributions login CLI virtual consoles on
- ↑
An X Window System non-root user cannot sniff keystrokes of different (non-)root users utilizing a different virtual console (
tty
). - ↑
Non-simplified: applications run by user
user
in a different virtual console or run through systemd (user) services can be left running. - ↑
su
is sometimes incorrectly referred to as the superuser command. It allows:... a change to a login session's owner (i.e., the user who originally created that session by logging on to the system) without the owner having to first log out of that session.
Although su can be used to change the ownership of a session to any user, it is most commonly employed to change the ownership from an ordinary user to the root (i.e., administrative) user, thereby providing access to all parts of and all commands on the computer or system.
By comparison,
sudo
makes it possible to execute system commands without the root password. - ↑ Implemented in package security-misc.
- ↑ sudo chmod 4755 /bin/su sudo chmod 4755 /usr/bin/su
- ↑ security-misc
/etc/securetty
is empty by default. - ↑ When trying to login as root in a virtual console it will reply:
Without previously asking for a password. This is not the worst case for usability and is better than asking for password and then failing.Login incorrect.
- ↑
sudoedit
will not follow symlinks, thereforerealpath
is used. - ↑ https://forums.whonix.org/t/restrict-root-access/7658/46
- ↑
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
- /etc/systemd/system/emergency.service.d/override.conf
- /etc/systemd/system/rescue.service.d/override.conf
- ↑ https://forums.whonix.org/t/dsudo-default-password-sudo/8766
- ↑ https://ivonblog.com/en-us/posts/kingroot-is-a-malware/
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!