

Why does Ubuntu have a disabled root account?


Problem description

Ubuntu disables root login for "security reasons". However, in my view this does not help security at all.

If an intruder manages to obtain the Ubuntu login password, then he also has the super-user password, because it is the same as the login password.

But if a root password were required, then merely logging in would not help the intruder much – isn't that right?

So basically, what I want to know is: why did Ubuntu choose to disable the root password? What are the security reasons?

Please don't answer based on what you "think" the reasons are – I'm looking for an answer from official sources, or a link to them.

Best answer

Mitch posted a good link in the comments: Why is it bad to login as root? And the Debian website lists the main advantages in their wiki:

Why sudo?

Using sudo is better (safer) than opening a session as root for a number of reasons, including:

  • Nobody needs to know the root password (sudo prompts for the current user’s password). Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.

  • It’s easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.

  • Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, switching to root using sudo -i (or sudo su) is usually deprecated because it cancels the above features.

For Ubuntu, our wiki lists the advantages and disadvantages:

Benefits of using sudo

There are a number of benefits to Ubuntu leaving root logins disabled by default, including:

  • The installer has fewer questions to ask. Users don’t have to remember an extra password for occasional use (i.e. the root password). If they did, they’d be likely to forget it (or record it unsafely, allowing anyone to easily crack into their system).

  • It avoids the “I can do anything” interactive login by default. You will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.

  • sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can go back and see what commands were run.

  • On a server, every cracker trying to brute-force their way in will know it has an account named root and will try that first. What they don’t know is what the usernames of your other users are. Since the root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.

  • Allows easy transfer of admin rights by adding and removing users from groups. When you use a single root password, the only way to de-authorize users is to change the root password.

  • sudo can be set up with a much more fine-grained security policy. The root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).

  • The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as root using sudo, you will not be leaving a root terminal open indefinitely.

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

  • Redirecting the output of commands run with sudo requires a different approach. For instance, sudo ls > /root/somefile will not work, since it is the (unprivileged) shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written with root permissions, such as sudo sh -c "ls > /root/somefile".

  • In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled root password is needed here. The local user account should have its $HOME on a local disk, not on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn’t reference any files on NFS mounts. This is usually the case for root, but if adding a non-root rescue account, you will have to take these precautions manually. However the advantage of using a local user with sudo is that commands can be easily tracked, as mentioned in the benefits above.

We have always had it (since the first release).

The oldest reference I found talks about 4.10 having "sudo":

SHUTTLEWORTH LAUNCHES DEBIAN-BASED UBUNTU LINUX

… The Debian-based Ubuntu Linux includes Gnome 2.8, kernel 2.6.8.1, OpenOffice.org 1.1.2 and comes with a text-based, but easy, installation procedure. Ubuntu has disabled the root user preferring to use sudo much like Mac OSX does …
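The auditing benefit quoted above is easiest to appreciate by looking at what sudo actually writes to /var/log/auth.log. The following is an added example, not part of the original answer or of either wiki: a small parser over constructed sudo syslog lines (the hostname, usernames and commands are made up) that separates commands that ran from failed password attempts and "NOT in sudoers" denials, the kind of review a defender does to see who did what as root.

```python
import re
from collections import Counter

# Constructed sample lines in the format sudo writes to /var/log/auth.log
# (syslog prefix, then "sudo:" and the sudo message). Not real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:12:40 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade -y
Mar  3 09:15:22 ws01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:16:05 ws01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:20:11 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/sh -c ls > /root/somefile
Mar  3 09:21:00 ws01 CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One regex for the sudo message body. The optional "reason" group only matches
# when sudo logs a failure such as "3 incorrect password attempts" or
# "user NOT in sudoers" before the TTY field; it stays None for commands that ran.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

def parse_sudo_log(text):
    """Return one dict per sudo line; lines from other services are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ok"] = ev["reason"] is None   # no failure reason means the command ran
        events.append(ev)
    return events

def summarize(events):
    """Count commands actually run per invoking user and list every denial."""
    ran = Counter(e["user"] for e in events if e["ok"])
    failures = [(e["user"], e["reason"], e["command"]) for e in events if not e["ok"]]
    return ran, failures

if __name__ == "__main__":
    ran, failures = summarize(parse_sudo_log(SAMPLE_AUTH_LOG))
    for user, n in ran.items():
        print(f"{user}: {n} command(s) run as root")
    for user, reason, cmd in failures:
        print(f"DENIED {user}: {reason} -> {cmd}")
```

Note that the original username survives in every line even though USER=root, which is exactly what a shared root password cannot give you.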

Second-best answer

I believe what is written on the help page is clear enough and objective enough.

Ubuntu is "for everyone": if you are good enough, you don't need root privileges to damage your computer, and at the same time you don't need root at all (and you know how to enable it easily). So the question is not about the "good enough" users, but about everyone else, who may come to Linux from another area of computing with Ubuntu as their first contact (many of us).

If you are not an expert and don't know exactly what root is and how to handle it properly, you neither need it nor need to enable it (for example, risking a graphical login as root). It is far better to learn how to do things safely and then move on to harder and more dangerous paths than to start straight away the hard way, damage your installation/workstation, get frustrated and possibly be unable to restore a fully working system. In general, prevention is much better than cure.

This article was compiled by Ubuntu Q&A; post URL: https://ubuntuqa.com/article/1283.html. Do not reproduce without permission.