Is "Use this password for System Administrator" a good idea?

Is the “Use this password for System Administrator” really a good idea to have as the default option during install? I mean I can see the reason to have it, it is very convenient and all, but what kind of impact does it leave on system security? I’m not against completely having it as an option just against having it the default option.

I hear what you are saying. You could say the same about the ‘auto-login’. What idiot would leave that enabled!?

If, as in my case, you are the one and only user, and can be confident about the safety and quality of your password, I guess it might be ok. I would be interested to see a Poll on this - wouldn’t you?

In my opinion I will use different passwords, which I am using.
It's a good idea to keep root aside with all its functions.
For example:
If you went outside for a while, but forgot to lock the screen, and somebody is trying to install some software, for sure it will install it.
But if the root password is different, I think he/she will not be able to do any type of stuff to harm your PC.
This is just an example. The example is in an OFFICE.
Because I am using openSUSE in the office.

Moved to soapbox

Andy

Yes it’s stupid but unfortunately noobuntu ideals of “let’s make it more like Windows” seem to have spread to openSUSE and some really retarded design decisions have been made for 11.x series.

deltaflyer44 wrote:
> vendion;1862919 Wrote:
>> Is the “Use this password for System Administrator” really a good idea
>> to have as the default option during install?

REALLY bad design decision to make it so easy to have almost NO
security…

what WERE they thinkin’ (or smokin’)??

i’d take that away, AND i’d not make it so easy for n00bs to sign
into KDE/Gnome etc as root as to put THAT option on the standard sign
in page…

i’m almost sure that a lot of the problems we see here daily are
directly because of those two n00b TRAPS! (well, that and releasing a
Live CD with KDE4.0 that can be installed from…as if THAT is SUSE!!)


see caveat: http://tinyurl.com/6aagco
DenverD (Linux Counter 282315) via NNTP, Thunderbird 2.0.0.14, KDE
3.5.7, SUSE Linux 10.3, 2.6.22.18-0.2-default #1 SMP i686 athlon

vendion wrote:
> Is the “Use this password for System Administrator” really a good idea
> to have as the default option during install? I mean I can see the
> reason to have it, it is very convenient and all, but what kind of
> impact does it leave on system security? I’m not against completely
> having it as an option just against having it the default option.
>
>
When you use that option, does it turn the system towards the way Ubuntu
is configured? I’ve never tried it but that might be what they mean by
that option.

^ nope.

All it does is make the root password the same as user password.

> When you use that option, does it turn the system towards the way Ubuntu
> is configured? I’ve never tried it but that might be what they mean by
> that option.

I have been running Ubuntu in VBox, installed it yesterday, just for fun. The pain with Ub for me is its default install method of NOT creating a separate /home.
You are asked for an admin password and user password but as I recall it does not do what Suse is currently doing: “Use this password for System Administrator” - which is checked by default.
I do agree with DenverD’s comments -

> what WERE they thinkin’ (or smokin’)??

I’m guessing the thinking is that the person installing and creating the user account at that time is to be the admin (after all they are installing the OS).
Additional users would never want the same password.

If the whole purpose of this option is to make it easy for the noobs then if they do manage to forget their root password, who in the world would ever do that :P, then all they have to do is ask for help in changing it. If someone really wanted to gain access then having two good passwords in place would be better than one. I also don’t know how many people are like me and have one or two people they trust with their user passwords. I also do not use the “Auto-login” but I feel fighting that would be a losing battle, but I would never trust them with root. I would be interested in opening a bug report against the installer to see if at least the default action could be for this to be disabled, as a way of saying it is better to have a separate root password but we won’t stop you from using this.

deltaflyer44: Sorry for posting this in the wrong forum, I thought this would be better placed in the Pre-release forum being that it is dealing with the next version of openSUSE. I guess I dropped the ball.

I put a report in on this to the bugzilla and if anyone would like to comment on it or vote for it here is the link https://bugzilla.novell.com/show_bug.cgi?id=420783

On 08/27/2008 69_rs_ss wrote:
> When you use that option, does it turn the system towards the way
> Ubuntu is configured? I’ve never tried it but that might be what they
> mean by that option.

If they didn’t change it for 11.1 no, it only sets the root password, skipping that particular part of the install.
IMHO all those “easy setup” make sense under certain conditions, they shouldn’t be enabled by default though.

Just my 2 ct
Uwe

And the noob will always beat this kind of thing trying to help him.

There is a thread around at this forum about somebody thinking that typing the root password made him superuser. So when he typed the same password for his normal userid he was afraid doing things …

I can understand how he got embarrassed at the installation process. And he started thinking. So the whole idea of helping the noob (if that was behind this silly install behaviour) is spoiled by introducing new problems. >:)

No, Ubuntu does it different. It sets up root with an impossible password so it cannot be logged into and then it adds the user into the wheel group so that the user can sudo to root. Presumably this is to make working as root annoying so that users won’t become root often. It’s easy to get around, either give root a real password, or do

sudo su -

and stay as root as long as you need to.

Another (weak) reason I suppose is there is no root password to disclose; being able to sudo is dependent on being in group wheel, so the sudo privilege can be revoked.
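
The two account layouts compared in this thread (root locked with sudo granted through group wheel, as the post above describes Ubuntu, versus root holding its own password) can be told apart from shadow(5) and group(5) data. The script below is an added example, not part of the thread; the file contents, user names and hashes are constructed, and the group name wheel and its sudo grant are taken from the post as assumptions.

```shell
#!/bin/sh
# Added example. Sample files are constructed; the hashes are placeholders.

# Print how root's password field is set in a shadow(5)-format file.
root_state() {
    awk -F: '$1 == "root" {
        found = 1
        if ($2 == "") { print "empty" }
        else if ($2 ~ /^[!*]/) { print "locked" }
        else { print "password" }
    }
    END { if (!found) print "missing" }' "$1"
}

# Print the comma-separated members of group $2 in a group(5)-format file.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Summarise which passwords stand between a local user and root.
# Assumption (from the post): members of the admin group may use sudo.
classify() {
    members=$(group_members "$2" "${3:-wheel}")
    case "$(root_state "$1")" in
        locked)   echo "sudo-only: root rests on the passwords of ${members:-nobody}" ;;
        password) echo "separate-root: root password plus sudo for ${members:-nobody}" ;;
        empty)    echo "unsafe: root has no password" ;;
        *)        echo "unknown: no root entry" ;;
    esac
}

tmp=$(mktemp -d)
# Constructed: root locked, as the post describes the Ubuntu setup.
cat > "$tmp/shadow.locked" <<'EOF'
root:!:14100:0:99999:7:::
alice:$6$saltA$placeholderhash:14100:0:99999:7:::
EOF
# Constructed: root with a password of its own.
cat > "$tmp/shadow.rootpw" <<'EOF'
root:$6$saltB$placeholderhash:14100:0:99999:7:::
alice:$6$saltA$placeholderhash:14100:0:99999:7:::
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:alice,bob
EOF

classify "$tmp/shadow.locked" "$tmp/group"
classify "$tmp/shadow.rootpw" "$tmp/group"
```

Because each hash is salted, the shadow file alone does not show whether root and a user were given the same password.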

I’m no ubuntu expert, only had it installed in a VM for a couple of minutes, got rid of it when apt-get threw up when upgrading Firefox to 2.0.0.14, but if I remember correctly the password for sudo was the user’s password. So if the attacker knew the user’s password, if the user is in the wheel group, then there is nothing protecting the system which goes back to the need/want to have a strong separate root password.

Correct, when you are in group wheel, the password wanted is the user’s password. Of course the same could be said about the OpenSUSE shortcut, but then there would be the uncertainty of whether the user opted for the same password or not. Nonetheless the user’s password would be one of the first things a cracker would try.

However, I regard a break-in even as a user as game over and a win to the cracker since there are usually several unpatched local vulnerabilities that can be leveraged. And even if they don’t become root, they can do a lot of damage already: boobytrap your files, send out tons of spam from your machine, etc.

So I do think a separate password for root is a good idea, but in the whole scheme of things, just another small barrier. But then every bit helps.

Yea that is true, but that every little bit is something that I like. The damage that can be done with user permissions is limited, but the damage that can be done as root is endless. I don’t think I’m saying this right but “One Small Stone Causes Big Ripples” :slight_smile:

Just a few musings:
I suppose that I fit that rather derogatory term “nOOb” and I’m puzzled. If one’s user password and the root password are the same one is still asked to enter the root password before you can do something that needs that level of access. So how does one do that by accident?
Secondly you all seem to assume that Linux is only used by technophiles like yourselves, but surely the vast majority of users only want a computer for what it does - accessing the web, playing games, word processing etc. and aren’t in the least interested in how it works.
I am the only one in my household that is using SUSE, and one password suits me fine.
And yes, it is easy to forget a password one doesn’t use for weeks at a time; and most average users would hardly ever need root privileges.
I would like to see Linux in more general use by the wider community so nOObs are important.
And finally, if you want a different root password, do you really need the system to tell you to do it?

From my short dealings of Ubuntu yes, if the user password and, in this case, root password are the same you will still be asked for the root password. The problem is if someone attacks your computer and gets a hold of your user password then reusing that same password is not very smart because I’m sure the attacker would try that. Of course even a separate strong root password won’t stop them, but it will slow them down giving you a chance of catching them.

> Secondly you all seem to assume that Linux is only used by technophiles like yourselves, but surely the vast majority of users only want a computer for what it does - accessing the web, playing games, word processing etc. and aren’t in the least interested in how it works.
> I am the only one in my household that is using SUSE, and one password suits me fine.

That is purely up to you, there is nothing stopping you from setting your system the way you want. Even in the older version of SUSE you could reuse your user password as root, there just wasn’t an option in the installer that allowed it (which is what this thread is about).

> And yes, it is easy to forget a password one doesn’t use for weeks at a time; and most average users would hardly ever need root privileges.

I don’t go root but once a month, if nothing goes wrong, just to update KDE and my ATI drivers on my laptop and I never had a problem forgetting my root password, then again not everyone is like me and every day thinks: “Is my root password strong enough and do I need to change it in the next release?”, “What is the meaning of life?”, “What IS the real question to the ultimate answer? (aka what can be added/multiplied to make 42)”. Also if anyone does forget their root password all they have to do is ask, here, mailing list, IRC, etc, it can be changed if need be.

> I would like to see Linux in more general use by the wider community so nOObs are important.
> And finally, if you want a different root password, do you really need the system to tell you to do it?

Linux is slowly becoming more user friendly; if you question it, look at it now compared to several years back. In this push to become more user friendly the things that help make it more secure should not be pushed aside and or forgotten. A separate root password is nothing but a good thing, even if you share your user account with some friends, like me, two people other than me know my user passwords, but no one but me knows my root password and if I learn otherwise then they may not live long. :wink:

In short, I don’t want to get rid of the ability to use the user password as the root password just make it so the new “feature” in the installation process does not default to it.

Another vote in strong favour of the idea here.

It encourages the user to use and to remember a strong password.

The danger with a casual user having a separate password for root is that occasional use of root (as is desirable and is the case on a properly configured system) could lead to forgetting said root password, or, almost as bad, writing it down so it won’t be forgotten. Over time, this leads to weaker passwords.

Before anyone says something is stupid, has anyone done any relevant research? I’d be happily proven wrong, but not by anecdotes.