Any safe way to change "root" password in EasyOS Buster?

Moderator: BarryK

Stogie
Posts: 66
Joined: Thu Oct 07, 2021 8:10 pm
Has thanked: 10 times
Been thanked: 10 times

Post by Stogie »

.
Hey all. I recently read Barry saying that in EasyOS 3.0, entering a password at first boot not only encrypts the user filesystem, but that also becomes the root password instead of "woofwoof" that everyone knows.

Well, I'm running Buster (I think 2.4) and I opted not to enter a password when I first booted (it's a desktop PC that never leaves my house so physical security isn't a problem and not encrypting makes it far easier to recover my files if Easy ever gets screwed up and won't boot). However I like the potential security benefits of changing root's password away from the generic "woofwoof".

With root as "woofwoof", if I run a browser as "spot", what's to prevent rogue code from simply doing a "sudo" (or similar privilege-escalation technique) with the KNOWN password "woofwoof"? Probably unlikely, but still unsettling.

Can I change root's password without screwing things up? Can I use the standard Linux method (the "passwd" command, I think it is), or will that mess up EasyOS somehow (e.g. does the boot-up process have a hardcoded "woofwoof" assumption, or any other implications?)

Thanks!
.


Post by Stogie »

.
Also, because I'm new on this forum, if Barry is reading this, you've done amazing things and I stand in awe. Puppy was/is great and EasyOS is just amazing, it has SO MANY THINGS I've always WANTED in an OS, but could never get. You've made it VERY EASY for me to walk away from Windows (and the forced-updates sack of bloated spyware it's become) once and for all, EASILY! Bravo and keep up the good work, you're truly a one-man army!

One suggestion though - consider keeping the Debian version (currently Buster) going with periodic updates, etc. OE may be more cutting edge, smaller, more "fun", etc. but while tinkerers and geeks may love that, there are other users like me who just want a very stable, reliable system with huge repositories of trusted software. If it's a bit larger, a bit slower, not "cutting edge", less "tinkering-fun", etc. we won't notice or care. We don't like constant changes, and we love and need stability. Debian Buster embodies that!

Thanks Barry!
.

williams2
Posts: 1066
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 306 times

Post by williams2 »

if I run a browser as "spot", what's to prevent rogue code from simply doing a "sudo" (or similar privilege-escalation technique) with the KNOWN password "woofwoof"?

sudo never asks for root's password, in any Linux distro.

sudo always asks for the user's password.
the root password will not work (unless the root password is the same as the user's password.)

Also, sudo runs an executable as if the owner of the executable is running it. If you use sudo to execute something that is owned by spot, it would run as if spot ran it. sudo does not automatically run as if you are root, unless the executable happens to be owned by root.

Again, sudo never asks for root's password, unless you are root.
sudo always asks for the user's password.


Post by Stogie »

williams2 wrote: Thu Oct 07, 2021 9:11 pm

sudo never asks for root's password, in any Linux distro.
sudo always asks for the user's password.

Okay, well I'm not sure what the "spot" user's password is, but it's probably widely-known. So the same problem remains.

Also, sudo runs an executable as if the owner of the executable is running it. If you use sudo to execute something that is owned by spot, it would run as if spot ran it. sudo does not automatically run as if you are root, unless the executable happens to be owned by root.

Well, I checked and it appears root owns "rm". So couldn't nefarious code running as "spot", if it knew the "spot" password, do a sudo run of the rm command with options to recursively delete entire directory trees of stuff anywhere on the system, since rm is owned by root, therefore has root power to delete anything?

I'm not a Linux expert, especially with permissions and such. These are just some security concerns. I'd like to be sure that stuff running as "spot" (e.g. evil code in spot-run Firefox or Seamonkey) can't get privileges that spot doesn't have.
.


Post by williams2 »

I don't know about EasyOS; in Puppy the unprivileged user spot has no password set by default.
To use sudo, you first need to set a password.

Even then, Puppy's spot can not use sudo, even if the passwords are set and you know them.

For one thing, the suid bit is not set on su.

Also, sudo is not configured to allow spot to use sudo.

In Puppy, unprivileged user spot can not become root, and can not run any executable as root.
Unlike many distros where you can become root by typing sudo su, no password necessary.

EasyOS may be different.


Post by Stogie »

.
williams2, thanks for the info and insights. Of course we know that EasyOS is very similar to, and was to a large extent built upon, Puppy and its way of doing things, so it's likely "spot" has the same restrictions in EasyOS. Not sure though.

Maybe Barry, or someone with equivalently-deep knowledge of "spot"'s abilities, can set us straight.

Thanks again. It's nice to be on a Linux forum with helpful, polite people instead of nasty insecure people who are insulting to newcomers. :thumbup2:
.


Post by williams2 »

You can try it yourself, rather than taking anyone's word for it.

Code:

# whoami
root
# su spot
$ su
su: must be suid to work properly
$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
Sorry, try again.
Password: 
Sorry, try again.
Password: 
sudo: 3 incorrect password attempts
$ whoami
spot
$ exit
exit
# whoami
root
# 
BarryK
Posts: 2877
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 149 times
Been thanked: 788 times

Post by BarryK »

Stogie wrote: Thu Oct 07, 2021 8:22 pm

Well, I'm running Buster (I think 2.4) and I opted not to enter a password when I first booted (it's a desktop PC that never leaves my house so physical security isn't a problem and not encrypting makes it far easier to recover my files if Easy ever gets screwed up and won't boot). However I like the potential security benefits of changing root's password away from the generic "woofwoof".

There is no problem with accessing the encrypted folders from another EasyOS. Boot up a working EasyOS, any version, with the same password as for the broken EasyOS, and then plug in the broken usb-stick, or mount the broken partition, and the encrypted folders will be accessible.

I recommend booting with a password. I have just the one password for every EasyOS installation. Makes it easy to remember, plus that above-mentioned advantage that you can access the folders in other EasyOSs.


Post by Stogie »

BarryK wrote: Sat Oct 09, 2021 2:18 am

There is no problem with accessing the encrypted folders from another EasyOS. Boot up a working EasyOS, any version, with the same password as for the broken EasyOS, and then plug in the broken usb-stick, or mount the broken partition, and the encrypted folders will be accessible.

I recommend booting with a password. I have just the one password for every EasyOS installation. Makes it easy to remember, plus that above-mentioned advantage that you can access the folders in other EasyOSs.

Oh, awesome! I didn't know this. That's fantastic from a usability standpoint. It eliminates the only downside to such encryption schemes (difficulty or impossibility of recovering user data from a no-longer-bootable device).

Thanks Barry, I had no idea! Now I like EasyOS even more.

williams2, interestingly when I tried your example, "sudo su" didn't give me the "usual lecture" text and a password prompt, instead I got this:

Code:

# whoami
root
# su spot
# whoami
spot
# su
su: must be suid to work properly
# sudo su
sudo: unable to initialize PAM: No such file or directory
# 

Not sure what that means, but hey, it didn't work, and that's what we want when spot tries to get more privileges! :lol:

If anybody knows what the PAM message means, and why I get it while williams2 does not, feel free to enlighten me/us. Thanks!
.

.


Post by williams2 »

PAM is software that other software (like sudo) can make use of to help with password authentication.

PAM = Privileged Access Management
or maybe
PAM = Pluggable Authentication Modules

In EasyOS, sudo seems to use PAM as a dependency, and either sudo and/or PAM is not configured to work together, or maybe PAM is not installed at all.

In BionicPup64, I can do this:

Code:

# sudo -u root ls /bin/busy*
/bin/busybox
# 
# sudo -u spot ls /bin/busy*
/bin/busybox
# su spot
$ sudo -u spot ls /bin/busy*
spot is not in the sudoers file.  This incident will be reported.
$ sudo -u root ls /bin/busy*

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
Sorry, try again.
Password: 
Sorry, try again.
Password: 
sudo: 3 incorrect password attempts
$

Basically, unprivileged users in Puppy, and probably EasyOS, are not as privileged as users are in other distros. In Puppy, spot is not set up to be able to use su or sudo. AFAIK, spot can not become root, or use sudo to execute commands with root privileges.

In some other distros, unprivileged users can become root just by typing sudo su

Do you have a dir /etc/pam.d/ ? I think that is what sudo is looking for.


Post by Stogie »

williams2 wrote: Sat Oct 09, 2021 9:08 pm

Basically, unprivileged users in Puppy, and probably EasyOS, are not as privileged as users are in other distros. In Puppy, spot is not set up to be able to use su or sudo. AFAIK, spot can not become root, or use sudo to execute commands with root privileges.

Good! I just want to use EasyOS as a simple single-user desktop system, the way it and Puppy are designed to be used. I do stuff as "root" and can do whatever I want. However when I run Internet-facing programs (like Firefox) or other higher-risk programs as "spot", I want "spot" to be as crippled as possible. So if "spot" can't use su or sudo, that's a good thing! I don't want it having any abilities beyond what those higher-risk programs need to function properly. Its limited abilities will never be a problem for me, because I do stuff as "root".

In some other distros, unprivileged users can become root just by typing sudo su

Scary and laughable. Why bother to have a user-based security system at all, when anyone can become root anytime by typing 7 well-known characters and pressing ENTER?

Do you have a dir /etc/pam.d/ ? I think that is what sudo is looking for.

Yes, I sure do:

Code:

# 
# ls -alFd /etc/pam.d
drwxr-xr-x 2 root root 93 Aug 23  2020 /etc/pam.d/
# 
# ls -alF /etc/pam.d
total 10
drwxr-xr-x   2 root root   93 Aug 23  2020 ./
drwxr-xr-x 106 root root 4096 Oct  6 09:40 ../
-rw-r--r--   1 root root   69 Apr 25  2020 cups
-rw-r--r--   1 root root  520 Feb 14  2019 other
-rw-r--r--   1 root root  270 Jan 15  2019 polkit-1
-rw-r--r--   1 root root   84 Mar 30  2019 samba
-rw-r--r--   1 root root 2133 Jan 31  2020 sshd
-rw-r--r--   1 root root   95 Feb  2  2020 sudo
# 
# cat /etc/pam.d/sudo
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive
# 

I wish I knew more about Linux's guts to understand what's going on with stuff like this! :)
.
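
In the listing above, /etc/pam.d/sudo pulls in common-auth, common-account and common-session-noninteractive with @include, and none of those names appear in the directory listing. The script below is an added example, not part of any post in this thread: it walks a PAM service file's includes and reports the ones with no file behind them, which is worth checking when sudo says it cannot initialize PAM. The function names are made up for this example, and the demo directory is constructed (only the content of "sudo" is taken from the thread).

```shell
#!/bin/sh
# Added example (not from the thread): find PAM include targets that do not exist.

# Print the files one PAM service file pulls in, one name per line.
# Handles Debian's "@include NAME" and the "TYPE include|substack NAME" form.
pam_includes_of() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" && NF >= 2 { print $2; next }
        ($2 == "include" || $2 == "substack") && NF >= 3 { print $3 }
    ' "$1"
}

# pam_missing_includes DIR SERVICE...
# Follows includes transitively; prints the names that have no file and
# returns 1 if there are any, 0 if the whole chain resolves.
pam_missing_includes() {
    dir=$1; shift
    seen=" "; missing=""
    while [ $# -gt 0 ]; do
        name=$1; shift
        case "$seen" in *" $name "*) continue ;; esac   # guard against include loops
        seen="$seen$name "
        case "$name" in /*) file=$name ;; *) file=$dir/$name ;; esac
        if [ ! -f "$file" ]; then
            missing="$missing${missing:+ }$name"
            continue
        fi
        # Unquoted on purpose: one word per include name.
        set -- "$@" $(pam_includes_of "$file")
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed copy of the directory listing posted above; only the content
# of "sudo" is taken from the thread, the other files are empty stand-ins.
pam_demo() {
    d=$(mktemp -d) || return 1
    for f in cups other polkit-1 samba sshd; do : > "$d/$f"; done
    printf '%s\n' '#%PAM-1.0' '' '@include common-auth' \
        '@include common-account' \
        '@include common-session-noninteractive' > "$d/sudo"
    pam_missing_includes "$d" sudo || :
    rm -rf "$d"
}

pam_demo
```

On a real system the call would be `pam_missing_includes /etc/pam.d sudo`, run as root so every file in the chain is readable.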
