Raspbian default user security

Incidentally as far as I can figure out all Raspbian installs default to a password of “root” for root user so it’s a good idea to change this as a security precaution (and presumably everyone changes the default password for the Pi user as well)

pi@Heimdall:~ $ sudo passwd root
New password:
Retype new password:
passwd: password updated successfully

I don’t believe that is an accurate statement.

https://www.raspberrypi.org/forums/viewtopic.php?t=191720#p1202838

actually that’s even worse if root has NO Password set especially given that it is an account that is allowed to login.

pi@Heimdall:~ $ sudo cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash

I’ve already changed mine as a precaution anyways given I thought it was root:root . Maybe someone who hasnt could try logging in to their Raspbian install using eiuther root:root or root and no password

No, an account without a password can not log in.

https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

The x means the account uses shadow and you’ll see in the shadow entry that the account is disabled.

what a fsked up way of doing it ;o)

NB I do agree that logging in directly as root is never a good idea, but neither is not having a a password set at all :smiley:

BTW IIRC /etc/shadow doesn’t actually have an option to disable a login as it’s related purely to the password (including expiry time).

To prevent logins the account should be set to /usr/sbin/nolgin in /etc/passwd (as pihole is)

pi@Heimdall:~ $ sudo cat /etc/passwd | grep pihole
pihole:x:999:995::/home/pihole:/usr/sbin/nologin

not set up to use /bin/bash (which root is)

/etc/shadow field 2

Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.

I’ll take your word for it that it was setup like that as I don’t have the unedited version :slight_smile:

BTW I still say that it would also be a good idea in that case to set it in /etc/passwd as “nologin”

Setting the shell to /nologin prevents the account from being used in an interactive terminal session. root needs to have a shell so you can use the account in a shell session. You can not log in to the root account on Raspbian. The security implications of deploying a massive number of internet connected devices with a known root account and password would be insane.

nearly as insane as deploying a massive number of internet connected devices where the default UN & PW is hard coded with permissions set to allow to run sudo and relying on users to actually change the password after install rather than forcing them to pick a password during install…

;o)

Or you just disable SSH and make them manually enable it after they know the implications of said actions.

which is an annoyance (and although all the deadhead install guides tell you how to enable it easily it’s still mad that the user is prompted to create a password for the “Pi” user at first install.

I’ve moved this to a new topic as it’s not relevant to the original posters question.

1 Like

This is a fair point, but one best discussed on a Linux/Raspbian forum. Pi-Hole simply runs on top of the OS.

1 Like

It’s just the way it went :smiley: