Comments on: How to: break into a Linux user account in seconds

By: Roberto

Roberto — Fri, 23 Dec 2011 08:27:24 +0000

That’s because Ubuntu is a friendly operating system that offers a “recovery mode” for people who made a bad mistake on root, and need to fix it.

You can always run a distro that uses a different Linux kernel, one that is made without “recovery mode” or “single-user mode”. Then, if you encrypt your files, no one can get at them. (but of course they can still erase them by installing another OS)

By: r3dux

r3dux — Wed, 14 Sep 2011 07:18:15 +0000

Honeypots FTW =P

By: Reilly

Reilly — Wed, 14 Sep 2011 06:57:08 +0000

security is an illusion theres always a back door its just a matter of seeing it the best way imo is to just give them access to a part of your box then spy them a while then hit them with a bunch of viruses lol

By: How to: Ensure your Linux account passwords are strongly hashed | r3dux.org

How to: Ensure your Linux account passwords are strongly hashed | r3dux.org — Tue, 26 Jul 2011 23:46:18 +0000

[...] Linux account passwords are strongly hashed r3dux | July 27, 2011While reading around on how to break into Linux accounts the other day I stumbled across the interesting tidbit of information that the password hashes [...]

By: r3dux

r3dux — Sun, 24 Jul 2011 22:26:57 +0000

I've got to agree with you there - even though in distros like Ubuntu the root account is more or less disabled for use (i.e. although you can still su to root using su -s), it should definitely have a password set. But reading further says that by giving the root user no password means it can't be brute-forced, and instead you have to know a combination of username and their password, which it's claimed is harder to know. Sources: http://www.ubuntux.org/how-to-change-the-root-password-in-ubuntu, http://ubuntulinuxtipstricks.blogspot.com/2009/08/root-password-rumour.html BUT, if you can just drop into a recovery shell as root you can list all users using less /etc/shadow, or you could even create a user from the root shell! So that doesn't work... IMHO, the root account MUST have a password to prevent physical ownership meaning the box allows anyone with a modicum of knowledge instant access to everything. So even if the name of the account ('root') is known, there's still a SHA-512 password which needs to be deciphered before access is granted, and with a sufficiently strong password, that should be very, very hard to do.

By: igama

igama — Sun, 24 Jul 2011 16:25:41 +0000

If you setup the root user with a password, that won’t be possible. Once you enter Root mode, you will be asked the root password to continue

I think It is a security flaw not asking users to give the root / Administrator user a password during installation…