On 6/26/2015 6:12 AM, Matthijs Wensveen wrote:
From the standpoint of remote access, don't think there is a significant difference.On 06/26/2015 01:55 PM, Nick T. wrote:Not the case. Even in rescue mode I needed to supply the root login. I could use init=/bin/sh but I couln't find anything in the logs in /var/log, so I'm guessing systemd and journalctl keeps the journal in some other place (probably some binary format hidden in a database or something).On 06/26/2015 12:55 PM, tomas@tuxteam.de wrote:well and good until you find yourself in the situation this very thread is about: your root filesystem is broken and you can only log in as root. Then you need your root password.Ubuntu and debian can boot into recovery mode from the grub menu, from there it asks for the root password IF there is one, if not it just gives you a root shell.- NickI'm now back to having a root password, which allows me to use emergency mode. I'm unsure if having a root password (and an enabled root account) is better or worse, security-wise. If an attacker has access to the grub menu, you're probably screwed anyhow.
From the standpoint of physical access to the machine, I would go on the assumption that if someone has the time to boot into recovery mode and mess with the system, they have time to boot from optical or flash disk and mess with the system, so unless you have gone into the bios/uefi and set passwords, it's not going to make
that much difference.If they have time to do that, maybe they have time to take the hard drive out and attach it to another machine, again sudo versus root, no difference, and bios/uefi passwords don't come into play either in that case.
That leaves you with encryption then, if you really need that level of security.
Personally, if I had to start from scratch for some reason, I would skip the root password during install and just use sudo. But since my Debian installation predates that option, I stick with using root.
I am pretty comfortable with the way sudo works in Ubuntu and did not bother creating a root password there. Normally if I have to do something from the command line one of 'sudo -H 'some command'', or 'sudo su' meets my needs or the gtk/kde frontends for sudo if I have to start something with a GUI.
Later, Seeker