Solved Lock root account in a jail

I've read somewhere (no reference, unfortunately) that I could use vipw to edit /etc/master.passwd and put an exclamation mark in the root line to prevent root from having a password. Like so:
Code:
root:!:0:0::0:0:Charlie &:/root:/bin/csh

I wonder if I should do this in my jails.

I am not so sure what it means: "not having a password". I hope this is "preventing anyone to su to root" and not "root's password will remain empty". This thread on Stack Exchange tends to confirm this, but this is a Linux-tagged topic.

Anyhow, if I execute pw lock root then root's line reads:
Code:
root:*LOCKED*!:0:0::0:0:Charlie &:/root:/bin/csh
And I checked that it doesn't prevent me, from the host, to log in via ezjail-admin console mywebjail.

Questions:
- Is it at all necessary to enter this exclamation mark? Is actually pw lock root the correct (and only/recommended) way to do this?
- Is it improving security to lock root account in a jail? As I guess the answer may be "it depends", I should specify: I have jails that run websites, but there's no direct external access to them, pf only redirects http requests to them, and they answer, that's all (no ssh). The main problem I can think of could come from misconfigured or not updated website's framework that would leave a door open. Plus one jail running a sftp server. Users can access it via ssh but cannot log in to a shell, they only get ftp over ssh.
 
Code:
     A password of `*' indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted
     passwords, and `*' can never be the result of encrypting a password.
Please read passwd(5).

Keep in mind that various services and processes are required to run on the root account.

I hope this is "preventing anyone to su to root"
Only members of the wheel group are allowed to su(1), unless you configure it differently (see pam_group(8)).


And I checked that it doesn't prevent me, from the host, to log in via ezjail-admin console mywebjail.
You're technically not logging in.

The main problem I can think of could come from misconfigured or not updated website's framework that would leave a door open.
If they break in through the web application they would gain access to the www account. They would then need to use a local privilege escalation exploit in order to gain root access. They could, theoretically, still get root access, even if the account is locked.
 
Thank you very much for sharing your insights!

Keep in mind that various services and processes are required to run on the root account.

[...]
They could, theoretically, still get root access, even if the account is locked.

To sum up: locking the root account would not bring that much security and maybe induce problems with services requiring the root account?
 
In this case it would add very little security and a whole lot of inconvenience. I would recommend disabling password authentication for that account though. That should prevent su(1) (since you can't enter the password). But you may have added an Achilles' heel if using sudo(8) for example. Remember that most "hacks" nowadays happen due to badly chosen, easily guessed, passwords. With sudo(8) you use your password. Now imagine an attacker brute-forcing their way into your account. Then they have that password. So, not only can they log in, they can also run sudo(8) with that same password.

A good thing to do is to put a long and complex password on the root account. Write it down and store it somewhere safe (closed envelope in a safe for example, not on a Post-it attached to your monitor for obvious reasons). To be used in case of emergencies.
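
The states discussed in this thread (an empty password field, `*` for disabled password authentication, and the `*LOCKED*` prefix written by pw lock) can be told apart mechanically when auditing several jails. The script below is an added example, not part of the original posts; the function names, state labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd colon-separated field)
# of master.passwd-format lines read from stdin.
# Prints one "user<TAB>state" line per account.
classify_pwfield() {
    awk -F: '
        /^#/ || NF < 2 { next }      # skip comments and malformed lines
        {
            pw = $2
            if (pw == "")                        state = "EMPTY"        # no password required
            else if (index(pw, "*LOCKED*") == 1) state = "LOCKED"       # prefix added by pw lock
            else if (pw == "*")                  state = "PW_DISABLED"  # passwd(5): password auth off
            else if (substr(pw, 1, 1) == "$")    state = "HASH"         # modular crypt hash is set
            else                                 state = "OTHER"        # e.g. "!": review by hand
            printf "%s\t%s\n", $1, state
        }'
}

# Accounts worth a second look: an empty field, or a value that is neither
# "*", a *LOCKED* entry, nor a "$"-style hash.
audit_report() {
    classify_pwfield | awk -F'\t' '$2 == "EMPTY" || $2 == "OTHER"'
}

# Constructed sample input (not taken from a real system).
sample_master_passwd() {
cat <<'EOF'
# constructed sample
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*LOCKED*!:0:0::0:0:Bourne-again Superuser:/root:
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:$6$constructedsalt$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:!:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

# Stand-alone run on the sample data.
sample_master_passwd | classify_pwfield
```

To check a real jail, run it as root and redirect that jail's etc/master.passwd into `classify_pwfield` or `audit_report` instead of the sample.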
 
Thank you very much!
I think I was confused between the meanings of "locking an account" and "disabling password authentication for an account".

Now I see I do not want to lock root's account. Disabling password authentication for root in my jails seems to be right: won't prevent processes that need root account from running fine; will increase security a little bit. Say an attacker gets access to the jail as www, he will have a harder time to su. The webjails have only a root account and the users required to run software, no other account, no sudo, no ssh...
 
Thanks, this helped me for both my jail and system. I found out that disabling the root account introduces a bunch of pain for me that I haven't figured out a workaround for. So, I will enable the root account, but disable password authentication.
 