8

I'm running Debian in a virtual machine and for convenience I would like to remove the password on root (since it doesn't really matter what happens to this box). Internet hasn't been too helpful on this one, which I suppose is OK because this is not normally something you'd want to do!

I tried passwd -d root, but su won't accept the empty password. I assume there is some sort of PAM policy blocking me, but I haven't been able to find a working solution. Any help appreciated!

(Just to clarify: I don't want to always run as root. I'd like a little bit of accident proofing in case I spaz out and rm -rf /. Just, when I'm ready to run as root, I don't want to be second guessed.)

Edit: I also know about the sudoers hack. I'm just curious to find out what in Debian is blocking this.

  • why don't you just change the root password to * in the /etc/shadow? – Hartmut Oct 10 '12 at 18:31
  • 4
    Don't do this. Just allow yourself to execute commands as root with no password via sudo. That's not a hack, it's standard sudo usage. Having no root password is never a good idea. – Josh Oct 10 '12 at 19:33
  • 3
    I'm not looking for best practices, just a technical solution. I'm curious, therefore this question. – Christopher Monsanto Oct 10 '12 at 20:02
  • 1
    I just had to say that, in part for all the people finding this question from Google or other places. If you're sure you know what you're doing then OK. Just be absolutely sure you understand the consequences. After doing this, the box is essentially completely unprotected. Never do this on a production machine :-) – Josh Oct 11 '12 at 15:06

2 Answers

15

I totally agree this is a bad thing to do. But it can be done in Debian by doing as you have done, passwd -d root, to clear the password, then editing /etc/pam.d/common-auth. Find the pam_unix.so line and add nullok to the end if it's not there, or change nullok_secure to be just nullok if yours says nullok_secure.

This works on Debian Wheezy (and Squeeze).

tshepang
  • 65,642
didster
  • 819
  • 1
    Let me point out that there is no need to weaken PAM policies. Instead make sure your user is in "sudo" group and run "sudo -i" instead of "su". – oᴉɹǝɥɔ Mar 14 '18 at 19:21
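An audit for the condition the answer above describes, as an added example that is not part of the original answer: it lists accounts whose shadow password field is empty and reports whether the pam_unix.so auth line carries nullok or nullok_secure. The sample file contents are constructed and the function names are hypothetical.

```python
# Added example: constructed inputs, hypothetical function names.
SAMPLE_SHADOW = """\
root::15623:0:99999:7:::
daemon:*:15623:0:99999:7:::
alice:$6$constructed$not-a-real-hash:15623:0:99999:7:::
"""
SAMPLE_PAM = """\
# constructed stand-in for /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
"""

def empty_password_accounts(shadow_text):
    """Accounts whose second shadow field is empty (what passwd -d leaves)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "" means no password at all; "*" or "!" means locked, not empty.
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def pam_unix_null_policy(pam_text):
    """Return 'nullok', 'nullok_secure' or None from the auth pam_unix.so line."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens or tokens[0].lstrip("-") != "auth":
            continue
        for i, tok in enumerate(tokens):
            if tok.rsplit("/", 1)[-1] == "pam_unix.so":
                opts = tokens[i + 1:]
                if "nullok" in opts:
                    return "nullok"
                return "nullok_secure" if "nullok_secure" in opts else None
    return None

def audit(shadow_text, pam_text):
    """Combine both checks into one finding per empty-password account."""
    policy = pam_unix_null_policy(pam_text)
    verdict = {
        "nullok": "empty password accepted by every service using this stack",
        "nullok_secure": "empty password accepted only on /etc/securetty terminals",
        None: "empty password rejected by pam_unix",
    }[policy]
    return [(name, policy, verdict) for name in empty_password_accounts(shadow_text)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_PAM):
        print(finding)
```

To check a real host, pass the contents of /etc/shadow and /etc/pam.d/common-auth to audit(); reading /etc/shadow requires root.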
3

Usually there is a distinction between root login and root permissions.

In the first case you are identified by the system as root, meaning that you have literally no limitations. A login done as root is usually much more dangerous than having a user with root permissions because:

  • the user can't be limited to a group or a set of predefined operations/programs
  • all the security systems are basically useless, system logs included, since a root user can just delete or have access to everything
  • if you can't track or trust your logs you probably can't roll back changes or protect data effectively

Having a user on the rampage is probably never a good idea. Also, not even an admin really needs uncontrolled power to do his own things. For this reason many distributions disable the root user right from /etc/shadow and use sudo, which gives root permissions without having a root user logged in. sudo is also able to distinguish between several users and confine them to a well-defined set of permissions and groups.

There is an interesting discussion here; I also suggest reading something about how the shadow file works.