Debian 6 (squeeze) -- No GDM root login allowed!

[JoLLyRoGer]

Let me start off with this:

The first person who puffs up their chest and gives me a lecture about limited user accounts/security/using sudo/etc... is gonna get Ronald's Pimp Hand as pictured over there in my Avatar! I get it OK? (I don't smoke either, but I like to know I have the option to do so)

-- moving on...

So apparently Debian has tightened up security a bit and no longer allows direct root login which means a lot of sudo-ing and chasing down permissions settings, etc. to get things set up and working how I want them. It's time consuming - I don't want to play that game.

I tried launching a shell, su-ing to root and running gdmsetup with elevated privileges where I "Should" have the option to allow Administrator logins, but alas - no such dice with this distro.

So... that means there must be some config file I can modify to get what I want and what I want in my ability to log in directly as root given back.

Just wondering if anyone else had run up against this one and figured out a work-around yet?. (Or else it's gonna be back to Lenny or Etch).

Nothinman? Anyone?...

Thanks in Advance,
-JR

 

[Nothinman]

Sorry no idea, because I've never looked because you shouldn't even consider logging into X as root...

 

[JoLLyRoGer]

LOL!! *SMACK!* goes the pimp hand!
-Who's Next?..


Just couldn't resist huh?

Seriously though - this is related to my Asterisk thread yesterday. I need to be able to run what I need to run as root while I'm getting it all set up. There are tons of dependency packages to install, source code to compile, MySQL stuff to configure, folder and ownership permissions to manipulate all over the place. init scrips to edit and I need unbridled access to the lower level directories.

It's all just much more convenient and less cleanup to perform later on if I can just go in as root from the beginning, get done what I need to do and get out... I've got enough trouble just getting a pair of E1 cards to register correctly without throwing permissions games into the mix with it.

I work in an IA related field so I full well understand the philosophical underpinnings of why going in as root is "risky". It's a risk I'm willing to accept in this case....

Thanks anyhow.

-JR

 

[Crusty]

Don't use GDM? Just manually start up an X session from a root shell.

 

[Modelworks]

This is the reason I don't use mainstream distributions unless I have too. Too many people decide what you should and should not do with the OS. I seriously suggest learning how to install linux from scratch with gentoo or archlinux or one of the other core installs and tweaking it to your liking.

The root login thing annoys me as much as the "don't put a file server on the same machine that host a firewall, the world will end !" crowd. If it is a mission critical system I can understand the precautions, but no need for all the hype when it is someone on a home network protecting the family vacation photos.

 

[bettlebrox]

sudo su -

Then you are running a shell as root and can issues all the commands with having to use sudo till you exit the shell.

Or try the following, make a backup copy of the file /etc/gdm/custom.conf, then edit the original, and add the following line under the [Security] section (it's probably case sensitive):

AllowRoot=true

See all the options here (if your using GDM 2.14):
http://projects.gnome.org/gdm/docs/2.14/configuration.html

Also, there's very good reason's that you shouldn't run as root, but I'm not going to go into it as you'll probably find all that out by yourself.

 

[you2]

Unlike windows; i never had a need to run as root on unix and been a unix user since 1986. Can't really answer the op question with regards to gdm; but as suggested if you really want to run as root just login and run X directly. Anyways sudo bash also works adequately (for me).

 

[Nothinman]

This is the reason I don't use mainstream distributions unless I have too. Too many people decide what you should and should not do with the OS. I seriously suggest learning how to install linux from scratch with gentoo or archlinux or one of the other core installs and tweaking it to your liking.

The root login thing annoys me as much as the "don't put a file server on the same machine that host a firewall, the world will end !" crowd. If it is a mission critical system I can understand the precautions, but no need for all the hype when it is someone on a home network protecting the family vacation photos.

It has nothing to do with the distribution, if you compiled GDM yourself it would default to the same thing because logging into X as root is stupid. And I wouldn't recommend building their own system from source unless it's purely a learning experience. The extra work required is simply a waste of time. The package maintainers in Debian, Ubuntu, etc dedicate a significant portion of their time to watching development of their packages so they're much more qualified to build, package and setup the defaults than I am these days. One person could probably do a decent job for a handful of packages, but not a whole distribution. And on top of that Gentoo is just a bad option in general, its package manager doesn't even do basic things like check dependencies on removal.

Putting multiple roles on the same box isn't as bad as that, but it's still much safer not to do so, especially if one of those roles is firewall. You could go through the added steps of making sure things like Samba are only bound to the internal NIC, but it's simpler and safer to just not do it.

Unlike windows; i never had a need to run as root on unix and been a unix user since 1986. Can't really answer the op question with regards to gdm; but as suggested if you really want to run as root just login and run X directly. Anyways sudo bash also works adequately (for me).

Exactly. I don't think I've ever run into an issue where su/sudo while logged in as a normal user wasn't sufficient.

 

[Modelworks]

It has nothing to do with the distribution, if you compiled GDM yourself it would default to the same thing because logging into X as root is stupid.

What is stupid about it ? I have used computers for over 20 years without the OS holding my hand making sure I don't do something wrong. If someone can't handle understanding what they are doing then maybe they shouldn't use root access, but those of us that do will continue to use root whenever and wherever.

If I compile anything myself it does what I want it to do because I set it that way before compiling in the source.

And I wouldn't recommend building their own system from source unless it's purely a learning experience. The extra work required is simply a waste of time. The package maintainers in Debian, Ubuntu, etc dedicate a significant portion of their time to watching development of their packages so they're much more qualified to build, package and setup the defaults than I am these days. One person could probably do a decent job for a handful of packages, but not a whole distribution.

Not a waste at all. The point of building your own is to get away from distributions, not to just download the source of a distribution and build it yourself when the compiled version is the same thing. And yes people do build complete linux setups all by themselves. The problem with distributions is people using them have no idea what is going on underneath. They want to just click and let the OS do everything and when it breaks scream at the distribution developers.

And on top of that Gentoo is just a bad option in general, its package manager doesn't even do basic things like check dependencies on removal.

It isn't supposed to do everything for you, that is the whole point. If I install gentoo core I know what dependencies I need for anything I add. That is one of the problems with linux now. People are shoving so much crap into it that nobody can tell what is required without something to keep up with all the bloat. It is becoming worse than windows at software installs

Putting multiple roles on the same box isn't as bad as that, but it's still much safer not to do so, especially if one of those roles is firewall. You could go through the added steps of making sure things like Samba are only bound to the internal NIC, but it's simpler and safer to just not do it.

It is done thousands of times every day when someone uses a router. The software is linux and the only difference is that the person who set up the software was careful to make sure he had all the bases covered. Yet when someone wants to do the same thing with a pc install people get vocal.

 

[Nothinman]

What is stupid about it ? I have used computers for over 20 years without the OS holding my hand making sure I don't do something wrong. If someone can't handle understanding what they are doing then maybe they shouldn't use root access, but those of us that do will continue to use root whenever and wherever.

If I compile anything myself it does what I want it to do because I set it that way before compiling in the source.

And after 20 years you should understand the intelligence behind running anything with the least amount of privileges necessary. Even if you blindly trust everything you run, I sure don't, accidents happen. People make mistakes, typos, click the wrong menu entry, etc and limiting the fallout from those mistakes is a good idea. And then there's just huge monstrous pieces of code that have a history of problems, like every web browser in existence. Running them as root is just asking for trouble.

Keeping a terminal open with a root shell and/or shortcuts that call gksu are more than convenient enough for almost all cases where you might need root.

Not a waste at all. The point of building your own is to get away from distributions, not to just download the source of a distribution and build it yourself when the compiled version is the same thing. And yes people do build complete linux setups all by themselves. The problem with distributions is people using them have no idea what is going on underneath. They want to just click and let the OS do everything and when it breaks scream at the distribution developers.

Getting away from distributions mostly means you're ignoring the thousands of man hours of work that others have done for no good reason. Most of the time the compiled version isn't exactly the same thing. Package maintainers put a lot of work into integrating packages into their distribution. I believe Debian was the first distribution with a coherent, well supported universal menu system in their distribution.

I know some people go out of their way to build their own software for various reasons, but most of them amount to NIH syndrome and just waste their own time. I don't see what benefit I could have from compiling ls myself or letting the Debian autobuilders handle it and have me get notified when there's an update. Do you comb every package's website every few days to see if they've put up a new release too?

It isn't supposed to do everything for you, that is the whole point. If I install gentoo core I know what dependencies I need for anything I add. That is one of the problems with linux now. People are shoving so much crap into it that nobody can tell what is required without something to keep up with all the bloat. It is becoming worse than windows at software installs

It is supposed to do as much as possible for me. I'm lazy and I want to actually use my computer, not spend the whole day maintaining it and building updated packages for myself. Just because I can do it, doesn't mean I should have to.

As for Gentoo, the fact that you can remove a package and break your entire system without so much as a warning is a huge gaping hole and immediately removes the distribution from my consideration.

It is done thousands of times every day when someone uses a router. The software is linux and the only difference is that the person who set up the software was careful to make sure he had all the bases covered. Yet when someone wants to do the same thing with a pc install people get vocal.

People get vocal because chances are that person won't be careful and will likely open himself up to being exploited. Security is hard, doing it right isn't something most people are willing to do.

 

[agsware]

Hi, JoLLyRoGer
the new gdm3 do not allow you to login as root
than you have to remove the gdm3 and switch to gdm
in the root terminal doing
apt-get remove gdm3
at the box prompt you have to select gdm as manager for X
reboot
now login as normal user than go to
Administration>accessibility>security (I mean is this, i running in other language) then allow root access (as the old method)
... all done.
Bye.

 

[rasczak]

why would you logon as root?

open a term, sudo to root and leave it at that until logoff. simple enough.

 

[netlaw]

To JoLLyRoGer:
The answer to your question was given in german forum http://debianforum.de/forum/viewtopic.php?f=2&t=121199#p772330. What worked for me was editing /etc/pam.d/gdm3 and throwing out (commenting) the line with ... user != root ... Then you can login as root.

To all others:
A simple question deserves a simple answer (if you know one).

 

[Nothinman]

To JoLLyRoGer:
The answer to your question was given in german forum http://debianforum.de/forum/viewtopic.php?f=2&t=121199#p772330. What worked for me was editing /etc/pam.d/gdm3 and throwing out (commenting) the line with ... user != root ... Then you can login as root.

To all others:
A simple question deserves a simple answer (if you know one).

Yes and the simple answer is "don't do that".

 

[ArisVer]

I seriously suggest learning how to install linux from scratch with gentoo or archlinux or one of the other core installs and tweaking it to your liking.

I installed the base system in Debian once and then manually installed the desktop and some applications. It can be done, it is time consuming, and you have to know which packages to install which is confusing if you are a beginner. The normal install for a home user is much easier.

 

[Nothinman]

I installed the base system in Debian once and then manually installed the desktop and some applications. It can be done, it is time consuming, and you have to know which packages to install which is confusing if you are a beginner. The normal install for a home user is much easier.

Debian has desktop tasks that handle most of the work for you, if you want Gnome you can just select the Desktop Environment box and it'll grab that. If you want something else you'll have to install that metapackage like kde-standard.

 

[ArisVer]

open a term, sudo to root and leave it at that until logoff. simple enough.

As a beginner it was the best choice that i found. Does it have any security concerns doing that?

 

[Nothinman]

As a beginner it was the best choice that i found. Does it have any security concerns doing that?

Mostly just typos by you and anyone walking by having a root shell on the machine if you don't lock it.

 

[PurpleRabbit]

Hi, I have the same problems but I am not advanced enough, and reading the above posts I have been left wondering :

1: I want to move one downloaded file (Alsa driver) to /usr/src to unzip and install. Even logged in as root in the terminal it wont let me, and dragging and dropping is a no no.
I am in the process of `Googling` to find the answer ( thats how I found this page) but any replies would be appreciated.

2: In Vista when you are logged in as a normal user and you want to do something like amend the Wifi settings, Vista security prompts you that you need Admin access. It then throws up a access screen for you to type in the Admin password..... Instead of Linux saying "you do not have permission" (or words to that effect) and just leaving you their, wouldnt it be a good idea to have a similar prompt from Linux? I wonder if it is possible to write a script to do this? or does it have to be a kernel thing?

Also Jollyroger are you the famous (or infamous) author of the legendary "Cookbook"

 

[Nothinman]

1. That makes no sense, if you're really root then you can do whatever you want.

2. It does, it's called gksu and should just happen as long as the distribution you're using includes it by default.

 

[PurpleRabbit]

I have been trying in vain to sort out my permissions, when I first installed Debian 6 Squeeze I noticed that there was no "root" account in the login page, so I created one using the manage users option (BLUSH). I created an account called root with a name called roo. (DOUBLE BLUSH) For some tasks this conflicted with the real root account (Accessing my second drives & moving and installing programs). I have deleted this account now.

I do not intend to follow the above advice about setting up a "root" account, but for infos sake please could you tell me the following, in manage users you can set the user account administrator, I have done this for my main account, (the one where I browse, try to program, script & learn about Debian and Linux, do letters etc) is this a security risk or should I only browse the web using an account set to "desktop user".

 

[Nothinman]

I have been trying in vain to sort out my permissions, when I first installed Debian 6 Squeeze I noticed that there was no "root" account in the login page, so I created one using the manage users option (BLUSH). I created an account called root with a name called roo. (DOUBLE BLUSH) For some tasks this conflicted with the real root account (Accessing my second drives & moving and installing programs). I have deleted this account now.

I do not intend to follow the above advice about setting up a "root" account, but for infos sake please could you tell me the following, in manage users you can set the user account administrator, I have done this for my main account, (the one where I browse, try to program, script & learn about Debian and Linux, do letters etc) is this a security risk or should I only browse the web using an account set to "desktop user".

There is always a root account, it just might not have a password. I always run the installer in expert mode so I can't remember if it lets you set a password for root in the standard installer mode by default or not, but even if not all you need to do is run 'sudo -s' as your user and then 'passwd root' to set one after the base system is installed.

You should do the absolute minimum in Linux as root, there is virtually no reason to log into X, browse the web or anything else as root. Updating packages, changing system-wide configurations, etc require root but that's about it. Programming and scripting should absolutely not be done as root unless you're writing a tool that requires root to run and even then just testing/running the program should be done as root, writing/developing and compiling should all be done as a standard user. This isn't Windows and you shouldn't be treating it as such.

But if your account is an admin account in that it's allowed to run programs via sudo, that's fine. Because anytime something wants root access it'll ask for your password.

 

[PurpleRabbit]

Thank you for the information, I can now understand, and that logging in as the root user in the log in screen is asking for trouble, I think that the way Debian has set this up is very clever. Credit to you and all the developers.