Actions

Safely Use Root Commands

From Whonix

Rationale[edit]

This wiki entry is intended to make attacks harder by denying root access: [1]

  • Prevent root compromise: these steps help to protect the virtualizer to avoid host compromise, and similarly the hardware to avoid hardware compromise.
  • Protect against compromised non-root users: it is harder for any future, non-root users (such as www-data) to access user user or other parts of the system.
  • Usability: if the advanced advice to Prevent Malware from Sniffing the Root Password is not followed, then users will only require a single, secure root password for the user user account. It is no longer necessary to have two secure passwords for the user user and root accounts. [2]

Default Passwords[edit]

Whonix default admin password is: changeme Whonix default username: user
Whonix default password: changeme

The default root account is locked (or should be locked). [3] This is a purposeful security feature -- see below for further details.

General Security Advice[edit]

Commands that require root permissions should be run individually using sudo. In all cases:

  • Do not login as root.
  • Do not run sudo su.

Graphical Applications with Root Rights[edit]

It is discouraged running GUI (graphical user interface) applications using sudo application.

  • Never login as root as explained above.
  • I.e. never use sudo su and then start GUI applications.

This will fail and is a limitation inherited from Debian. If a user attempts this action, error messages like those below will appear. [4]

No protocol specified
cannot connect to X server :0

As an XFCE user (Non-Qubes-Whonix default) use lxsudo. For example.

Open file /etc/default/keyboard in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could archive the same goal too. If these example tools do not work for you or if you are not using Whonix, please see this link.

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/default/keyboard

If you are using a terminal-only Whonix, run.

sudo nano /etc/default/keyboard

Root Account[edit]

Enable Root Account[edit]

For security reasons the root account is locked and expired by default in newer (upcoming) versions of Whonix ™. For most users there should be no need to use the root account. If it must be enabled for some reason, run the following commands (Qubes-Whonix ™: Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs).

Unexpire the root account.

sudo chage --expiredate -1 root

Set a root password.

sudo passwd

Disable Root Account[edit]

The current Whonix ™ stable release and earlier versions come with the root account by default. Most users should disable it by running the following commands (Qubes-Whonix ™: Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs).

Lock the account.

sudo passwd --lock root

[5]

In the future, use sudo instead when it is necessary.

Unlock User Account: Excessive Wrong Password Entry Attempts[edit]

1. Boot into recovery mode.

2. Run the following command.

sudo pam_tally2 -u user -r --quiet

Advanced Users[edit]

Prevent Malware from Sniffing the Root Password[edit]

Any graphical application can see what is typed in another graphical application, for any user. [6] [7] Therefore it is safer to create a special, new user account that is less likely to have been compromised, since this reduces the chances of malware sniffing the password to gain root access.

To more securely perform administrative tasks that require root access:

  1. These instructions are ideally applied after installing the host / VM when it is still considered free of Malware.
  2. Create a new user account admin.
  3. Add it to the group sudo.
  4. Login as user admin.
  5. Remove user user from group sudo.
  6. Only then perform administrative tasks according to the instructions below.

This setup only needs to be completed once (Qubes-Whonix ™: Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs).

1. Create a new user account admin.

sudo adduser admin

2. Add user admin to group sudo.

sudo addgroup admin sudo

Perform the following steps securely using sudo. Use one of the methods below.

Non-GUI Environment Method[edit]

This method is preferable until the limitation in the next section is documented.

1. Login as user admin from a non-graphical environment (virtual console). [8]

2. Perform any necessary administrative tasks.

3. Remove user user from group sudo.

Note: This only needs to be performed once.

sudo delgroup user sudo

4. Logout user admin and continue usual work as user user.

Logout Method[edit]

1. Login as user admin.

2. Logout user user first, then login as user admin.

Ensure that user user was really logged out and this process was not just simulated. TODO: research and document this procedure.

3. Perform any necessary administrative tasks.

4. Remove user user from group sudo.

Note: This step only needs to be performed once.

sudo delgroup user sudo

5. Logout user admin and continue usual work as user user.

Substitute User (su) Command[edit]

The majority of users do not need to use the su command [9].

To be able to run su from user user, it is necessary to:

(Qubes-Whonix ™: perform these steps in Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.)

  1. Enable the root account.
  2. Add user user to group root.

sudo adduser user root

Root Login[edit]

Root login within a virtual console will be disabled by default after upgrades. [10] [11]

To be able to login from a virtual console, first apply the Enable Root Account instructions above, then complete the steps below.

1. To allow root login, /etc/securetty needs to be configured.

Open file /etc/securetty in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could archive the same goal too. If these example tools do not work for you or if you are not using Whonix, please see this link.

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/securetty

If you are using a terminal-only Whonix, run.

sudo nano /etc/securetty

2. Add the following content.

Note: Some users might only add one tty, or more depending on their circumstances; see file /etc/securetty.security-misc-orig.

tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10

3. Save the file.

Recovery Mode[edit]

Root login is possible using recovery mode. [12]

When the root account is disabled, passwordless root login using recovery mode is possible; see below for the security impact.

Passwordless Recovery Mode Security Discussion[edit]

This is only relevant on the host and not inside virtual machines.

Passwordless recovery mode is allowed because a locked root password would break the rescue and emergency shell. Therefore the security-misc package enables a passwordless rescue and emergency shell. This is the same solution that Debian will likely adapt for Debian installer. [13]

With passwordless root login, using recovery mode is allowed (through use of the security-misc package) on the host. To prevent adverse security effects posed by lesser adversaries with physical access to the machine, set up BIOS password protection, bootloader grub password protection and/or full disk encryption.

Development[edit]

Footnotes[edit]

  1. Also see: Permissions.
  2. On the flip-side, if the Prevent Malware from Sniffing the Root Password steps are followed, two secure passwords are required for the user user and user admin accounts.
  3. In new builds of Whonix version 15.0.0.3.6. Earlier Whonix builds did not lock the root account by default and should be locked.
  4. No longer expiring the root account since this broke adduser, see: https://forums.whonix.org/t/restrict-root-access/7658/59 (To prevent SSH login, see: Linux Locking An Account. This might prevent other login methods but this requires further investigation.)
    sudo chage --expiredate 0 root
  5. Quote Joanna Rutkowska, security researcher, founder and advisor (formerly architecture, security, and development) of Qubes OS:

    One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.

  6. If an application is compromised with an exploit due to a security vulnerability, it can be used as malware by the attacker. Once/if the application is not effectively confined by a mandatory access control (MAC) framework like AppArmor or firejail, it can compromise the user account where it is running and then proceed from there.
  7. A GUI non-root user cannot sniff key strokes of different (non-)root users utilizing a virtual console.
  8. su is sometimes incorrectly referred to as the superuser command. It allows:

    ... a change to a login session's owner (i.e., the user who originally created that session by logging on to the system) without the owner having to first log out of that session. Although su can be used to change the ownership of a session to any user, it is most commonly employed to change the ownership from an ordinary user to the root (i.e., administrative) user, thereby providing access to all parts of and all commands on the computer or system.

    By comparison, sudo makes it possible to execute system commands without the root password.
  9. security-misc /etc/securetty is empty by default.
  10. When trying to login as root in a virtual console it will reply:

    Login incorrect.

    Without previously asking for a password. This is not the worst case for usability and is better than asking for password and then failing.
  11. https://forums.whonix.org/t/restrict-root-access/7658/46

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

We are looking for help in managing our social media accounts. Are you interested?


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.