  1. #1
    Just Joined!
    Join Date
    Feb 2007
    Posts
    21

    Can I use same password for the root account and the regular account?

    I first started using Ubuntu and I liked the sudo facility because I didn't need to remember two passwords, so when I installed Debian I wrote the same password for the limited and the root account. Is this very bad for security? I mean can a program started from my regular account immediately become root or something?

  2. #2
    Banned
    Join Date
    Jun 2009
    Posts
    68
    You would still have to enter your root password using sudo ... They are separate accounts/separate account passwords.

  3. #3
    Just Joined!
    Join Date
    Feb 2007
    Posts
    21
    I don't use sudo, because I'm not in the sudoers file. But when I use su, I just type the same password. Is this worse security than what I get in Ubuntu?

  4. #4
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    You can set up sudo on Debian. I think if it isn't installed already, you can just install it with
    Code:
    apt-get install sudo
    , then if you edit the sudoers file, you could add the line like
    Code:
    <username>    ALL=(ALL) ALL
    where you replace <username> with your username. After sudo works for your user, you could just set the root password to something random, and use sudo only. You could always reset the root password with
    Code:
    sudo passwd root
    as long as you don't forget YOUR password, you would be fine.

  5. #5
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    Quote Originally Posted by nopycckn View Post
    You would still have to enter your root password using sudo ... They are separate accounts/separate account passwords.
    It is possible to set up sudo so that it requires the root password, but the default behaviour is to require the user's password. Last time I used openSUSE it preferred the root password, but the downside to that is you have to distribute the root password to all of your admins, making it impossible to track who did what, and it also leaves you without control of the root account.

    The default of requiring the user's password is much better, as users need to be in the sudoers file or at least a member of a group set up for this purpose. I like the Ubuntu approach of locking the root account, similar to coopstah's suggestion. You can use this command to lock root
    Code:
    sudo passwd -l root
    Note that's a lowercase L rather than a one (1).
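
Added example, not part of the thread or any poster's code: a pre-flight check for the lock-root approach described above, reading `/etc/shadow`-style and sudoers-style text to confirm that at least one non-root user with a usable password still has the `ALL=(ALL) ALL` rule before root is locked. The sample data is constructed, and the sudoers matching is a simplifying assumption that ignores group rules, aliases and included files.

```python
import re

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$SALT$PLACEHOLDERHASH:14400:0:99999:7:::
alice:$6$SALT$PLACEHOLDERHASH:14400:0:99999:7:::
bob:!$6$SALT$PLACEHOLDERHASH:14400:0:99999:7:::
daemon:*:14400:0:99999:7:::
"""
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(ALL:ALL) ALL
"""

# Assumption: only plain "<user> ALL=(ALL) ALL" lines are recognised.
FULL_RULE = re.compile(r"^([A-Za-z_][\w-]*)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+ALL$")


def password_states(shadow_text):
    """Classify each account's shadow password field."""
    states = {}
    for line in shadow_text.splitlines():
        if ":" not in line:
            continue
        name, field = line.split(":")[:2]
        if field.startswith(("!", "*")):
            states[name] = "locked"  # passwd -l prepends '!'; '*' matches no password
        elif field == "":
            states[name] = "empty"   # no password set at all
        else:
            states[name] = "set"
    return states


def full_sudo_users(sudoers_text):
    """Users with an unrestricted rule, per the simplified pattern above."""
    matches = (FULL_RULE.match(line.strip()) for line in sudoers_text.splitlines())
    return {m.group(1) for m in matches if m}


def safe_to_lock_root(shadow_text, sudoers_text):
    """True if some non-root user with a usable password keeps full sudo."""
    states = password_states(shadow_text)
    admins = sorted(u for u in full_sudo_users(sudoers_text)
                    if u != "root" and states.get(u) == "set")
    return bool(admins), admins
```

A locked password field only disables password authentication for that account; other login methods such as SSH keys are unaffected.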

  6. #6
    Just Joined!
    Join Date
    Feb 2007
    Posts
    21
    I think I should clarify my question, since most of the replies tell me how to set up sudo on Debian: I'm not asking how to use sudo, even on Ubuntu I typed "sudo bash" anyway, and it's for a desktop computer which only I will use.

    My question is - is this a bad practice? I'm wondering if it enables privilege escalation (any more than sudo in Ubuntu does)? If it's not I'll keep it that way.

    Thanks.

  7. #7
    Banned
    Join Date
    Jun 2009
    Posts
    68
    I'm sure what you're specifically talking about:
    su -
    they would just be the same password for different accounts. So it wouldn't make any difference, other than them being the same. You would still be using the root password when you need to be root - so you're still going through the same procedure ... I'm very sure it wouldn't add any privileges to your normal account.
    There's obvious agreement that it's not the best or safest way to do things, though.

  8. #8
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    665
    It is a reduction in security to only have 1 password, but I don't believe it reduces it by any more than using a regular account who has full sudo access (not restricted to specific commands), since you are just on your personal desktop.

    I still would not suggest you do it. The number one reason why I hate Ubuntu and any other distro that locks the root account and uses sudo is because it is insecure. You have to crack 1 password, instead of 2, for root access.

    Sudo was created for server use, where many people will have different roles requiring root permissions, so you can separate given powers, and log all commands run. For a desktop, it is completely useless, and an unnecessary security risk IMO.

    I'm sure someone will argue with me of how you can change sudo to do this or that, but why would I spend time configuring sudo to do the exact same thing as `su - -c "command"`
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4

  9. #9
    Banned
    Join Date
    Jun 2009
    Posts
    68
    I've thought the same thing about 1 password vs. 2 using Ubuntu. I know sudo is preferred, but having only 1 password ... I don't understand. Why would having 2 passwords and using sudo not be better?

  10. #10
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    Because, as I mentioned, sudo logs any commands you run with it. It seems like going out of your way to have the benefits of sudo without actually using it.

    I'd also recommend if you are using sudo to stick to using it for commands that need it rather than running bash as root. It's good practice to be aware of the commands that need root access and consciously grant it each time. Take the following as an example
    Code:
    sudo bash
    ls
    DTE=$(date +%Y%m%d)
    mkdir amarok.$DTE
    cd amarok.$DTE
    git svn init svn://anonsvn.kde.org/home/kde/trunk/extragear/multimedia/amarok amarok
    cd ./amarok
    git svn fetch -rREVISION
    ./configure
    make
    make install
    ./amarok
    The above commands will download the development build of Amarok, compile it, install it so that all system users can use it and then execute it. This operation is for the benefit of the whole system, but of all of those commands only make install needs to be root. Aside from being a good exercise and general good practice, it also avoids accidents with the rm command. I find that most operations only require one or two instances of actual root permission, so it's good to be aware of this. Remember, you don't usually need root privilege to change directory!
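
Added example, not part of the thread or any poster's code: an audit of sudo's syslog entries showing what the logging discussed above records per user, and why a root shell started with `sudo bash` leaves a gap, since only the shell launch is logged and not the commands typed inside it. The log lines, host name and user names are constructed samples in sudo's standard syslog format.

```python
import re
from collections import defaultdict

# Constructed sample of sudo entries as they appear in auth.log.
SAMPLE_LOG = """\
Jun 10 09:14:02 desk sudo:    alice : TTY=pts/0 ; PWD=/home/alice/amarok ; USER=root ; COMMAND=/usr/bin/make install
Jun 10 09:20:41 desk sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun 10 09:31:10 desk sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd -l root
Jun 10 09:32:55 desk sudo:      bob : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install sudo
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<fields>.*?COMMAND=(?P<cmd>.+))$")

# Interactive programs: sudo logs that they started, not what was typed in them.
SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}


def audit(log_text):
    """Return (commands per user, root shells opened, failed attempts)."""
    commands = defaultdict(list)
    root_shells = []
    failures = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        user, cmd = m["user"], m["cmd"].strip()
        if "incorrect password attempt" in m["fields"]:
            failures.append((user, cmd))  # command was requested but not run
            continue
        commands[user].append(cmd)
        if cmd.split()[0] in SHELLS:
            root_shells.append((user, cmd))  # audit trail ends at this entry
    return dict(commands), root_shells, failures


if __name__ == "__main__":
    cmds, shells, fails = audit(SAMPLE_LOG)
    for user, run in cmds.items():
        print(user, "ran as root:", run)
    print("unlogged root shells:", shells)
    print("failed sudo attempts:", fails)
```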
