linuxmint / mint19.3-beta

BETA Bug Squash Rush

System Reports: Set the root password is never resolved #19

Closed Harry-W-Haines-III closed 4 years ago

Harry-W-Haines-III commented 4 years ago

Issue is solid repeatable. Mint Cinnamon 4.4.3, mintreport 1.1.2. Even though the root password is set, the System Reporter indicates it has not been set.

harry@radio-desk:~$ su
Password:
root@radio-desk:/home/harry# id
uid=0(root) gid=0(root) groups=0(root)
root@radio-desk:/home/harry#

Checked this on two different computers, same issue. Another person mentioned this in the Mint Blogs: https://blog.linuxmint.com/?p=3820#comment-152209

Just a thought on this: grep root /etc/passwd

clefebvre commented 4 years ago

It can't check without admin superpowers.. and it doesn't have them.

Harry-W-Haines-III commented 4 years ago

grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

I thought if root:x showed up, then it was set. That is a way I had heard to do it without admin superpowers.

On Fri, Dec 6, 2019 at 9:06 AM Clement Lefebvre notifications@github.com wrote:

It can't check without admin superpowers.. and it doesn't have them.


smurphos commented 4 years ago

@clefebvre I was thinking about this....

Could you set a root cronjob to run at user login to run something like

getent shadow root | grep "root:!"

and create a file with conditional content based on the output that mintreport can check to decide whether to display the warning or not.

Edit to add - this seems to work reliably to write the root password status to a file in /tmp/ at startup...

set to run via sudo crontab -e

@reboot /usr/local/bin/check_root_password.sh

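#!/bin/sh
# A leading "!" in root's shadow password field means the password is locked (not set).
PASSWORD=$(getent shadow root | grep "root:!")
if [ -z "$PASSWORD" ]; then
  # No "root:!" match: a password is set.
  echo "true" > /tmp/root_password_set
else
  echo "false" > /tmp/root_password_set
fi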

Alternatively

#!/bin/sh
# "passwd -S" prints status "P" when the account has a usable password.
PASSWORD=$(passwd -S root | grep -w "P")
if [ -z "$PASSWORD" ]; then
  echo "false" > /tmp/root_password_set
else
  echo "true" > /tmp/root_password_set
fi
fi
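
An added example, not part of the comment above and not mintreport code: a variant of the same root-run check that also treats a `*` or empty shadow field distinctly and writes its result under /run, which only root can write, rather than to a fixed name in world-writable /tmp. The path `/run/root_password_status`, the function names and the `--write` switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not mintreport code). Run as root from the @reboot job with --write.

# Hypothetical status path. /run is writable only by root, so an unprivileged
# user cannot pre-create or swap the file the way they could under /tmp.
STATUS_FILE=${STATUS_FILE:-/run/root_password_status}

# Classify the password field (2nd colon-separated field) of one shadow(5) line.
# Prints one of: locked | empty | set
shadow_field_status() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;   # no password needed at all
        '!'*|'*'*) echo locked ;;  # not a valid hash: password login disabled
        *)         echo set ;;     # a crypt(3) hash is present
    esac
}

# Write $1 to file $2 via a temp file in the same directory plus rename,
# so a reader never sees a half-written file.
write_status_file() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$2"
}

case "${1:-demo}" in
    --write)
        line=$(getent shadow root) || exit 1
        write_status_file "$(shadow_field_status "$line")" "$STATUS_FILE"
        ;;
    demo)
        # Constructed sample lines, not real hashes.
        for l in 'root:!:18236:0:99999:7:::' \
                 'root:*:18236:0:99999:7:::' \
                 'root::18236:0:99999:7:::' \
                 'root:$6$SALT$CONSTRUCTEDHASH:18236:0:99999:7:::'; do
            printf '%-8s %s\n' "$(shadow_field_status "$l")" "$l"
        done
        ;;
esac
```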

gm10 commented 4 years ago

@clefebvre Why do you want people to set root passwords, anyway? It just makes the inevitable "forgot my password" threads more complicated plus creates a false sense of security. You don't even need to boot another operating system to bypass it, as mintreport claims, you just need to edit your GRUB command line to boot to a (passwordless) root shell.

IMHO this mintreport "feature" should be junked ASAP, it's a lose-lose feature, no advantage at all.

Harry-W-Haines-III commented 4 years ago

My apologies on this one. Did not mean to cause such a stir. I run a post install script on Mint that asks at the very end to set the root password and set up a printer. I couldn't understand at first why it kept saying the root password wasn't set and kept following the directions listed to do it. So I thought it was a legitimate bug. Perhaps it could have been worded as a reminder and if it's already been done, just to dismiss it.

smurphos commented 4 years ago

No need to apologise Harry - I think your bug report is perfectly merited. If the warning shows up whether or not a root password is set it's guaranteed to cause a lot of users confusion.

gm10 commented 4 years ago

I entirely agree.

clefebvre commented 4 years ago

I just want to inform people. I don't need them to set a root password, that's up to them.

Look, whether there's a password or not, anyone in front of the computer can get in anyway. That doesn't mean it's not important for people to think about this though.. the way it is right now, anyone can get in, without any knowledge of Linux, just using what's there in the boot menu.

That's typical security for you anyway... it's NEVER completely secure, it's just as secure as the time you spend securing it vs the time someone will spend trying to get in. Set a password and it makes it just a tad harder for noobs to get in. It's worth something right?

I don't know... look at people's reaction when they read that and realize what it means. Most people do want to put a password, that means the info is relevant to them. Ideally we'd have a complete security guide.. but that's a nice read anyway.

As for people forgetting their password... well, they can still get in anyway.. it's just a little harder that's all.

It really boils down to who's in their office around them.. and how likely are they to forget their own password.. we did set that password for them for years btw, and they had no clue about it, so that's definitely better than it used to be.

clefebvre commented 4 years ago

I almost forgot, the "ignore" button was replaced with an "I agree" button, to convey the fact that we're just interested in informing the user here and that no action is actually required.

gm10 commented 4 years ago

Sure, the way you worded it and nag them with the icon, of course they will want to add one, without really understanding that it changes nothing. That was my point really. In reality you just need to have GRUB init a shell instead and you're in, anyway - even without the complication of having to remount rw as you do with a recovery shell. Or boot from a USB, which is the more likely scenario for "noobs" trying to get in, because let's be serious, they're not going to know what to do on a shell either way.

And if you're in an office where you need to defend against colleagues rebooting your computer to hack into it then you've got much bigger problems at hand. You did mention encryption.

Anyway, I said my piece that I think you're trying to fix a non-existent problem, let's leave it at that.

Regarding your implementation and that "I agree" button, you could also just add it to the welcome screen to avoid the confusion the notification is going to cause even with the button, but I guess it is too late in the game for that.

Merry Xmas. ;)