From: Malcolm Lee on
On Mon, 21 Jun 2010 20:31:59 +0000, Martin Gregorie wrote:

> On Mon, 21 Jun 2010 09:56:56 +0100, Malcolm Lee wrote:
>
>> On Sun, 20 Jun 2010 11:24:48 +0000, Martin Gregorie wrote:
>>>
>>> [snip]
>>>
>>> While I'm on the subject, does anybody know if it's possible to revert
>>> to the traditional text box entry for the user name rather than using
>>> the dumb pick-list? Apart from anything else, the pick list reduces
>>> security by telling a miscreant what the user names are: IOW instead
>>> of having to guess both username and login, the cracker only needs to
>>> guess the password.
>>
>> I don't use Fedora but I do use GDM so the following should work:
>>
>> Root login
>> ----------
>>
>> In /etc/gdm/custom.conf (or wherever Fedora puts it)
>>
>> Under [security]
>>
>> add or edit
>>
>> AllowRoot=true
>>
>>
>> Pick List
>> ---------
>>
>> Execute the following (all one line)
>>
>> sudo -u gdm gconftool-2 --set --type boolean
>> /apps/gdm/simple-greeter/disable_user_list true
>>
>>
> On Fedora this command:
>
> gconftool-2 --set /apps/gdm-simple-greeter/disable_user_list --type bool
> true
>
> set the value as I wanted when run as root:
>
> # gconftool-2 -a /apps/gdm-simple-greeter
> disable_start_buttons = true
>
> However, I can't figure out how to get this value noticed. Logging out
> did no good and nor did:
>
> gconftool --shutdown / gconftool-2 --spawn
>
> or a complete system restart - the same old screen with its login names
> menu appears. Obviously I'm still missing something.

The -u gdm is important.

You need to alter the greeter value for the user that gdm runs as (on
my system that's gdm!) rather than root (unless obviously gdm is running
as root). If you get the gdm login screen up and then log in to a console
and do:

ps auxw | grep greeter

You should see which user it is. Assuming it's gdm, then redo your
gconftool command with -u gdm.

You can also look at the config file directly -

Look at /etc/passwd for gdm. On my system it's

gdm:x:120:501:Gnome Display Manager:/var/lib/gdm:/sbin/nologin

So gdm's "home" directory is /var/lib/gdm. If you do

cat /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml

(adjusting for Fedora if need be) then I get

----------------------------------------------------------------------------
<?xml version="1.0"?>
<gconf>
<entry name="disable_user_list" mtime="1276951731" type="bool"
value="true"/>
<entry name="recent-layouts" mtime="1276951283" type="list"
ltype="string">
<li type="string">
<stringvalue>gb</stringvalue>
</li>
</entry>
<entry name="recent-languages" mtime="1276951283" type="list"
ltype="string">
<li type="string">
<stringvalue>en_GB.utf8</stringvalue>
</li>
</entry>
</gconf>
----------------------------------------------------------------------------


Malcolm
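
The check described in the post above, written as a script (an added example, not part of the original post): it resolves the account's home directory from a passwd-format file and reads a boolean entry from the matching `%gconf.xml`, trying both key spellings that appear in this thread. The function names, the `ROOT` prefix and the sample files are constructed for illustration, and it assumes the per-directory GConf XML layout shown in the post.

```shell
#!/bin/sh
# Added example: read a boolean GConf key from an account's on-disk XML tree.

# home_of USER PASSWD_FILE -> prints USER's home directory (field 6)
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                       END { exit !found }' "$2"
}

# gconf_bool HOME KEY -> prints the stored value, or "unset" if nothing is stored
gconf_bool() {
    gb_file="$1/.gconf${2%/*}/%gconf.xml"      # directory part of KEY
    gb_name="${2##*/}"                         # last component is the entry name
    [ -r "$gb_file" ] || { echo unset; return 1; }
    # Attributes can wrap across lines, so flatten and split on "<" first.
    gb_val=$(tr '\n' ' ' < "$gb_file" | tr '<' '\n' |
        sed -n "/^entry .*name=\"$gb_name\"/s/.*[[:space:]]value=\"\([^\"]*\)\".*/\1/p" |
        head -n 1)
    [ -n "$gb_val" ] || { echo unset; return 1; }
    echo "$gb_val"
}

# --- constructed sample tree, laid out like the files quoted in the post ---
ROOT=$(mktemp -d)                              # use ROOT="" on a live system
mkdir -p "$ROOT/etc" "$ROOT/var/lib/gdm/.gconf/apps/gdm/simple-greeter"
echo 'gdm:x:120:501:Gnome Display Manager:/var/lib/gdm:/sbin/nologin' \
    > "$ROOT/etc/passwd"
cat > "$ROOT/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml" <<'EOF'
<?xml version="1.0"?>
<gconf>
<entry name="disable_user_list" mtime="1276951731" type="bool"
value="true"/>
</gconf>
EOF

# Check both key spellings that appear in the thread against the gdm account.
GDM_HOME=$(home_of gdm "$ROOT/etc/passwd")
for key in /apps/gdm/simple-greeter/disable_user_list \
           /apps/gdm-simple-greeter/disable_user_list; do
    printf '%s = %s\n' "$key" "$(gconf_bool "$ROOT$GDM_HOME" "$key")"
done
```

A key that reports `unset` here has no entry in that account's tree, whatever another account's `gconftool-2 -a` shows.
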
From: Chris Davies on
On 20/06/10 12:24, Martin Gregorie wrote:
> Does anybody know how to make the current Fedora graphical login
> screen accept a root login?

> While I'm on the subject, does anybody know if it's possible to revert
> to the traditional text box entry for the user name rather than using
> the dumb pick-list?

> [It's a] Gnome login screen.

On Debian the files are /usr/share/gdm/defaults.conf (installation
defaults) and /etc/gdm/gdm.conf (per-system overrides). Even if Fedora
is different this will hopefully give you some pointers to the sort of
filenames for which you should be searching. The files are split into
sections, each starting with a [square bracketed] title (like the infamous
WIN.INI file of old). If you have both files, only customise gdm.conf. The
necessary adaptations are as follows:

[security]
AllowRoot=true

[greeter]
Browser=false

Chris
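
The layering described in the post above, as a script (an added example, not part of the original post): it reports the effective value of a setting when a per-system file overrides the installation defaults, which is what decides whether root login and the user browser are actually enabled. The function names and the sample file contents are constructed; "last file listed wins" is an assumption taken from the post's description of the two files.

```shell
#!/bin/sh
# Added example: effective GDM setting when an override file shadows defaults.

# gdm_setting SECTION KEY FILE... -> prints the value from the last FILE setting it
gdm_setting() {
    gs_sec=$1; gs_key=$2; shift 2
    awk -v sec="[$gs_sec]" -v key="$gs_key" '
        FNR == 1    { cur = "" }                 # sections do not span files
        /^[ \t]*#/  { next }                     # comment line
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { if (!seen) exit 1; print val }' "$@"
}

# audit_gdm DEFAULTS OVERRIDES -> one line with the two settings from the post
audit_gdm() {
    au_allow=$(gdm_setting security AllowRoot "$1" "$2") || au_allow=unset
    au_browser=$(gdm_setting greeter Browser "$1" "$2") || au_browser=unset
    echo "AllowRoot=$au_allow Browser=$au_browser"
}

# --- constructed sample files, named like the Debian files in the post ---
CONF=$(mktemp -d)
cat > "$CONF/defaults.conf" <<'EOF'
[security]
AllowRoot=false
[greeter]
Browser=true
EOF
cat > "$CONF/gdm.conf" <<'EOF'
# local overrides only
[greeter]
Browser = false
EOF

audit_gdm "$CONF/defaults.conf" "$CONF/gdm.conf"
```
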
From: Tom Anderson on
On Mon, 21 Jun 2010, Martin Gregorie wrote:

> On Mon, 21 Jun 2010 16:08:14 +0100, chris wrote:
>
>> I don't see how that would help. Once a cracker is sat in front of your
>> machine, the lack of a pick-list is not going to hinder them one bit.
>
> Guessing two items is always harder than one, the more so if the user
> name isn't something obvious like the owner's first name and the
> password has at least alphanumerics and camel case with the latter not
> corresponding to normal usage.

If they're in front of your computer, all they have to guess is where
the screws are.

tom

--
The term Nihilartikel for a fictitious entry originated at the German
Wikipedia but was later identified as a hoax. -- Wikipedia
From: Martin Gregorie on
On Mon, 21 Jun 2010 22:38:51 +0100, Malcolm Lee wrote:

> On Mon, 21 Jun 2010 20:31:59 +0000, Martin Gregorie wrote:
>
>> On Mon, 21 Jun 2010 09:56:56 +0100, Malcolm Lee wrote:
>>
>>> On Sun, 20 Jun 2010 11:24:48 +0000, Martin Gregorie wrote:
>>>>
>>>> [snip]
>>>>
>>>> While I'm on the subject, does anybody know if it's possible to revert
>>>> to the traditional text box entry for the user name rather than using
>>>> the dumb pick-list? Apart from anything else, the pick list reduces
>>>> security by telling a miscreant what the user names are: IOW instead
>>>> of having to guess both username and login, the cracker only needs to
>>>> guess the password.
>>>
>>> I don't use Fedora but I do use GDM so the following should work:
>>>
>>> Root login
>>> ----------
>>>
>>> In /etc/gdm/custom.conf (or wherever Fedora puts it)
>>>
>>> Under [security]
>>>
>>> add or edit
>>>
>>> AllowRoot=true
>>>
>>>
>>> Pick List
>>> ---------
>>>
>>> Execute the following (all one line)
>>>
>>> sudo -u gdm gconftool-2 --set --type boolean
>>> /apps/gdm/simple-greeter/disable_user_list true
>>>
>>>
>> On Fedora this command:
>>
>> gconftool-2 --set /apps/gdm-simple-greeter/disable_user_list --type
>> bool true
>>
>> set the value as I wanted when run as root:
>>
>> # gconftool-2 -a /apps/gdm-simple-greeter
>> disable_start_buttons = true
>>
>> However, I can't figure out how to get this value noticed. Logging out
>> did no good and nor did:
>>
>> gconftool --shutdown / gconftool-2 --spawn
>>
>> or a complete system restart - the same old screen with its login names
>> menu appears. Obviously I'm still missing something.
>
> The -u gdm is important.
>
> You need to alter the greeter value for the user that gdm runs as (on
> my system that's gdm!) rather than root (unless obviously gdm is running
> as root). If you get the gdm login screen up and then log in to a
> console and do:
>
> ps auxw | grep greeter
>
> You should see which user it is. Assuming it's gdm, then redo your
> gconftool command with -u gdm.
>
> You can also look at the config file directly -
>
> Look at /etc/passwd for gdm. On my system it's
>
> gdm:x:120:501:Gnome Display Manager:/var/lib/gdm:/sbin/nologin
>
> So gdm's "home" directory is /var/lib/gdm. If you do
>
> cat /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml
>
> (adjusting for Fedora if need be) then I get
>
> ----------------------------------------------------------------------------
> <?xml version="1.0"?>
> <gconf>
> <entry name="disable_user_list" mtime="1276951731" type="bool"
> value="true"/>
> <entry name="recent-layouts" mtime="1276951283" type="list"
> ltype="string">
> <li type="string">
> <stringvalue>gb</stringvalue>
> </li>
> </entry>
> <entry name="recent-languages" mtime="1276951283" type="list"
> ltype="string">
> <li type="string">
> <stringvalue>en_GB.utf8</stringvalue>
> </li>
> </entry>
> </gconf>
> ----------------------------------------------------------------------------
>
>
Something is going on that I'll need to figure out tomorrow:

Running the update under gdm apparently worked (and -a under gdm shows
the value) but it's not in that file and -a doesn't show the
recent-layouts and recent-languages values that are in the file.

Thanks.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |
From: Martin Gregorie on
On Tue, 22 Jun 2010 00:08:50 +0100, Tom Anderson wrote:

> On Mon, 21 Jun 2010, Martin Gregorie wrote:
>
>> On Mon, 21 Jun 2010 16:08:14 +0100, chris wrote:
>>
>>> I don't see how that would help. Once a cracker is sat in front of
>>> your machine, the lack of a pick-list is not going to hinder them one
>>> bit.
>>
>> Guessing two items is always harder than one, the more so if the user
>> name isn't something obvious like the owner's first name and the
>> password has at least alphanumerics and camel case with the latter not
>> corresponding to normal usage.
>
> If they're in front of your computer, all they have to guess is where
> the screws are.
>
As I said elsewhere, if they're just after hardware that's true enough,
but if they want to read the data on your disk they either have to know
some passwords or walk off with the disk, which does tend to leave
traces. If you've any sense anything sensitive, such as passwords,
account details, etc. will be encrypted, so getting those details won't
be a doddle.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |