• Re: Admin Root user [not set to default]

    From Joe@21:1/5 to James Freer on Wed Apr 9 12:40:01 2025
    On Wed, 9 Apr 2025 10:50:54 +0100
    James Freer <jrjfreer@gmail.com> wrote:

    > Hi members
    >
    > I've just done my install of Debian 12 Live XFCE version. Been a user
    > of Xubuntu for 15 years and thought I would change. Tried some of the
    > derivatives and chose Debian to go with.
    >
    > I would be grateful if someone could explain why admin root user is
    > not set to default. I have always had user login and password and then
    > root for other tasks like Aptitude updates. [I am a fan of
    > Aptitude although most folk seem to prefer Apt].
    >
    > Also not sure where to set root admin user. I suppose it doesn't
    > matter if one is using Debian on a home PC like myself rather than a
    > server but I'd just like to know.


    From your experience, you would qualify to use Expert Install, and if
    you had, you would have been asked to set a root password, and asked
    whether you wanted to create other users.

    There will certainly be a root user. It cannot have a password since
    you were not asked to set one, and I believe it is not enabled for
    login. There is no default root password, and it is a matter of Debian
    policy to disable root login for non-expert installations.

    The user you did create should have sudo permissions, so you should be
    able to do sudo passwd root in a terminal and be allowed to set the
    root password, which should enable the root account for login.

    I'm saying 'should', as it is many years since I did a non-expert
    installation and I haven't done this myself. Let us know if it doesn't
    work, and always use Expert Install in future. It's usually a good idea
    to use the netinstall image, as that allows you to install only what
    you need, as long as you have an Internet connection.

    --
    Joe

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From debian-user@howorth.org.uk@21:1/5 to James Freer on Wed Apr 9 12:30:01 2025
    James Freer <jrjfreer@gmail.com> wrote:
    > Hi members
    >
    > I've just done my install of Debian 12 Live XFCE version. Been a user
    > of Xubuntu for 15 years and thought I would change. Tried some of the
    > derivatives and chose Debian to go with.
    >
    > I would be grateful if someone could explain why admin root user is
    > not set to default. I have always had user login and password and then
    > root for other tasks like Aptitude updates. [I am a fan of
    > Aptitude although most folk seem to prefer Apt].
    >
    > Also not sure where to set root admin user. I suppose it doesn't
    > matter if one is using Debian on a home PC like myself rather than a
    > server but I'd just like to know.
    >
    > thanks
    > james


    Have you read https://wiki.debian.org/Root ? It explains the answers to
    many questions. Come back if you're still having problems after reading
    it.

  • From Henrik Ahlgren@21:1/5 to James Freer on Wed Apr 9 12:40:02 2025
    James Freer <jrjfreer@gmail.com> writes:

    > I would be grateful if someone could explain why admin root user is
    > not set to default. I have always had user login and password and then
    > root for other tasks like Aptitude updates. [I am a fan of
    > Aptitude although most folk seem to prefer Apt].
    >
    > Also not sure where to set root admin user. I suppose it doesn't
    > matter if one is using Debian on a home PC like myself rather than a
    > server but I'd just like to know.

    I am not sure if I understand what you mean by "admin root set to
    default". Debian installer creates the traditional root user and you can
    just log in as root, if you know the password.

    However, probably the most common method for performing administrative
    tasks (but nothing else) as root is to install sudo, then create a
    regular user and add that user to the "sudo" group. Often, this user is
    employed for daily operations as well, but the more secure approach is
    to establish a separate user specifically for admin tasks. It's a good
    idea to also make the user a member of groups "adm" and
    "systemd-journal" to avoid full root privileges when just reading logs.

  • From Greg Wooledge@21:1/5 to James Freer on Wed Apr 9 13:10:01 2025
    On Wed, Apr 09, 2025 at 10:50:54 +0100, James Freer wrote:
    > I've just done my install of Debian 12 Live XFCE version.

    I really don't understand why so many people do this. Why would you
    install using a "Live" medium instead of the real installer?

    Anyway, the Live version doesn't set a root password, and doesn't
    give you the chance to set one during installation. It just assumes
    you will want to use sudo for everything. But don't worry about that --
    once you boot into the installed system, you can do whatever you want
    to it, including setting a root password.

    Just become root via sudo, and then run "passwd root". So, either of
    these:

    sudo passwd root

    sudo -i
    passwd root

    The second one may be more convenient if you want to run several
    commands as root instead of just one. E.g. you might want to install
    a whole bunch of packages using apt or apt-get, and already being in
    a root shell will make that slightly more convenient.

  • From Greg Wooledge@21:1/5 to James Freer on Wed Apr 9 15:00:02 2025
    On Wed, Apr 09, 2025 at 13:44:14 +0100, James Freer wrote:
    > b] 'Sudo' - I thought came in with ubuntu (and some other
    > derivatives). Many distros use 'su -' for admin rights and I thought
    > Debian was one of those. Sudo I thought was introduced as a level of
    > safety for newbie users so they could only carry out one operation at
    > a time. If I wanted to do a series of operations I'd choose 'sudo su'
    > which allowed that and as I understood was the equivalent to 'su -'.
    > From what you have said it seems Debian has now included sudo. It may
    > be that the Calamares installer has decided this setup and it is
    > better to use the netinst iso.

    If you install using the regular Debian installer, you will be
    given the opportunity to enter a root password, or to leave it blank.

    If you give a root password, then that will be set for the root account,
    and sudo won't automatically be installed. (But you may choose to
    install it later.)

    If you leave the root password blank, then no password will be assigned
    for the root account (meaning it's not possible to login directly as
    root, even on the console, and single user mode won't work). If you
    choose this route, then sudo will be installed automatically, and the
    non-root user account that you create during installation will be added
    to the sudo group, so that it can use the sudo command.

    I'm guessing the Live installer just assumes you want the second route,
    instead of asking. I've never used it, so I'm not certain.

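Added example (not part of any post in this thread): a shell check for the two installer outcomes described above, a locked root account with an admin user in the sudo group versus a root account with its own password. The function names and the sample shadow(5)/group(5) lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the password field of a shadow(5) entry for account $1.
# Reads shadow-format lines on stdin; prints locked, empty, password-set or absent.
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"         # no password required
            else if ($2 ~ /^[!*]/) print "locked"        # no password can match
            else                   print "password-set"  # direct root login possible
        }
        END { if (!found) print "absent" }'
}

# Succeeds if user $1 is listed as a member of group $2 (group(5) lines on stdin).
# Only supplementary membership (field 4) is checked, not the primary GID.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }'
}

# Constructed sample data (not from a real system).
SAMPLE_SHADOW='root:!:20187:0:99999:7:::
james:$y$j9T$constructedsalt$constructedhash:20187:0:99999:7:::'
SAMPLE_GROUP='adm:x:4:james
sudo:x:27:james
systemd-journal:x:999:'

audit() {  # $1 = shadow text, $2 = group text, $3 = admin user
    root=$(printf '%s\n' "$1" | shadow_state root)
    if printf '%s\n' "$2" | in_group "$3" sudo; then s=yes; else s=no; fi
    echo "root=$root sudo=$s"
}

audit "$SAMPLE_SHADOW" "$SAMPLE_GROUP" james
```

On an installed system the same functions can read real data, for example `sudo getent shadow root | shadow_state root`; `sudo passwd -S root` reports the equivalent state as L, NP or P.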
  • From tomas@tuxteam.de@21:1/5 to Jeffrey Walton on Wed Apr 9 16:00:01 2025
    On Wed, Apr 09, 2025 at 09:34:08AM -0400, Jeffrey Walton wrote:

    [...]

    > Disabling root logins by default is especially important when a
    > network attacker can use the login, like via SSH.

    To achieve this...

    > The network attacker
    > is usually your #1 threat, and you don't want to give the network
    > attacker an opportunity to obtain root merely by guessing a weak
    > password over the internet. (There are other things you should also do
    > for SSH, like disabling passwords and enabling public key
    > authentication).

    ...disabling root logins over SSH should suffice. I think those
    are orthogonal.

    Don't get me wrong: I, at some point, dropped root password,
    but more for convenience than for anything else.

    Cheers
    --
    t

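Added example (not part of any post in this thread): a shell check of the two sshd_config settings the exchange above turns on, root login over SSH and password authentication. The function names and sample configurations are constructed; the fallback values are the OpenSSH defaults.

```shell
#!/bin/sh
# Print the global value of sshd_config keyword $1 from config text on stdin.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. $2 is reported when the keyword is unset (OpenSSH default).
# Assumptions: "Keyword value" form only; Include and Match are not followed.
sshd_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v d="$2" '
        /^[ \t]*(#|$)/            { next }    # comments and blank lines
        tolower($1) == "match"    { exit }    # global section ends here
        tolower($1) == k && !seen { v = tolower($2); seen = 1 }
        END { print (seen ? v : d) }'
}

# Report whether root can authenticate with a password over SSH.
# Keyboard-interactive/PAM settings are not evaluated here.
ssh_root_report() {  # $1 = sshd_config text
    prl=$(printf '%s\n' "$1" | sshd_value PermitRootLogin prohibit-password)
    pwa=$(printf '%s\n' "$1" | sshd_value PasswordAuthentication yes)
    if [ "$prl" = yes ] && [ "$pwa" = yes ]; then risk=yes; else risk=no; fi
    echo "PermitRootLogin=$prl PasswordAuthentication=$pwa root-password-login=$risk"
}

# Constructed sample configurations (not from a real host).
# In the weak sample the later "no" is ignored because the first value wins.
SAMPLE_WEAK='# constructed sample
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication yes'
SAMPLE_HARDENED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

ssh_root_report "$SAMPLE_WEAK"
ssh_root_report "$SAMPLE_HARDENED"
```

Debian's sshd_config can pull in drop-in files through Include, so on a live host compare the result against `sudo sshd -T`, which prints the effective settings.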
  • From Nicolas George@21:1/5 to All on Wed Apr 9 16:00:01 2025
    Greg Wooledge (HE12025-04-09):
    > I really don't understand why so many people do this. Why would you
    > install using a "Live" medium instead of the real installer?

    Because the real installer does not give the fine control I want and has
    a crappy user interface.

    I always install my Debians with GRML and debootstrap. That lets me (1)
    setup the volumes exactly the way I want, (2) install from my
    comfortable computer, (3) copy-paste install commands.

    I consider the whole concept of installer as done by Debian completely
    misguided. Installing a system should involve:

    (1) a live system;

    (2) a tool to ease creating volumes and file systems and mounting them;

    (3) a large archive with the base system, not a boatload of tiny
    packages that will take forever to unpack;

    (4) a tool to configure from the outside a system that is not running.

    There is no necessity that an installer be a monolithic monster with all
    four parts tied together. Monolithic monsters that do everything usually
    end up doing everything mediocrely. See GitLab for an example.

    Of course, this is not the answer of somebody who uses a live system
    with XFCE.

    > The second one may be more convenient if you want to run several
    > commands as root instead of just one.

    Not true: with a root shell, you need to be extra careful at all times.
    With sudo in front of the privileged commands, you only need to be
    extra careful when you type sudo.

    Regards,

    --
    Nicolas George

  • From Joe@21:1/5 to James Freer on Wed Apr 9 16:00:01 2025
    On Wed, 9 Apr 2025 13:44:14 +0100
    James Freer <jrjfreer@gmail.com> wrote:



    > b] 'Sudo' - I thought came in with ubuntu (and some other
    > derivatives). Many distros use 'su -' for admin rights and I thought
    > Debian was one of those. Sudo I thought was introduced as a level of
    > safety for newbie users so they could only carry out one operation at
    > a time. If I wanted to do a series of operations I'd choose 'sudo su'
    > which allowed that and as I understood was the equivalent to 'su -'.
    > From what you have said it seems Debian has now included sudo. It may
    > be that the Calamares installer has decided this setup and it is
    > better to use the netinst iso.


    Sudo goes back a long way, and was only included in a default Debian
    installation in the last few versions, but it was always available.
    Several times I have needed to install it, along with mc, as the first
    tasks in a new stable installation.

    It's really useful in a multi-user system, where individual users or
    groups of users can be allowed to do some specific tasks using their
    own passwords, or even with no password. Su is all or nothing: either
    the user is given the root password or he isn't, and if he has it, he
    can do anything. OK for a single owner/user, not so good for a business.

    --
    Joe

  • From Greg Wooledge@21:1/5 to Jeffrey Walton on Wed Apr 9 16:10:01 2025
    On Wed, Apr 09, 2025 at 09:34:08 -0400, Jeffrey Walton wrote:
    > Disabling root logins by default is especially important when a
    > network attacker can use the login, like via SSH. The network attacker
    > is usually your #1 threat,

    There may be systems where this is true; for example, a public web
    server.

    On the vast majority of desktop systems, however, the #1 threat is
    probably one of these:

    * Malicious code executed within a web browser by an ad, or a web page,
    or something the user clicks in a spam email.

    * Social engineering attacks in which the user is tricked into giving
    information to a malicious party (phishing email, etc.).

    <https://xkcd.com/1200/> is pertinent here. An infiltration of the
    root account is bad, but mostly because of what it lets the attacker
    do *afterward*. They may install a key logger, or packet sniffer, or
    something along those lines, which gives them the user's personal
    data or secret credentials, which they can then use for their actual
    attack, which might be identity theft, regular old theft, etc.
