Why does AWS's Ubuntu AMI come with an “ubuntu” user instead of just allowing root login? [duplicate]
up vote
0
down vote
favorite
This question already has an answer here:
Why does Ubuntu have a disabled root account?
2 answers
AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.
This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.
My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".
Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?
sudo amazon-ec2 aws
asked Nov 28 at 4:35
kbuilds
6182613
marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
|
show 2 more comments
up vote
0
down vote
favorite
This question already has an answer here:
Why does Ubuntu have a disabled root account?
2 answers
AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.
This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.
My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".
Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?
sudo amazon-ec2 aws
asked Nov 28 at 4:35
kbuilds
6182613
marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that theubuntuuser can use sudo without entering a password (because that user does not have a password)
– kbuilds
Nov 29 at 22:16
1
Then do apasswdon that user...
– Fabby
Nov 29 at 22:26
@Fabby You would have to bothpasswdthat user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
– kbuilds
Nov 29 at 22:29
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08
|
show 2 more comments
up vote
0
down vote
favorite
up vote
0
down vote
favorite
This question already has an answer here:
Why does Ubuntu have a disabled root account?
2 answers
AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.
This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.
My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".
Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?
sudo amazon-ec2 aws
asked Nov 28 at 4:35
kbuilds
6182613
This question already has an answer here:
Why does Ubuntu have a disabled root account?
2 answers
AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.
This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.
My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".
Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?
This question already has an answer here:
Why does Ubuntu have a disabled root account?
2 answers
sudo amazon-ec2 aws
sudo amazon-ec2 aws
asked Nov 28 at 4:35
kbuilds
6182613
asked Nov 28 at 4:35
kbuilds
6182613
edited Nov 30 at 1:03
asked Nov 28 at 4:35
kbuilds
6182613
asked Nov 28 at 4:35
kbuilds
6182613
asked Nov 28 at 4:35
kbuilds
6182613
6182613
marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that theubuntuuser can use sudo without entering a password (because that user does not have a password)
– kbuilds
Nov 29 at 22:16
1
Then do apasswdon that user...
– Fabby
Nov 29 at 22:26
@Fabby You would have to bothpasswdthat user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
– kbuilds
Nov 29 at 22:29
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08
|
show 2 more comments
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that theubuntuuser can use sudo without entering a password (because that user does not have a password)
– kbuilds
Nov 29 at 22:16
1
Then do apasswdon that user...
– Fabby
Nov 29 at 22:26
@Fabby You would have to bothpasswdthat user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
– kbuilds
Nov 29 at 22:29
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the
ubuntu user can use sudo without entering a password (because that user does not have a password)– kbuilds
Nov 29 at 22:16
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the
ubuntu user can use sudo without entering a password (because that user does not have a password)– kbuilds
Nov 29 at 22:16
1
1
Then do a
passwd on that user...– Fabby
Nov 29 at 22:26
Then do a
passwd on that user...– Fabby
Nov 29 at 22:26
@Fabby You would have to both
passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?– kbuilds
Nov 29 at 22:29
@Fabby You would have to both
passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?– kbuilds
Nov 29 at 22:29
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08
|
show 2 more comments
1 Answer
1
active
oldest
votes
up vote
1
down vote
I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.
The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.
The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.
It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.
Full context of the discussion:
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.
The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.
The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.
It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.
Full context of the discussion:
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
add a comment |
up vote
1
down vote
I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.
The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.
The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.
It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.
Full context of the discussion:
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
add a comment |
up vote
1
down vote
up vote
1
down vote
I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.
The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.
The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.
It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.
Full context of the discussion:
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.
The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.
The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.
It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.
Full context of the discussion:
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
edited Dec 3 at 0:30
Thomas Ward♦
43k23119169
43k23119169
answered Nov 29 at 23:25
kbuilds
6182613
answered Nov 29 at 23:25
kbuilds
6182613
answered Nov 29 at 23:25
kbuilds
6182613
6182613
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
add a comment |
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
1
1
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward♦
Dec 3 at 0:27
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
Dec 3 at 2:17
add a comment |
This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the
ubuntuuser can use sudo without entering a password (because that user does not have a password)– kbuilds
Nov 29 at 22:16
1
Then do a
passwdon that user...– Fabby
Nov 29 at 22:26
@Fabby You would have to both
passwdthat user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?– kbuilds
Nov 29 at 22:29
This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11
You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
Nov 30 at 18:08