root Archives • Linux Tips

How To: Protect a file or directory from being deleted or changed by root

The following article is a guest article that will teach you how to protect a file or directory from being deleted or changed – even by root. This is a handy skill to have as you may have files you want to ensure are never changed.

This time, I’m going to do very little editing – but not out of laziness, but because I really don’t seem to need to do much. I really only need to do some formatting changes and we’ll be good.

Note: I forgot to ask the author if they want me to disclose their name. It’s a little late in the day now, as they’re in another time zone entirely, so when they see this they can let me know if they want their name credited/anything linked from it.

Without further ado…

Protect A File Or Directory:

Sometimes we come across files/directories in Linux that we don’t want to be changed. It won’t be long before we realize making a file “read only” through the GUI of our desktop environment doesn’t work the way we want to because the root user is still able to alter that file.

In this article I’m going to show you how to protect ANY file or directory from being deleted or changed even by the root user. For this example I’ll use xorg.conf which is nvidia’s config file.

Files:

In order to make xorg.conf immortal, as I like to call this process, open terminal and type:

sudo chattr +i /etc/X11/xorg.conf

1	sudo chattr +i /etc/X11/xorg.conf

and press enter. To make sure the file has become immutable, which is what the +i stands for, open it as root in your favorite text editor (sudo gedit /etc/X11/xorg.conf). Some text editors will allow you to write new content to the file but they won’t allow you to save the changes because the file is already immutable. Other text editors won’t react to pressing keys and there will be a “read only” string in the title bar next to the file name.

Undoing a file immutable is pretty much the same, with the only difference being that instead of a + you must use a minus symbol:

sudo chattr -i /etc/X11/xorg.conf

1	sudo chattr -i /etc/X11/xorg.conf

Directories:

You can also make a directory immutable or even a set of subdirectories. For this example open your home directory in your favorite file manager, then open terminal and type:

mkdir -p testdir/dir2/

1	mkdir -p testdir/dir2/

Now, here comes a little tricky part that you need to remember for the immutabling of the directories to work: placing a slash after the names tells the shell that dir2 is a directory and not a file. If you type /testdir/dir2, the shell will think dir2 is a file and will return an error.

If you have entered the command correctly, you will see this output:

mkdir: created directory „'testdir'“
mkdir: created directory „'testdir/dir2/'“

1 2	mkdir: created directory „'testdir'“ mkdir: created directory „'testdir/dir2/'“

If you have closed terminal, open it again in your home directory where you just created these two directories and type (exactly the way you see it, with the capital R and V):

sudo chattr -RV +i testdir/

1	sudo chattr -RV +i testdir/

-R stands for “recursive”, meaning it will do the same operation to all subdirectories, including dir2.
-V stands for “verbose” which will display what has been done.

In order to test this, simply select test dir and press Delete to try and delete it. You’ll see an error message which means testdir and the dir2 inside it have both become “immortal” and now nobody can delete them, not even root.

Undoing this is the same command, only instead of +i, you must use -i.

Closure:

And there you have it, a fairly well written article that I didn’t do much to other than some basic formatting. If there’s an error, don’t blame me! Ha! It looks right to me and jives with what I know on the subject, but I did not actually go through and test this. I trust the author to know what they’re talking about.

By the way, if you have a favorite subject and want to write an article, it really is that easy. Up in the upper right, click on the ‘contribute’ and I’ve made it even easier. (Don’t worry if it won’t let you pick a category, it’ll go through – and I still have to pick a category for it anyhow. All that does is save it as a draft for me to work on. It certainly doesn’t publish anything without my intervention. That’d just be silly talk!)

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Prevent SSH Root Login

Today’s article will tell you how, and why you’d want to, disable root login via SSH. It’s actually a brief article and approachable by even a beginner with SSH. If you have SSH enabled, then you may want to make sure to do this.

In some cases, like Ubuntu, the root account is disabled by default. That’s generally a good thing. In that case, this article may be important to you if you’ve enabled root login. This article may also be of interest for those who have changed the port SSH uses. Even if logging in as root is already disabled, it won’t hurt to disable it via SSH. Even if the port has been changed, disabling SSH root login won’t hurt.

So, why would you want to disable root login for SSH? Well, it’s a known account – meaning ‘root’ is pretty standard across the distros. An attacker already has half the information – the name of the account. It’s also an account that has the keys to the kingdom. If you have control of the root account, you have complete control of the system. This is fine if it’s your system and you with the root account, it’s less appreciated when it’s someone else that has control of your devices.

This article is actually pretty easy and is a step I suggest everyone take. What it does is it prevents root login via SSH entirely. It’s a simple step to make your computer more secure by preventing SSH root login. You can still login with other accounts and use sudo, so it’s really not limiting your ability to control the system.

Prevent SSH Root Login:

Like many other articles on this site, this one needs an open terminal. You can open your terminal with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Once you have your terminal open, enter the following command:

sudo nano /etc/ssh/sshd_config

1	sudo nano /etc/ssh/sshd_config

Once that’s open, you’re looking for #PermitRootLogin no. When you find that line, you simply want to remove the # symbol. The end result should look like this:

PermitRootLogin no

1	PermitRootLogin no

In some default configurations, you may see #PermitRootLogin prohibit-password instead. If you uncomment that line, you could still login as root – you just can’t login with a password and would have to use a key like in this article about SSH keys.

In that case, when the line doesn’t exist or is changed, you can just add the line yourself. It won’t hurt anything and will still work. So, just find a blank section in the config file, add a new blank line, and then add the PermitRootLogin no like above.

Once you’re done, you need to save the file. As we’re using nano, you do that by pressing CTRL + X, then Y, and then ENTER. That should save the file with the correct name.

Finally, you will want to reload SSH. That’s easy enough, you reload SSH with the following command:

sudo systemctl reload sshd

1	sudo systemctl reload sshd

That’s it, that’s all you need to do! Once you’ve done that, and you can test it yourself. You shouldn’t be able to login to SSH with the root account, which is a pretty solid security idea. If you can’t login as root, nobody else should be able to login as root.

By the way, if you decide you want to undo this – just go back into the config file and add a # at the start of the line, save it, and restart the sshd daemon.

Closure:

That’s it. Thanks for reading yet another article! This one is pretty quick and easy, plus it will help you increase your server’s security. There really aren’t many reasons to have SSH root login enabled, and disabling it completely removes that attack vector.

How To: Graphically Login as Root in Ubuntu

In this article, I’m going to show you how to graphically login as root in Ubuntu. This is a generally considered a terrible idea and you should not do this. In fact, if you have a good reason for doing this, please leave a comment letting us know what that reason is. Thanks!

A couple of days ago, I told you how to enable root in Ubuntu. In that article, I explained why enabling login as root was a bad idea and unnecessary for most people. I still told you how to do it, just as I’ll tell you how to graphically login as root in Ubuntu and maybe some of the official Ubuntu flavors.

I should remind folks that this is a terrible idea from a security perspective – especially if you don’t have good physical security. However, if you don’t have good physical security then your computer is already easily compromised by anyone with a live USB in their pocket.

NOTE: This is only sure to work for Ubuntu. It looks like it should work from 18.04 to at least 20.10, and will probably continue to work until Ubuntu moves on from GDM3. (GDM3 is Gnome Display Manager 3, a drop-in replacement for GDM.) This may work for other Ubuntu flavors, I haven’t tested. If you do test or know, please leave a comment below. Thanks!

Anyhow, on with the explaining how to graphically login as root. This shouldn’t take too long!

GUI Login As Root:

The first step is to set up the system so that you can login as root. To do that, you should read this article and learn how to enable root login for Ubuntu. Be sure to read the warnings on that page and think carefully before doing this to your own computer.

After enabling root login, the next step is to open your default terminal. You can do that by pressing CTRL + ALT + T.

Now, let’s temporarily make you a superuser. You can do that with:

sudo su

sudo su

Our next step is to tell the aforementioned GDM3 to let us use the root login.

nano /etc/gdm3/custom.conf

1	nano /etc/gdm3/custom.conf

You’re going to arrow down to just below the automatic login configuration text and enter this line:

AllowRoot=true

1	AllowRoot=true

Then, you’ll save the changes by pressing CTRL + X, then Y, and then ENTER. See? Now you’ve edited and saved a file in the terminal with nano. It gets easier the more often you do it!

Next let PAM know:

Your next step is going to be telling PAM (Pluggable Authentication Modules) that logging in as root is okay. That’s pretty easy, and we’ll do it with nano just like above.

nano /etc/pam.d/gdm-password

1	nano /etc/pam.d/gdm-password

Scroll down and look for this line:

auth required pam_succeed_if.so user != root quiet_success

1	auth required pam_succeed_if.so user != root quiet_success

What you’re going to do is ‘comment it out’, by adding the # symbol which means, in this case, ‘ignore this line’. Change that line so that it looks like this:

#auth required pam_succeed_if.so user != root quiet_success

1	#auth required pam_succeed_if.so user != root quiet_success

Now, save it just like you did above. (Press CTRL + X, then Y, and then ENTER.) As you’re still using ‘sudo su’, you can get out of that mode by simply typing:

exit

exit

That’s it, actually! When you next reboot or logout, you can login as root. To do so, you need to click on ‘Not Listed’, type in ‘root’, and then enter your password. It should look pretty much like the following images:

enter the password to proceed — Enter your root password and the press the ENTER button.

Tada! You’ll be logged in as root for no good reason and with almost no benefits! Congratulations! Now, undo it and go back to being a bit more secure. Or not… I don’t mind. It’s your computer. You do what you want!

Please just don’t let your box get owned and turned into something malicious like a spam bot or a node in bot network used to do things like DDoS sites for money. Don’t let your computer make you a bad netizen.

Closure:

And there you have it! You can now login as root in the GUI and use Ubuntu as root. This is, of course, a terrible idea – but you can do it. If you’re ever in a position where this seems like the best solution, be sure to ask around to see if there are better ways to accomplish your goals. If you can login as root, so can’t someone else! Either way, it’s another article in the books!

How To: Enable The Root Account in Ubuntu

This will be a quick and easy article, where I explain how to enable the root account in Ubuntu. It’s easy to enable the root account, but you may not want to. The choice is up to you.

This article really starts here, with a pet peeve. See, Ubuntu doesn’t ship with root enabled by default and it does that for security reasons. If there’s no root account, the root account can’t be compromised. Instead, it relies on sudo for elevating permissions. If you ask at some sites, they’ll give you a lecture instead of telling you how to enable root.

Me? I disagree with that. If you want to know how to enable root, I’ll tell you how to enable root. It’ll likely come with a blurb that tells you why you may want to avoid doing so – but I’ll give you the answer to your question.

About the only time I won’t give you a direct answer is when it’s obvious that you’re asking me to do your homework. I may also not tell people how to do their job. After all, I don’t want incompetence entering the workforce and I don’t want incompetent people staying staying in the field.

I view Linux as not just an OS but also as a bit of a philosophy, a philosophy of constant learning, continued improvement, and a never-ending quest for greater understanding. If someone wants to know how to enable root, I’m damned well going to tell them how to enable root.

Yes, it may lessen their security, and I’ll make sure to tell them that as well. I’ll be sure to tell them why Ubuntu made the choice and what it means if they undo it. It’s their system. If they want to enable root, I will help them do that.

Enable Root in Ubuntu:

Having said all of that above, it’s actually really trivial to enable root in Ubuntu. The first thing you’re going to do is open the terminal. Like always, you can use your keyboard, just press CTRL + ALT + T and your default terminal will open up.

Next, you’ll want to enter the following command:

sudo passwd root

1	sudo passwd root

Now, first it’ll ask for your current user’s password. Enter that. When you enter that, it’ll ask you to set a password for ‘root’. You’ll need to enter that password twice. Once you’re done with that, you’re done with it. That’s literally all it takes.

If you want to test this, you can login as root in TTY. Press CTRL + ALT + F3 and login as root, using the password you just assigned. To get back to your desktop, just press CTRL + ALT + F1 and it should bring you right back. If not, or if you’re not using Ubuntu, you can press and hold the left ALT button and then press the ➝ until you’re back at your desktop.

NOTE: This won’t enable GUI login as root. I’ll explain how to do that in a future article. This only enables the root account and nothing more.

If you do enable root, be aware that that means the root account can be compromised and used. Root has all the permissions. All of ’em… So, if the root account is compromised whoever has done so has complete control of the system. You should be aware of this before you make this change. Only make this change if you know what you’re doing and if you’re prepared for the consequences.

Closure:

And there you have it. You have another article in the books, this one explaining how to enable the root account. Think twice before doing so, but it’s your device and you get to make that decision. Just be aware of the consequences of doing so and you should be all set.