Raspberry Pi OS update beefs up security

Re: Linux and security

Nope. People have bitched loudly about this for a while.

Apparently you've been so far up the Windows hole you haven't been listening.

Given the standard ISO does not have SSH enabled it would work exactly like current standard headless setups: either you just copying one youve set up with a new user or your booting the standard install ISO on something with keyboard and screen before sending it of headless into the world like a rich politician.

How does that work on headless setups ?

Reportedly (haven't tried it myself yet) very well, you will have to create a small file named userconf or userconf.txt in the boot partition of the SD card with a single line of text, consisting of username:encrypted- password – so your desired username, followed immediately by a colon, followed immediately by an encrypted representation of the password you want to use. The Raspberry Pi Imager tool will do that automagically for you.

And audio.

I've just trashed my microSD setting up a new install so cant check this without wandering next door and I cant be bothered but are these not set to local access only? You cant log into them unless you are on the machine or you have set them to be externally accessible?

Alas you expose your lack of UNIX knowledge here. Most of those accounts cannot log in at all.

Of course, I can see you are using a UNIX knock-off, AKA Linux, as evidenced by the horror show of systemd. But on a true UNIX-derived OS, FreeBSD, here is an example:

root /bin/csh

daemon /usr/sbin/nologin

operator /usr/sbin/nologin

bin /usr/sbin/nologin

tty /usr/sbin/nologin

kmem /usr/sbin/nologin

games /usr/sbin/nologin

news /usr/sbin/nologin

man /usr/sbin/nologin

sshd /usr/sbin/nologin

smmsp /usr/sbin/nologin

mailnull /usr/sbin/nologin

bind /usr/sbin/nologin

unbound /usr/sbin/nologin

proxy /usr/sbin/nologin

_pflogd /usr/sbin/nologin

_dhcp /usr/sbin/nologin

uucp /usr/local/libexec/uucp/uucico

pop /usr/sbin/nologin

auditdistd /usr/sbin/nologin

www /usr/sbin/nologin

ntpd /usr/sbin/nologin

_ypldap /usr/sbin/nologin

hast /usr/sbin/nologin

tests /usr/sbin/nologin

nobody /usr/sbin/nologin

These aren't "users" in the logging in sense.

Do you really think it's a good idea for all system processes to run with root privileges, even when not required? -- or even one process being able to modify another processes data? (This is a common failure where people often run many different service as user "nobody")

These (and others) are the separate unix accounts used to practice privilege separation.

They are not available to login to in any way

Find a local CoderDojo and take a gun.

I got 3 from Mouser... took about 4 weeks instead of their quoted 3-6 months. I didn't need 'em badly so I didn't care when they got here. That's probably key.

If you want the 8Gb model, place your order back in December last year and expect one to land around the end of November this year, like I did. YMMV, like that delivery date almost certainly will.

Try Mythic Beasts.

Re: TITSUP

You can create a user named "pi", the installer just tells you that it's not a good idea.

Re: Is root the same as Administrator?

root is UID 0

User account names start at 1000 and increment as new ones are added. System accounts start from 1 and increment from there.

If you are logged in, depending on the "hardness" of the OS install, you can just

cat /etc/passwd

to see the list. (FreeBSD here. Linux, esp. SystemD based ones, might be different)

Re: Is root the same as Administrator?

@David12

Yes, you are right. They are both labels to an underlying ID. As you stated on Windows, Administrator has the relative ID (RID) of 500 (0x1F4 as you stated) and this can't be changed. There's also the administrators group (544). Here's the full list of Windows SID's and RID's

There are reserved ranges in Windows, so typically user ID's start at 1000. As you stated security tools take advantage of this information, i.e. to find the real name of the admin account, others just use the well known SID's and RID's.

For extra fun, rename administrator, then create a new account called administrator, with no permissions and set it to be disabled. This will prevent account lockout on the real administrator account and it makes it easy via the logs to see any attempted login by unexpected parties. The new administrator account will have a RID of >1000.

Finally, there are tools that can display the mapping of users to SID's, there are even powershell cmdlets that give this info, so its always possible to see the mapping.

Its the same on Linux, root is user ID (UID) 0 and Group ID (GID)=0. The mappings can be found in /etc/passwd and /etc/group

Linux/Unix also has the same layout of special ID ranges and users start at 1000.

Apologies for the Wikipedia article but I couldn't easily find a list of the linux reserved ranges, other than a systemd article . Both init and systemd have the same sort of approach.

There are similarities on reserved ranges for special purposes (0-99).

The same sort of attacks are possible on Linux for the same reasons.

Given Unix came first and all OS's need to map friendly names to underlying data structures that are generally based around INT's, its easy to see why all OS's (Linux, Windows, etc) share a lot of common approaches in this regard.

Like Windows, you *can* rename root, but the level of OS understanding needs to be higher, since some 3rd party tools and scripts check the text, not the ID. This means that generally only larger organisations or those with increase risk profiles and who understand the impacts actually do it.

Re: Is root the same as Administrator?

While it is true that all Linux systems have the root/UID=0 account, in most cases now you can't actually log in to that account (you need to setup a password for it if you want to enable it).

Generally most distributions now have some user created at installation that has 'sudo' rights and that allows exactly the same permissions as root, but you have to know/guess the sudo accounts and their passwords. That is where the Rasbian version was dumb as it had no-password sudo on the 'pi' account and easy to log in if exposed to the internet, etc.

Also many systems disable SSH as root, so even if you have a root account enabled, you first have to SSH in as someone else (username & password/key) and then 'su' to root to use it.

If you worry about easy to guess passwords allowing that chain of attack, then you can set SSH to only allow key-pair login, so you have to have added the desired user's public key(s) in to the account's .ssh/authorized_keys file first. That effectively blocks brute-force SSH login, but is someone's machine is compromised they can then use the key to get in, so it is wise to limit login accounts so at least a password is needed to actually do much of note, or to have a password added to the SSH key (which breaks automatic login for checking/backup where key-exchange is usually used for no interaction).