Safety issues with numeric login and sudo password
#1
I can’t be the only n00b PinePhone-owner who’s not too excited about how my ordinary user can sudo with the PinePhone’s lockscreen PIN-code? This is the case in both Manjaro and Mobian. If one should be the victim of a brute force password attack, even a 16-20 digit numerical password is cracked before you can blink, and the attacker can log in as root with it. A numerical password is also a lot easier to see (few, big buttons) and memorize in an «over the shoulder password attack» than an alphanumerical one with uppercase, lowercase and special characters.

I have actual enemies skilled in «pentesting» (cracking) who have subjected every aspect of my digital life to targeted attacks, often successfully, so my need for device security probably exceeds the average internet surfer, but even the typical average user with no personal enemies could get hurt by crackers who have the knowledge of this numerical password issue on Mobian and Manjaro. 

I’ve tried several guides found online, for setting privileges and demanding root passwd for sudo, but there aren’t as many n00bs posting these stupid questions about Mobian or ManjaroARM as there are people answering these questions about desktop Ubuntu. Please help! How to fix this on different distros respectively? Removing sudo privileges will permanently lock you out of root on Mobian because the only way to log in as root is sudo -i with the lockscreen PIN code, while on ManjaroARM that might be a solution. Please help!
  Reply
#2
Don't use phosh! Try Openbox or LXDE.
  • ROCKPro64 v2.1 2GB, 16Gb eMMC for rootfs, SX8200Pro 512GB NVMe for /home, HDMI video & sound, Bluetooth keyboard & mouse. Arch (5.14 kernel, Openbox desktop) for general purpose daily PC.
  • PinePhone BraveHeart now v1.2b 3/32Gb daily driver, dual boot via p-boot with Mobian/f2fs/Phosh on eMMC, Arch/ext4/Phosh on SDcard
  • PinePhone v1.2a 2G/16Gb that needs USB board replaced
  Reply
#3
Can't you remove the user from the sudoers file? Or uninstall sudo?
  Reply
#4
(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file? Or uninstall sudo?
Not on Mobian, because it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.
  Reply
#5
(07-03-2021, 11:14 PM)Line Wrote:
(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file? Or uninstall sudo?
Not on Mobian, because it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.
normally debian and fedora use different passwords for user and root, meaning both are activated. not in mobian though.

short background info: "sudo" gives temporary root user privileges with the user's password. if the root user is activated then "su" gives root user access but you need to give the root user's password and not the ordinary user's password.

solution might be that you activate root account and you use "su -l" command. how to activate root account ...
Code:
$ sudo su -l
(give user password)
# passwd
(give new password, this will activate root account)

after this you could disable user account in /etc/sudoers (or similar) file. this method may still have serious caveats.

edit: you don't need to edit sudoers file, "deluser mobian sudo" is enough, be careful about that command because a typo may mean serious side effects.
  Reply
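A pre-flight check for the lock-out caveat raised in the post above, as an added example that is not part of the original thread: it reads the root account status as printed by `passwd -S` and the `sudo` group line from `getent`, and refuses removal while root has no usable password. The function names and the sample lines are constructed for illustration; the user name `mobian` and the `deluser` command come from the thread.

```sh
#!/bin/sh
# Added example: check that root can still log in before "deluser <user> sudo".
# Status field meanings follow passwd(1) from shadow-utils:
#   P = usable password, L = locked, NP = no password.

# root_status LINE -> prints the status field of a `passwd -S root` line,
# e.g. "L" for "root L 07/03/2021 0 99999 7 -1".
root_status() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# in_group GROUP_LINE USER -> returns 0 if USER is listed in a
# `getent group sudo` line such as "sudo:x:27:mobian".
in_group() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# safe_to_drop_sudo PASSWD_LINE GROUP_LINE USER
# Prints a verdict; returns 0 only when removal cannot lock root out.
safe_to_drop_sudo() {
    status=$(root_status "$1")
    if ! in_group "$2" "$3"; then
        echo "skip: $3 is not in the sudo group"
        return 2
    fi
    if [ "$status" != "P" ]; then
        echo "unsafe: root status is '$status'; set a root password first"
        return 1
    fi
    echo "ok: root has a password; 'su -l' will still work"
    return 0
}

# Constructed sample lines (not captured from a real device).
SAMPLE_ROOT_LOCKED='root L 07/03/2021 0 99999 7 -1'
SAMPLE_SUDO_GROUP='sudo:x:27:mobian'
safe_to_drop_sudo "$SAMPLE_ROOT_LOCKED" "$SAMPLE_SUDO_GROUP" mobian || true

# Live use, run as root after "passwd" has set a root password:
#   safe_to_drop_sudo "$(passwd -S root)" "$(getent group sudo)" mobian \
#       && deluser mobian sudo
```
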
#6
i decided to create a wishlist item and it was sort of saying reported already.

https://gitlab.com/mobian1/issues/-/issues/334
https://source.puri.sm/Librem5/phosh/-/m...quests/801

basically, add keyboard button.
  Reply

