Why does AWS's Ubuntu AMI come with an “ubuntu” user instead of just allowing root login? [duplicate]











up vote
0
down vote

favorite













This question already has an answer here:




  • Why does Ubuntu have a disabled root account?

    2 answers




AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.



This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.



My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".



Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?










share|improve this question















marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.















  • This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
    – kbuilds
    Nov 29 at 22:16






  • 1




    Then do a passwd on that user...
    – Fabby
    Nov 29 at 22:26










  • @Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
    – kbuilds
    Nov 29 at 22:29












  • This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
    – kbuilds
    Nov 30 at 3:11










  • You might find this related post informative: serverfault.com/questions/580881/…
    – Elder Geek
    2 days ago















up vote
0
down vote

favorite













This question already has an answer here:




  • Why does Ubuntu have a disabled root account?

    2 answers




AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.



This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.



My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".



Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?










share|improve this question















marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.















  • This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
    – kbuilds
    Nov 29 at 22:16






  • 1




    Then do a passwd on that user...
    – Fabby
    Nov 29 at 22:26










  • @Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
    – kbuilds
    Nov 29 at 22:29












  • This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
    – kbuilds
    Nov 30 at 3:11










  • You might find this related post informative: serverfault.com/questions/580881/…
    – Elder Geek
    2 days ago













up vote
0
down vote

favorite









up vote
0
down vote

favorite












This question already has an answer here:




  • Why does Ubuntu have a disabled root account?

    2 answers




AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.



This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.



My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".



Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?










share|improve this question
















This question already has an answer here:




  • Why does Ubuntu have a disabled root account?

    2 answers




AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.



This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.



My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".



Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?





This question already has an answer here:




  • Why does Ubuntu have a disabled root account?

    2 answers








sudo amazon-ec2 aws






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 30 at 1:03

























asked Nov 28 at 4:35









kbuilds

6132613




6132613




marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by muru, Elder Geek, karel, Fabby, user68186 Nov 30 at 1:14


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
    – kbuilds
    Nov 29 at 22:16






  • 1




    Then do a passwd on that user...
    – Fabby
    Nov 29 at 22:26










  • @Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
    – kbuilds
    Nov 29 at 22:29












  • This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
    – kbuilds
    Nov 30 at 3:11










  • You might find this related post informative: serverfault.com/questions/580881/…
    – Elder Geek
    2 days ago


















  • This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
    – kbuilds
    Nov 29 at 22:16






  • 1




    Then do a passwd on that user...
    – Fabby
    Nov 29 at 22:26










  • @Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
    – kbuilds
    Nov 29 at 22:29












  • This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
    – kbuilds
    Nov 30 at 3:11










  • You might find this related post informative: serverfault.com/questions/580881/…
    – Elder Geek
    2 days ago
















This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
– kbuilds
Nov 29 at 22:16




This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password)
– kbuilds
Nov 29 at 22:16




1




1




Then do a passwd on that user...
– Fabby
Nov 29 at 22:26




Then do a passwd on that user...
– Fabby
Nov 29 at 22:26












@Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
– kbuilds
Nov 29 at 22:29






@Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself?
– kbuilds
Nov 29 at 22:29














This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11




This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer.
– kbuilds
Nov 30 at 3:11












You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
2 days ago




You might find this related post informative: serverfault.com/questions/580881/…
– Elder Geek
2 days ago










1 Answer
1






active

oldest

votes

















up vote
1
down vote













I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.



The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.



The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.



It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.



Full context of the discussion:



enter image description here



enter image description here






share|improve this answer























  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
    – Thomas Ward
    6 hours ago










  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
    – kbuilds
    4 hours ago


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote













I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.



The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.



The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.



It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.



Full context of the discussion:



enter image description here



enter image description here






share|improve this answer























  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
    – Thomas Ward
    6 hours ago










  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
    – kbuilds
    4 hours ago















up vote
1
down vote













I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.



The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.



The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.



It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.



Full context of the discussion:



enter image description here



enter image description here






share|improve this answer























  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
    – Thomas Ward
    6 hours ago










  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
    – kbuilds
    4 hours ago













up vote
1
down vote










up vote
1
down vote









I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.



The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.



The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.



It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.



Full context of the discussion:



enter image description here



enter image description here






share|improve this answer














I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.



The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.



The reason for the additional difficulty is that to gain sudo privilieges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.



It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.



Full context of the discussion:



enter image description here



enter image description here







share|improve this answer














share|improve this answer



share|improve this answer








edited 6 hours ago









Thomas Ward

43k23119169




43k23119169










answered Nov 29 at 23:25









kbuilds

6132613




6132613












  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
    – Thomas Ward
    6 hours ago










  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
    – kbuilds
    4 hours ago


















  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
    – Thomas Ward
    6 hours ago










  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
    – kbuilds
    4 hours ago
















When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward
6 hours ago




When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions.
– Thomas Ward
6 hours ago












Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
4 hours ago




Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :(
– kbuilds
4 hours ago



Popular posts from this blog

數位音樂下載

When can things happen in Etherscan, such as the picture below?

格利澤436b