I did a fresh install of Linux Mint 18.1 and created a single user named "jack" with PASSWORD1 as the password. Later, I changed the password (using the "Users and Groups" graphical dialog) to PASSWORD2. Both logging in and using sudo now require PASSWORD2, as expected.
However, PASSWORD1 is still the password for the account root. I can tell because su - and su - root reject PASSWORD2 but accept PASSWORD1.
Isn't this a security flaw? Why did the root account silently copy my user password in the first place? If I knew my password was compromised and changed it, I wouldn't think to check that the root account was still using the compromised password.
In fact, I thought the root account was disabled on Linux Mint by default. See this question for instance: https://superuser.com/questions/323317/why-does-linux-ubuntu-mint-lack-a-root-account
Any reason not to disable the root account using sudo passwd -l root? Why wasn't this done by default?
Edits
@terdon I am fairly sure that I never ran sudo passwd or even plain passwd on this operating system.
@Mark I checked and the only thing that comes back doesn't look relevant.
jack@gamma /var/log $ ls auth.log*
auth.log auth.log.1 auth.log.2.gz auth.log.3.gz auth.log.4.gz
jack@gamma /var/log $ zgrep passwd auth.log*
auth.log.2.gz:Mar 9 17:56:07 gamma mdm[1695]: pam_succeed_if(mdm:auth): requirement "user ingroup nopasswdlogin" not met by user "jack"
jack@gamma /var/log $ zgrep "password changed" auth.log*
# nothing returned
Edit:
I have filed a bug report with Linux Mint
https://bugs.launchpad.net/linuxmint/+bug/1675575
Now that @Roger Lipscombe has confirmed this issue, I am going to add a bounty to the question.
Best Answer
Mint 17.3
This looks like a deliberate decision in Linux Mint. I just freshly installed Mint 17.3 on a VM, and the root account has a password set in /etc/shadow. After changing my user password, su - accepts my previous user password. I can't (yet) explain why though.
Mint 18.3
I've just done a fresh install of Mint 18.3, and I don't have a password set for my root account.
sudo grep root /etc/shadow shows ! in the password field, which means that the account is locked.
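The /etc/shadow check from the answer, generalized into a small audit that classifies the password field of every entry and reports the last-change day (field 3). This is an added example, not part of the original question or answer; the function names are hypothetical and the sample entries and hashes are constructed.

```shell
#!/bin/sh
# Added example; the sample entries below are constructed, not from a real system.

# Classify the password field (field 2) of a shadow(5) entry.
field_state() {
    case "$1" in
        '')       echo "empty" ;;          # no password needed to authenticate
        '!'|'*')  echo "locked" ;;         # no valid hash: password login impossible
        '!'*)     echo "locked-hash" ;;    # passwd -l: existing hash prefixed with '!'
        '$'*)     echo "password-set" ;;   # crypt(3) hash in $id$salt$hash form
        *)        echo "other" ;;          # e.g. legacy DES hash; inspect manually
    esac
}

# Read shadow-format lines on stdin; print "name state last-change-day".
# Field 3 is the day of the last password change, counted from 1970-01-01.
audit_shadow() {
    while IFS=: read -r name field lastchg _rest; do
        [ -n "$name" ] || continue
        printf '%s %s %s\n' "$name" "$(field_state "$field")" "${lastchg:-unknown}"
    done
}

# Exit 0 if root has a usable password hash (su - would accept a password).
root_has_password() {
    audit_shadow | grep -q '^root password-set '
}

# Constructed sample resembling the situation in the question:
# root and jack both have hashes, but root's last change is older.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDROOTHASH:17234:0:99999:7:::
daemon:*:17212:0:99999:7:::
jack:$6$CONSTRUCTEDSALT$CONSTRUCTEDJACKHASH:17250:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real system, feed it with `sudo cat /etc/shadow | audit_shadow`. A root entry in state password-set with an older last-change day than the user's indicates that root's password was not changed along with the user's.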