Since Ubuntu disables the root account by default, why not disable root shell access also?
The current default for the root account in /etc/passwd is root:x:0:0:root:/root:/bin/bash.
Why not set it to root:x:0:0:root:/root:/usr/sbin/nologin?
Solution 1:
If that were the case, you would only be able to run commands with sudo one at a time, but you would not be able to start a root shell.
A root shell is convenient in many cases, e.g. if you are planning to run multiple commands as root in a row.
Specifically, you could not run sudo -i, as AlexP noted. From man sudo:
-i, --login Run the shell specified by the target user's password database entry as a login shell.
Solution 2:
Besides Alberto Santini's sudo answer, there's another (far better) answer. If root's shell is set to something that is not a shell, booting single user doesn't work. There's recovery in sulogin for things like non-extant shell or completely broken shell, but it will not work if the shell appears to be a valid shell but isn't actually a shell.
You can still sudo directly to get a shell by specifying the shell to sudo, so it's not even good protection.
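
An audit helper for the field both answers turn on, added here as an example and not part of either answer: it lists every UID-0 entry in a passwd-format file with the shell that sudo -i and single-user boot would be handed. The function name, the class labels and the sample entries (including the "toor" account) are constructed for illustration; the files are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# classify_root_shells PASSWD_FILE SHELLS_FILE
# Prints "name:shell:class" for every UID-0 entry, where class is:
#   nologin     - shell is a nologin/false placeholder (no root login shell)
#   login-shell - shell is listed in SHELLS_FILE (format of /etc/shells)
#   unlisted    - shell is something else and needs a manual look
classify_root_shells() {
    passwd_file=$1
    shells_file=$2
    # passwd(5) fields: name:password:UID:GID:GECOS:home:shell
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ "$uid" = "0" ] || continue
        # An empty shell field defaults to /bin/sh (passwd(5)).
        [ -n "$shell" ] || shell=/bin/sh
        case "$shell" in
            */nologin|*/false)
                class=nologin ;;
            *)
                # Whole-line, fixed-string match against the shells list.
                if grep -qxF -- "$shell" "$shells_file"; then
                    class=login-shell
                else
                    class=unlisted
                fi ;;
        esac
        printf '%s:%s:%s\n' "$name" "$shell" "$class"
    done < "$passwd_file"
}

# Constructed sample data, not taken from a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 entry:/root:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
printf '%s\n' '# valid login shells' /bin/sh /bin/bash > "$demo_dir/shells"

classify_root_shells "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system the arguments would be /etc/passwd and /etc/shells; an "unlisted" result only means the shell is not in the shells file, not that it is broken.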