I have a different colour scheme in my root CLI session from my normal user session, in addition to the change of prompt character, so I am clearly reminded of where I am.

Bug#1117664: lightdm: Per default it is possible to login as user root graphically

I totally get that. It was just the term "security risk" that was throwing me off. Perhaps a better term might be "noob fat-finger risk"

I myself run my machines normally the exact same way as you do, I work in the user account, and when I need to mod system files I use "open folder as root" or "edit file as root". If i'm working in terminal I su-to-root, I don't use sudo at all.

I have to admit, I have fat-fingered an install myself back in the day.

Agreed, that seems sensible.

The only time I ever log into the desktop as root is if I can't do it as user, and I want to narrow down the problem.

Here is my answer: I am on Daedalus with Lightdm/Cinnamon. I log in as user, the root account exists and has a password. I do not use sudo except for Veracrypt.

For root access I can either call up graphical programs like gparted where root access is granted by policykit, start a root terminal, or perform file copy/paste activities in Nemo via "Open as admin" if required. I do get along with these features very well. These features support everything I ever needed to do with root privilegues. Running root on the desktop is not required in my opinion.

BTW: everything started because a beginner in the German Debian forum complained about not being able to easily work as root despite the access being possible, something with LXDE and Lightdm.

The naive standard user who logs in as root has all possibilities to damage and wreck his system. Maybe "security" is not a perfect term for these risks. Well, somebody with deep knowledge and experience will easily get a long with root on the desktop. Me too.

In the IRC chat somebody said that root on the desktop isn't forbidden, just discouraged.

In my opinion lightdm shouldn't allow root access per default. It should be locked, and the experienced user may open this gate.

PS: other DMs like sddm and gdm inhibit root login.

And now ... 
A side-note to a side-note.  ; ^ )

I have a Devuan Daedalus VM I can run (for experimental / testing purposes) on my Devuan Daedalus box.
It is the bog-standard image from the download repository and I can log in (via SLiM) as root:

# whoami
root
# 
# uname -a
Linux daedalus 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux
# 

My box works the same way.
I have no issue with that, just have to take the necessary precautions.

That said, I have never (ever) needed to do it.
I have specific sudoers entries for all-things I allow as sudo.

Best,

A.

I consider a graphical root login as a security risk.

May I ask why? Just curious what the reasoning is for that.

Myself I would be very upset if I couldn't login as root on my own system on my own machine, that would be a deal-breaker for sure.

I don't normally run a root session, but I do like it to be available. I actually go to great lengths in Vuu-do to recreate the same experience in the root account that the user account has, nothing more jarring than logging in to a root account and having nothing but a blank screen.

It's still funny that I have one Daedalus machine that I use daily as my my main desktop-computer that does not show the problem. It was installed with the first iso and maintained from then on. (As always Devuan, OpenRC, lighdm, cinnamon)
I'm not going to research why. I have very strong passwords - and a very conscious way to use IT.

Based on a web research and a chat on the Devuan Developers IRC, I have identified two possible fixes.

1.) Add a line to /etc/pam.d/lightdm

auth required pam_succeed_if.so user != root quiet

2.) Set up a group that is allowed to login:

# groupadd dmlogin
# usermod -aG dmlogin urmel # urmel is a dummy. Replace with real usernames. Repeat for all other users that shall be permitted

Change /etc/pam.d/lightdm and add:

auth required pam_succeed_if.so user ingroup dmlogin

In both cases trying to login as root returns "wrong password".

Raised the topic in the German Debian forum too: https://debianforum.de/forum/viewtopic.php?t=192885

I have here:

[UserList]
minimum-uid=500
hidden-users=nobody nobody4 noaccess
hidden-shells=/bin/false /usr/sbin/nologin /sbin/nologin

Edit: Just saw:

# NOTE: If you have AccountsService installed on your system, then LightDM will
# use this instead and these settings will be ignored

Does this AccountsService relate to PAM?

The section:
[UserList]
minimum-uid=500

may help a lot. The root user is UID 0, GID 0.
So you couldn't find a root login entry in the login window.
I hope this helps. Greetings!