Daedalus with Lightdm and Cinnamon installed from a netinstall: I can log in as root on my desktop. Why is this possible? I thought this is a no-go and disabled.
Tested also a VM with Excalibur and Cinnamon, Trixie with LXDE: same picture.
Last edited by rolfie (2025-09-28 16:15:24)
Offline
Been able to do that since I first installed Daedalus in the fall of 2023...always been that way hasn't it?
Don't know why it would be a no-go.
https://sourceforge.net/projects/vuu-do/ New Vuu-do isos uploaded October 2025!
Vuu-do GNU/Linux, minimal Devuan-based Openbox and Mate systems to build on. Also a max version for OB.
Devuan 5 mate-mini iso, pure Devuan, 100% no-vuu-do. Devuan 6 version also available for testing.
Please donate to support Devuan and init freedom! https://devuan.org/os/donate
Offline
Very interesting.
I have Daedalus with Lightdm and Cinnamon, but I'm not able to login as root on the lightdm login-screen.
But, isn't it much more important to disable the ssh-login as root on the machine? This is done automatically when installing the ssh-server. Check it here: /etc/ssh/sshd_config.
And a last point: have a very secure password for root! Obviously.
So much my 2 cents
Offline
My sshd is configured for no root login.
Now I am looking for the same feature in lightdm. I failed to find something, also in the greeter.
I consider a graphical root login as a security risk.
Offline
The hack is in the file /etc/lightdm/users.conf
The section:
[UserList]
minimum-uid=500
may help a lot. The root user is UID 0, GID 0.
So you couldn't find a root login entry in the login window.
I hope this helps. Greetings!
Offline
Thanks, that line already is present. Seems to be ignored.
I have here:
[UserList]
minimum-uid=500
hidden-users=nobody nobody4 noaccess
hidden-shells=/bin/false /usr/sbin/nologin /sbin/nologin
Edit: Just saw:
# NOTE: If you have AccountsService installed on your system, then LightDM will
# use this instead and these settings will be ignored
Does this AccountsService relate to PAM?
Last edited by rolfie (2025-09-28 17:03:51)
Offline
Thanks for your info.....
but, now I'm lost. Sounds like mystery to me.
Greetings
Offline
It's not limited to Devuan.
Raised the topic in the German Debian forum too: https://debianforum.de/forum/viewtopic.php?t=192885
Last edited by rolfie (2025-09-29 18:23:31)
Offline
Definitely lightdm has a leak. lightdm allows root login. Since I do not use other DMs, I can't speak for their performance.
Based on a web research and a chat on the Devuan Developers IRC, I have identified two possible fixes.
1.) Add a line to /etc/pam.d/lightdm
auth required pam_succeed_if.so user != root quiet
2.) Set up a group that is allowed to login:
# groupadd dmlogin
# usermod -aG dmlogin urmel # urmel is a dummy. Replace with real usernames. Repeat for all other users that shall be permitted
Change /etc/pam.d/lightdm and add:
auth required pam_succeed_if.so user ingroup dmlogin
In both cases trying to login as root returns "wrong password".
Offline
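Added example (not part of the original post and not Devuan or LightDM tooling): a shell check that reports which of the two pam_succeed_if gates described in the post above is present in a PAM service file. The function name pam_root_gate and the sample files are constructed for illustration; on a real system the argument would be /etc/pam.d/lightdm.

```shell
#!/bin/sh
# Prints one of:
#   deny-root      auth required|requisite pam_succeed_if.so user != root
#   group:<name>   auth required|requisite pam_succeed_if.so user ingroup <name>
#   none           neither gate found in the auth stack of the file
pam_root_gate() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)       # "-auth" is a valid PAM type
            if (type != "auth") next
            # only required/requisite make a failed test fail the login
            if ($2 != "required" && $2 != "requisite") next
            if ($3 !~ /(^|\/)pam_succeed_if\.so$/) next
            for (i = 4; i + 2 <= NF; i++) {      # scan module arguments
                if ($i != "user") continue
                if ($(i+1) == "!=" && $(i+2) == "root") {
                    print "deny-root"; found = 1; exit
                }
                if ($(i+1) == "ingroup") {
                    print "group:" $(i+2); found = 1; exit
                }
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample service files, not any distribution's defaults.
    printf '%s\n' '# constructed sample' 'auth requisite pam_nologin.so' \
        '@include common-auth' > "$d/unchanged"
    printf '%s\n' 'auth required pam_succeed_if.so user != root quiet' \
        '@include common-auth' > "$d/fix1"
    printf '%s\n' 'auth required pam_succeed_if.so user ingroup dmlogin' \
        '@include common-auth' > "$d/fix2"
    for f in unchanged fix1 fix2; do
        printf '%-10s %s\n' "$f" "$(pam_root_gate "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

A group:<name> result only keeps root out as long as root is not a member of that group. The check reads the named file only and does not follow @include lines.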
Interesting, thank you, rolfie.
At least there is your solution should the problem be present. Great. Bravo.
It's still funny that I have one Daedalus machine that I use daily as my main desktop-computer that does not show the problem. It was installed with the first iso and maintained from then on. (As always Devuan, OpenRC, lightdm, cinnamon)
I'm not going to research why. I have very strong passwords - and a very conscious way to use IT.
Offline
I consider a graphical root login as a security risk.
May I ask why? Just curious what the reasoning is for that.
Myself I would be very upset if I couldn't login as root on my own system on my own machine, that would be a deal-breaker for sure.
I don't normally run a root session, but I do like it to be available. I actually go to great lengths in Vuu-do to recreate the same experience in the root account that the user account has, nothing more jarring than logging in to a root account and having nothing but a blank screen.
Offline
Just a side-note:
I have just installed a fresh Devuan (Excalibur RC1, OpenRC, LightDM, Cinnamon) for testing and can confirm your findings, rolfie:
LightDM lets you login as root.
Some Daedalus- and all LinuxMint don't allow this. You only have login-boxes for users (from the users-range UIDs).
Excalibur shows a login asking the username, then the password. As did Gnome and XFCE with their DMs in older times.
Again, I can live with that.
Offline
Hello:
And now ...
A side-note to a side-note. ; ^ )
I have a Devuan Daedalus VM I can run (for experimental / testing purposes) on my Devuan Daedalus box.
It is the bog-standard image from the download repository and I can log in (via SLiM) as root:
# whoami
root
#
# uname -a
Linux daedalus 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux
#
My box works the same way.
I have no issue with that, just have to take the necessary precautions.
That said, I have never (ever) needed to do it.
I have specific sudoers entries for all-things I allow as sudo.
Best,
A.
Last edited by Altoid (2025-10-05 17:18:23)
Offline
@greenjeans: Why do I consider graphical root login as security risk?
Here is my answer: I am on Daedalus with Lightdm/Cinnamon. I log in as user, the root account exists and has a password. I do not use sudo except for Veracrypt.
For root access I can either call up graphical programs like gparted where root access is granted by policykit, start a root terminal, or perform file copy/paste activities in Nemo via "Open as admin" if required. I do get along with these features very well. These features support everything I ever needed to do with root privileges. Running root on the desktop is not required in my opinion.
BTW: everything started because a beginner in the German Debian forum complained about not being able to easily work as root despite the access being possible, something with LXDE and Lightdm.
The naive standard user who logs in as root has all possibilities to damage and wreck his system. Maybe "security" is not a perfect term for these risks. Well, somebody with deep knowledge and experience will easily get along with root on the desktop. Me too.
In the IRC chat somebody said that root on the desktop isn't forbidden, just discouraged.
In my opinion lightdm shouldn't allow root access per default. It should be locked, and the experienced user may open this gate.
PS: other DMs like sddm and gdm inhibit root login.
Last edited by rolfie (2025-10-05 17:59:56)
Offline
Suse used to allow root login to desktop. I don't know if it's still the case. The default desktop background for root was a picture of a bomb. Good reminder.
The only time I ever log into the desktop as root is if I can't do it as user, and I want to narrow down the problem.
Offline
Ahh I see, thanks for the explanation @rolfie.
The naive standard user who logs in as root has all possibilities to damage and wreck his system. Maybe "security" is not a perfect term for these risks.
I totally get that. It was just the term "security risk" that was throwing me off. Perhaps a better term might be "noob fat-finger risk"
I myself run my machines normally the exact same way as you do, I work in the user account, and when I need to mod system files I use "open folder as root" or "edit file as root". If I'm working in terminal I su-to-root, I don't use sudo at all.
I have to admit, I have fat-fingered an install myself back in the day.
In my opinion lightdm shouldn't allow root access per default. It should be locked, and the experienced user may open this gate.
Agreed, that seems sensible.
Offline
I think there is a significant security risk - if there's a vulnerability in some piece of software that gives an attacker access to your session, they don't have to bother with escalating privileges because they're already root. Imagine running a web browser as root and allowing all unknown entities to run javascript as root on your machine. Up until recently, xorg always ran as root. It was changed because it was a security risk.
Offline
I have just raised a bug report against Debian:
Bug#1117664: lightdm: Per default it is possible to login as user root graphically
Offline