The Lessons Hardest Learned

A few tips for those seeking advice and those offering it.

A short time ago, I was on my favorite IRC channel when a friend of mine (we'll call him Joe) asked me to help him install Java and Flash on his system. We had worked through a few Linux problems before, and I was willing to help.

Together, we got Java enabled. I then helped him get Flash downloaded, and we began the instructions to untar and install Flash. Right about then, someone else popped into the channel and began to help us out as well. This new participant (let's call him Frank) was a person I have long recognized as having far more Linux skills than I, so his advice was welcomed.

A few commands into the session, our guru, Frank, typed out this command: passwd -l root. This was meant, of course, to be a joke.

Joe dutifully typed in the command and echoed back a very chilling word in IRC, success. At the time, Frank and I both assumed that Joe was returning the kidding, and we thought nothing else about it.

The horror of this fiasco sank in about 20 minutes later when we asked Joe to su so he could copy a file. He told us that his system would not accept root's password, so Frank led Joe through a series of commands to ascertain some information about Joe's system. Evidently, Joe had set up his user account with root privileges. A while later I wandered off, unable to contribute any further to the recovery efforts.

There is a three-fold purpose to this story. For newcomers to Linux, some cardinal rules should be elaborated upon. For the experts of the world, a few nuggets of wisdom can be gleaned here as well. First of all, root and user accounts should be kept separate for a reason. Root is all powerful and is meant to be used in certain situations only. Had Joe's user account not been root privileged, the passwd command would have failed and this would be just another funny story. Root can do anything it wants to your system, and if you aren't sure exactly what the results of your actions will be, then neither root nor you should be doing those actions.

My experience has been that Windows power-users have the hardest time overcoming the belief that their user account should be able to do anything it wants. After all, to run Windows, you need that kind of access, right? Please avoid the temptation to elevate your user account's privileges. I personally learned this the hard way. I had a root-level user account on my first install. I had to reinstall Linux after doing a chmod -R 777 accidentally while in the / directory.
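An added example, not part of the original article: a shell audit for the two conditions behind this story, an everyday account that carries root's UID and a root password field in the state passwd -l leaves behind. It assumes Joe's "root privileges" meant a UID 0 account (the article does not say how it was set up), and every account entry and hash below is constructed.

```shell
#!/bin/sh
# Added example; all account data below is constructed.

# Names of accounts other than "root" that have UID 0 (passwd-format file $1).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# State of the password field for user $2 in shadow-format file $1:
#   locked       "!" in front of a hash (what passwd -l leaves; passwd -u undoes it)
#   no-password  only "!" or "*" characters, no hash was ever set
#   empty        blank field, no password required
#   set          a usable hash
#   missing      no such entry
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")             print "empty"
            else if ($2 ~ /^[!*]+$/)  print "no-password"
            else if ($2 ~ /^!/)       print "locked"
            else                      print "set"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Write constructed passwd/shadow samples into directory $1.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:0:0:Joe:/home/joe:/bin/bash
frank:x:1001:1001:Frank:/home/frank:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!$6$CONSTRUCTED$NOTAREALHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
joe:$6$CONSTRUCTED$NOTAREALHASH:19000:0:99999:7:::
frank:$6$CONSTRUCTED$NOTAREALHASH:19000:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "UID 0 besides root: $(extra_uid0 "$tmp/passwd")"
for u in root joe daemon; do
    echo "$u: $(shadow_state "$tmp/shadow" "$u")"
done
rm -rf "$tmp"
```

On a live system the same functions can be pointed at /etc/passwd and, with root access, /etc/shadow.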

The second purpose of this story is to reinforce that no matter how well you know someone, no matter how much you trust your resource--whatever or whoever that may be--never simply do as you're told. Take the opportunity to learn more about Linux by checking the man pages on the commands you are given. Make doubly sure to research each of the options in that command. I'm sure Joe would have questioned Frank more closely after a quick passwd --help. Often, command --help displays a summary of the command and its options, and issuing the command man command typically yields even more information.

Finally, never make the mistake of assuming that the person you are helping has a certain level of knowledge. Frank was innocently playing around and inadvertently caused harm to Joe's system. I, too, assumed that Joe knew better. I was equally culpable (and if you read this, Joe, I am very sorry about this), in that I didn't call attention to the joke. True, Joe had been using Linux for some time now, but Frank and I should not have been messing around like that. We were there to help and, instead, had the opposite effect.

Always take the time to explain what the commands you are giving out should do. Similarly, encourage the new Linux user to check the man pages and make sure they know what the expected output should be. Always strive to help; after all, we're a community.

Now that I've finished relating this tale, I'm going to go off and find out what happened to Joe's system. And apologize.

Epilogue: Frank called Joe on the telephone and helped Joe manually edit the root password back to what it was. System saved!

Special thanks to Joe and Frank for allowing me to relate this tale.

______________________

Comments


Re: The Lessons Hardest Learned

I appreciate your posting this. It is a hard thing to admit.

As someone who has been both a newbie and an expert, the idea that people helping me would be making side jokes that look like assistance is deeply disturbing.

If you consent to help someone, even on a casual basis like this, you are ethically bound to be honest, accurate, and helpful. If you are dishonest about your level of knowledge, or the seriousness of their problem, you're not helping, though they may think you are. If your advice is inaccurate (as in the joke above), they may be harmed through your misspeaking. If you are not helpful (as in the joke above), again you are wasting their time and patience, and would be better off encouraging them to ask someone else.

Remember that offering to help creates a trust relationship. Take that trust seriously; it is given in all seriousness.

Re: The Lessons Hardest Learned

This is why when you want to play a joke on newbies, make sure it is non-destructive.

$cat /dev/urandom > /dev/dsp

Or, if you are a newbie to Linux, hang out in IRC channels where you know there are (or might be) ops that keep people in line if they start suggesting dangerous commands. #linuxhelp on irc.openprojects.net is like that; there are always people there to kick the jerks out. There are even helpful people there too. ;)

By their very nature, new Linux users don't know the power of some commands. They don't even know how to check what things do yet. I just wish there was a really good GUI man frontend that sat on these new desktop distros; that asked new users to take a look around at what they can do.

$man /sbin/* /bin/*

Qubes

Note: even with a deleted root password, everything was not lost. Linux allows you to boot into "single" user mode and fix things up. It's just more trouble than most newbies want to deal with.

Re: The Lessons Hardest Learned

WOW! You've got some very, very large balls for telling this story. I'm sure you expected to get some grief for telling it too, but I'm glad you did. It needed to be told.

I've spent a large part of the last ten years performing various support roles, from DOS to Windoze to vertical software markets, and across several states. The one universal joke is "ok sir/ma'am, now type - format space c:". Of course, in all that time, no one I've ever heard of has actually told a customer to do this.

Some people are making comments that software shouldn't allow you to hurt yourself and such...

What a load of *****! If you're going to help someone, you don't help them to hurt themselves.

If you're helping someone, you have to assume a lower knowledge level. Why else are they seeking your help?

Peace,

Terry.

Re: The Lessons Hardest Learned

The lesson to learn here is that software should not let users do things quite this silly. The passwd command should not let you lock the root account - it makes no sense to have the root account unloggable into, but accessible only to someone logged in as root.

Gerv

Re: The Lessons Hardest Learned

The passwd command should not let you lock the root account - it makes no sense to have the root account unloggable into, but accessible only to someone logged in as root.

Sure it makes sense. This guy had a root-level account already - why would you need the actual official 'root' in addition to that?
Or what if you only want to get in via ssh from a trusted host / trusted account? Then you don't need a password on the account. It might be a stretch, but someone could want that for root. Point being, tools shouldn't have arbitrary restrictions.

Re: The Lessons Hardest Learned

Amen. As a professional sysadmin, I am accustomed to working with a ``locked'' root account. I'll explain:

The authorized sysadmins here are given sudo command access to root privilege. Its logging of root privileged actions is important when figuring out what has changed on a system to explain new unwanted behavior it might exhibit.

The root account is not completely locked: our (competent) manager gave us an encrypted password string, and we installed that string in all the system /etc/shadow files (using sudo). So we don't know the root password. Now, if a system were to crash and be unable to fsck a filesystem, for instance, and demand the root password to boot, we can still recover it by retrieving it from a sealed envelope kept by the secretary, after which the root password gets changed again. Or boot from an install CD. Or from the network. Given those last two options, it would also be reasonable to operate with the root account locked completely, but the point is: tools should do what they are told; policy comes from people.

Or would you have rm -r refuse to operate in the root directory? In /etc? In /usr? In /home? In $HOME? Where would it stop?

Re: The Lessons Hardest Learned

Good on you, Ron. Glad it worked out.

ernie

Re: The Lessons Hardest Learned

If his account had root privileges, why not just get him to type passwd -u root?

Re: The Lessons Hardest Learned

My guess:

First, was the joke.

Now, I'll wager that it's because the guru assumed that the username did not have root-privileges and assumed that the SUCCESS message was also a joke. (Since any non-root username should return an error, right?)

So, as far as he knows, the joke passed and was forgotten. A few minutes later, the 'su' command doesn't work.

Collective "huh?" from everybody involved.

So, the guru tries to figure out what happened. He's now realized that he now can't assume anything about the user or his system, so he asks if the user knew about the joke.

Guru: When I told you to type 'passwd -l root' were there any errors? (Not wanting to alarm the poor newbie prematurely)

Newbie: Um... Let's see... scroll back... Nope, it didn't give me any errors at all.

Groan... Guru's stomach churns... Why would such a change be allowed?!? It should never happen if a regular user... Oh!

Guru: By some chance, does the account you're using have admin privileges?

Newbie: Yup.

Guru: OK, try this: 'passwd -u root'

Newbie: Um... OK.

Guru: Now 'su' and put in the root password when it asks.

Newbie: OK, now I have a # instead of a $. Does that mean anything?

You have no idea...

Re: The Lessons Hardest Learned

I thought this was an excellent article and encourage everyone to learn Linux and not just do what you are told.

And on that note, how does one manually edit the root password? Just curious and wanting to learn, but I am sure that it can be found by doing a little research.

Re: The Lessons Hardest Learned

Use a floppy distro like Tom's Root Boot and then mount your root drive and manually edit the /etc/shadow file to remove the root password (leaves it blank so you can give it a password again). If you are unsure about where the password is located there are man pages and several good tutorials on the net. I also have a copy of this floppy with me all the time - you never know when you'll need it (even to fix windows problems!).

Re: The Lessons Hardest Learned

Use a floppy distro like Tom's Root Boot and then mount your root drive and manually edit the /etc/shadow file to remove the root password (leaves it blank so you can give it a password again).

No need to edit the shadow file - just put an empty password field in the passwd file. Better yet - after mounting the root partition (on, say, /mnt), execute "chroot /mnt /bin/passwd".

Re: The Lessons Hardest Learned

One way: reboot in single-user mode.

Re: The Lessons Hardest Learned

Ummmm ... I can see why and how this happened, but one question nags at me; what was so funny about telling him to lock his root account in the first place? As a joke, irrespective of its unintended destructive consequences, I just don't see how it's humorous.

It's like telling a Windows newbie to erase a bunch of system files and then reboot. Sure, he should know better than to fall for it, but I'm not sure why it's so hilarious to begin with.

Did not expect him to have root

On a properly set up UNIX system, that command should not have worked. Had the system been set up normally no damage would have been done.
