Kali Linux Default Non-Root User in Kali 2020.1 Update

Happy New Year to everyone. This new year, Kali Linux is releasing a new update, Kali 2020.1. For many years Kali has inherited the default root user policy from BackTrack. As part of the evaluation of Kali tools and policies, the Kali developers have decided to change this default root user system and move Kali to a "traditional default non-root user" model. This change will be part of the 2020.1 release, which may come at the end of this January or at the beginning of February. We can see the changes in the weekly images starting now.


Kali Linux 2020.1 Update

The History of Default root User System


In the old days (May 2006) there was BackTrack. In its original form, BackTrack (versions 1-4) was a Slackware-based live distro intended to be run from a CD-ROM or USB.
In this model there was no real update mechanism, just a bunch of pentesting tools in the /pentest/ directory that we could use as part of assessments. It was the early days, so things were not very realistic; we were just happy things worked. A lot of those tools back then either required root access to run or ran better when run as root. Since this BackTrack distro would be run from a CD, never be updated, and had many tools that needed root access to run, it was a simple decision to have an "everything as root" security model. It made complete sense for the time.

BackTrack

As time went by, however, there were a number of changes. All of us who were around back then remember things a little differently, but in broad strokes, people were installing BackTrack on bare metal, so the developers felt there should be an update mechanism, especially after they noticed, around Defcon, that many people were using a version of BackTrack that was vulnerable to a certain exploit which had come out a few weeks prior. That led to basing BackTrack 5 on Ubuntu instead of Slackware live (Feb 2011). Then, as more time went by, they were so busy fighting with Ubuntu that they decided to move on to something else. Then we got Kali, an official Debian derivative.


Modern Kali


The move to being a Debian derivative brought with it a whole host of advantages.

Debian has a well earned reputation for being one of the most stable Linux distros out there. Debian-Testing is the development branch of the next version of Debian, and realistically is still more stable than many mainstream Linux distros.
While we don’t encourage people to run Kali as their day to day operating system, over the last few years more and more users have started to do so (even if they are not using it to do penetration testing full time), including some members of the Kali development team. When people do so, they obviously don’t run as default root user. With this usage over time, there is the obvious conclusion that default root user is no longer necessary and Kali will be better off moving to a more traditional security model.

Why Some Tools Require Root Access


Let's have a quick sidebar and review how some tools require root. For this, we will pick on nmap.
Nmap is hands down the most popular port scanner in use today, and one of the most popular tools used on Kali. When run by a non-root user doing a standard scan, nmap will default to running what is known as a connect scan (-sT). In this sort of scan, a full TCP three-way handshake is conducted to identify whether a given port is open or not. However, when run as the root user, nmap takes advantage of the additional privileges to use raw sockets and will conduct a SYN scan (-sS), a far more popular scan type. This SYN scan is not possible unless run as root.
This aspect of security tools requiring root level permissions traditionally has not been uncommon. Running as a root user by default makes it easier to use these tools.
One of the possibly surprising conclusions we came to while looking at this issue is that the number of tools that require root access has dropped over the years. This has made the default root policy less useful, bringing us to the point where we are now going to make this change.
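The privilege behind the nmap case above is the ability to open a raw socket, which Linux grants to processes holding CAP_NET_RAW (root has it, an ordinary user does not). The following is an added example, not code from Kali or nmap: it reads the effective capability mask from /proc status text and probes whether a raw socket can be opened. The function names and sample status text are constructed for illustration.

```python
import socket

CAP_NET_RAW = 13  # bit index of CAP_NET_RAW in linux/capability.h


def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_cap(mask, bit):
    """True if capability number `bit` is set in the mask."""
    return bool((mask >> bit) & 1)


def can_open_raw_socket():
    """Open and immediately close a raw IPv4/TCP socket; sends no packets."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except PermissionError:
        return False
    s.close()
    return True


def scan_type_per_page(raw_ok):
    """Scan type the page describes: SYN scan with raw sockets, else connect."""
    return "-sS" if raw_ok else "-sT"


# Constructed samples of /proc/self/status content (not captured from a host).
SAMPLE_USER = "Name:\tpython3\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_ROOT = "Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for name, text in (("user", SAMPLE_USER), ("root", SAMPLE_ROOT)):
        raw = has_cap(effective_caps(text), CAP_NET_RAW)
        print(name, "CAP_NET_RAW:", raw, "scan type:", scan_type_per_page(raw))
    print("this process can open a raw socket:", can_open_raw_socket())
```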


Many Applications Require Non Root Accounts



In the opposite direction, over the years a number of applications and services have been configured to forbid their usage as the root user. This has become either a maintenance burden for us (when we opted to patch out the check or reconfigure the service) or a nuisance for users who could not use their application (with chrome/chromium being a well-known case).
Dropping this default root policy will thus simplify maintenance of Kali and will avoid problems for end-users.

Kali Non-Root User Implementation

There are a number of changes you can expect to see as part of this change.
  • Kali in live mode will run as user kali with password kali. No more root/toor. (Get ready to set up your IDS filters, as we are sure this user/pass combo will soon be scanned for by bots everywhere.)
  • On install, Kali will prompt you to create a non-root user that will have administrative privileges (due to its addition to the sudo group). This is the same process as other Linux distros you may be familiar with.
  • Tools that we identify as needing root access, as well as common administrative functions such as starting/stopping services, will interactively ask for administrative privileges (at least when started from the Kali menu). If you really don’t care about security, and if you preferred the old model, you can install kali-grant-root and configure password-less root rights using the following command:

dpkg-reconfigure kali-grant-root

All in all, we don’t expect this to be a major change for most users. It is possible that some tools or administrative functions will be missed in our review; when that happens, we would ask that you create a bug report so it can be tracked and corrected.
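For the IDS filters mentioned in the first bullet above, here is one way to watch for password logins against the default account names. This is an added example, not part of the Kali announcement: it assumes OpenSSH-style auth log lines, the function name and threshold are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter

# Default live-image account names mentioned on this page (new and old).
WATCHED_USERS = {"kali", "root"}

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def scan_auth_log(lines, watched=WATCHED_USERS, threshold=3):
    """Summarise password logins against watched default account names.

    Returns (noisy_sources, accepted): source IPs with at least `threshold`
    failed attempts, and every accepted password login as (user, ip).
    """
    failed = Counter()
    accepted = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m["user"] not in watched:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            accepted.append((m["user"], m["ip"]))
    noisy = {ip: n for ip, n in failed.items() if n >= threshold}
    return noisy, accepted


# Constructed sample log lines using documentation-range addresses.
SAMPLE_LOG = [
    "Jan  2 03:14:07 host sshd[1234]: Failed password for invalid user kali from 203.0.113.5 port 50022 ssh2",
    "Jan  2 03:14:09 host sshd[1234]: Failed password for invalid user kali from 203.0.113.5 port 50023 ssh2",
    "Jan  2 03:14:11 host sshd[1234]: Failed password for root from 203.0.113.5 port 50024 ssh2",
    "Jan  2 03:20:00 host sshd[1290]: Failed password for alice from 192.0.2.10 port 41000 ssh2",
    "Jan  2 03:21:30 host sshd[1301]: Failed password for invalid user kali from 198.51.100.7 port 40001 ssh2",
    "Jan  2 03:21:42 host sshd[1302]: Accepted password for kali from 198.51.100.7 port 40002 ssh2",
    "Jan  2 03:30:00 host sshd[1310]: Accepted publickey for alice from 192.0.2.10 port 41001 ssh2",
]

if __name__ == "__main__":
    noisy, accepted = scan_auth_log(SAMPLE_LOG)
    print("sources over threshold:", noisy)
    print("accepted password logins as default accounts:", accepted)
```

An accepted password login as one of the watched names is the entry to review first; the failed-attempt counts mostly measure background scanning.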

Going Forward


All that said, we are still not encouraging people to use Kali as their day to day operating system. More than anything else, this is because we don’t test for that usage pattern and we don’t want the influx of bug reports that would come with it. However, for those of you that are familiar with Kali and want to run it as your day to day platform, this change should help you out a lot. For the rest of you, this should give you a better security model to operate under while you are doing assessments.
As we mentioned at the start, this change is currently available in the daily builds and will be in the next weekly build. Feel free to download and test early, as we would like to have as many potential issues shaken loose before release as possible. The more active users on this the better.
Reviewed by Kali Linux on January 01, 2020