Admin is Root

It’s that time again. Yet another security researcher has discovered and “disclosed” that in Untangle “admins” have administrator privileges. In Untangle, and in general English, “admin” is abbreviation for “administrator.” If an admin creates a new set of admin credentials (a username/password) and provides those credentials to a person, then that person now has administrator access. This level of access is also called “root” or “superuser” in some cases. In Untangle, and indeed in most tech products, admin/administrator/root/superuser are just different words to describe the same thing.

This means as admin (root) you have the power to:

  • Read/Modify any setting
  • Restore/Backup all settings
  • Create more administrators
  • Delete/Modify/Create any file
  • Run any command
  • Install any software
  • Anything!

If that seems like a lot of access ,that is because it is! With admin access, you can literally do anything: you own the device.
You can nuke the software entirely or delete critical components. You can analyze and modify the software running on the device. You can install new software. You can even do things that we at Untangle think you should not do.

If everything you’ve read up until this point seemed somewhat obvious, we would agree.

However, based on a public “disclosure” that admins have administrator access, it is clear some do not agree.

I suspect there are two reasons behind this:

1. Users don’t understand that “admin” is short for “administrator.”
In the past we added very explicit statements to the documentation to ensure it was clear:

Administrators have full administrator/root access to the Untangle server.
Additional administrator accounts are also administrators. They also have full administrator/root access.

In hindsight, This is not sufficient since reading the documentation is not mandatory and is often only consulted only as a last resort. As such, we’ve added a very explicit warning in the UI when creating “Admin Accounts” that these new accounts are administrator/root/superuser accounts. Hopefully, this will clear up any confusion and prevent users from accidentally creating admin accounts and accidentally giving others administrator access.

2. Users simply don’t agree that “admin” should have “root” access. They believe these should be two different privilege levels.

I suspect this more likely the case since the people generally disclosing that “administrators have administrator access” are not dumb. Unfortunately, instead of stating that they disagree with our design and using another product, they instead choose to claim it as a security flaw.

Why is root access important?

There are some consumer and small business products where the administrator of the software or device does not have root access. iPhones (and many Android phones) are a very common case. In these cases, the administrator or owner of the phone does not have true root access to the device.

The process of “rooting” or “jailbreaking” your device is shorthand for gaining root access through some exploit or flaw in the system. Unfortunately, rooting many modern phones is not possible anymore. Bootloaders have been locked and root exploits have been fixed.

We strongly disagree with this approach.

Not having root access on your iPhone or Android phone or iPad is currently a mild inconvenience. For example, You can’t remove that Verizon NFL or Amazon Music app that comes pre-installed. You can’t install an ad blocker. You can’t tether to your PC because they want to be able to charge more for that functionality. While annoying, these things won’t ultimately kill you, and you’ll still probably be happy with your shiny new phone.

However, root access is important not just because it allows you fix these mild inconveniences; root access is important because it represents your digital liberties.

Without root access, you lose the ability to determine (as the owner of the device) what is and is not acceptable. There is no transparency in how the product works. You have no ability to inspect how it works. You can only do what the provider defines as appropriate behavior.

Don’t want data shared about your daily activities? You have no right to really see what information is being shared, nor change it even if you did.
Don’t want your carrier to have access to your device? You have no right to verify what your carrier does and does not have access to.
Don’t want government organizations to have access by proxy to your phone and data through your carrier? Too bad.

Sadly, this battle on smartphones is all but lost in the United States. Very few modern smartphones are rootable, especially on the main carriers like Verizon, AT&T, etc. They go the extra mile with locked down bootloaders and special firmware to ensure users can’t gain root access.

However, the battle is just beginning on consumer Wi-Fi routers. A new age of home routers is being produced. The Google OnHub home router is very locked down and very difficult to root. The bootloader is locked and the new firmware must be signed by Google. With recent FCC comments, many vendors like TP-Link, ASUS, and Buffalo are starting to lockdown their firmware so that routers can only run “official” (company distributed) firmware images. All these actions are taken with good intent (restricting access to unapproved radio frequencies); however, the end result is the erosion of your digital liberties.

Like many rights we have in society, we may not exercise our rights very often, but that does not mean they are not important. Untangle is open source at its core, and we believe in many open source principles. We believe that, even though you install our software on your server, you still own the server and should have ultimate say in how the server operates. There should be transparency into what and how the server operates, and root access to the device is an essential part of that.

—Dirk