Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On 2/11/10, Jerry McAllister wrote:
> On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:
>
>> On 2/11/10, Robert Huff wrote:
>> >
>> > Lin Taosheng writes:
>> >
>> >> Is that possible to implement?
>> >
>>
>> Yes, use vipw to edit the password file. Add another username that is UID zero. The name "toor" is actually already there as an example of how to do that, but it is disabled because it has a "*" in the password field. After the new username is tested and you know it works, use vipw to replace the password field for "root" to an "*". Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for "root", but that gets farther into unusual territory and increases the chance that you will break something else by doing so.
>
> If I take what the OP said literally, you are answering backwards. The OP asked if it is possible to name a different account root - eg one that is not UID 0. You are answering that it is possible to give an account other than root a UID 0.
>
> Now, the OP may have meant to ask what you are answering and just got it mixed up. But, that was not the way the question went.

Oops. Rats. When I started my reply I had it right, but by the time I finished I had confused myself. Thanks.

Anyway, it's possible, but in practice it probably won't work right, and doesn't do much for security anyway.

- Bob

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On Thu, 11 Feb 2010 08:04:00, Matthew Seaman wrote:
> On 11/02/2010 05:23, Giorgos Keramidas wrote:
>> On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff wrote:
>>> Lin Taosheng writes:
>>>> Is that possible to implement?
>>>
>>> For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>>>
>>> As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>>
>> The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.
>
> On the other hand, lots of software expects the superuser account to be called 'root' because that is what it always has been ever since Thompson and Ritchie et al. first created Unix. Changing the name of the superuser account, and making root into an unprivileged user will cause you much wailing and gnashing of teeth. It doesn't really buy you much in terms of improved security in any case. Far better to concentrate on making it impossible for the existing root account to be compromised.

This is a good point. One can argue that the specific applications are those that are broken if they do not use a tunable option to switch the name of the 'privileged user'. But that doesn't negate the fact that precisely *this* type of application exists out there and will break.
Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:
> On 2/11/10, Robert Huff wrote:
> >
> > Lin Taosheng writes:
> >
> >> Is that possible to implement?
> >
>
> Yes, use vipw to edit the password file. Add another username that is UID zero. The name "toor" is actually already there as an example of how to do that, but it is disabled because it has a "*" in the password field. After the new username is tested and you know it works, use vipw to replace the password field for "root" to an "*". Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for "root", but that gets farther into unusual territory and increases the chance that you will break something else by doing so.

If I take what the OP said literally, you are answering backwards. The OP asked if it is possible to name a different account root - eg one that is not UID 0. You are answering that it is possible to give an account other than root a UID 0.

Now, the OP may have meant to ask what you are answering and just got it mixed up. But, that was not the way the question went.

Anyway, even if it is possible to name a non-UID 0 account root, it is a very bad idea. Too many things assume that the string 'root' refers to the UID 0 account. There may be something that depends on it.

On the other side, it is possible to give an account with a different name the UID of 0. This is often done so someone can work at a root level without using the root name - probably in hopes of controlling things more tightly. Maybe it might help a bit. But, the FreeBSD system comes automatically set so you cannot log in over the net with a root (eg a UID 0) account. The recommended way to get to root is to either use the console or to log in as a non-root account using an encrypted path and then su(1) to root or to a root account (eg one with UID 0).

jerry

> > For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>
> I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD.
>
> > As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>
> Having an account named "root" that is not UID 0 (i.e. not an administrator), is likely to have unexpected side effects that you probably won't like. So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result.
>
> If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation.
>
> - Bob Johnson
Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On 2/11/10, Robert Huff wrote:
>
> Lin Taosheng writes:
>
>> Is that possible to implement?
>

Yes, use vipw to edit the password file. Add another username that is UID zero. The name "toor" is actually already there as an example of how to do that, but it is disabled because it has a "*" in the password field. After the new username is tested and you know it works, use vipw to replace the password field for "root" to an "*". Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for "root", but that gets farther into unusual territory and increases the chance that you will break something else by doing so.

> For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.

I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD.

> As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

Having an account named "root" that is not UID 0 (i.e. not an administrator), is likely to have unexpected side effects that you probably won't like. So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result.

If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation.

- Bob Johnson
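An added audit example, not part of the thread, for the points Bob raises above: it parses constructed master.passwd(5) records (ten colon-separated fields, as on FreeBSD) and reports every UID 0 account, whether each is locked with "*" in the password field (or the "*LOCKED*" prefix that pw(8) lock uses), and any account named "root" that is not UID 0. The sample records and hash placeholders are constructed for the example.

```python
"""Audit FreeBSD master.passwd records for superuser-account anomalies."""
from dataclasses import dataclass

# master.passwd(5) layout: name:passwd:uid:gid:class:change:expire:gecos:home:shell
FIELDS = 10


@dataclass
class Entry:
    name: str
    passwd: str
    uid: int


def parse_master_passwd(text: str) -> list[Entry]:
    """Parse master.passwd text; comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != FIELDS:
            raise ValueError(f"line {lineno}: expected {FIELDS} fields, got {len(parts)}")
        entries.append(Entry(parts[0], parts[1], int(parts[2])))
    return entries


def is_locked(passwd: str) -> bool:
    # "*" can never match a hash; pw(8) lock prefixes the hash with "*LOCKED*".
    return passwd == "*" or passwd.startswith("*LOCKED*")


def audit(entries: list[Entry]) -> list[str]:
    """Return human-readable findings about UID 0 and the 'root' name."""
    findings = []
    uid0 = [e for e in entries if e.uid == 0]
    for e in uid0:
        state = "locked" if is_locked(e.passwd) else "password login enabled"
        findings.append(f"UID 0 account '{e.name}': {state}")
    if sum(1 for e in uid0 if not is_locked(e.passwd)) > 1:
        findings.append("more than one UID 0 account accepts password login")
    for e in entries:
        if e.name == "root" and e.uid != 0:
            findings.append(f"account named 'root' has UID {e.uid}, not 0")
    if not uid0:
        findings.append("no UID 0 account at all")
    return findings


# Constructed sample, not a real system file; hashes are placeholders.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:$6$abc$hashplaceholder:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
adm2:$6$def$hashplaceholder:0:0::0:0:Second admin:/root:/bin/sh
alice:$6$ghi$hashplaceholder:1001:1001::0:0:Alice:/home/alice:/bin/sh
"""
```

Run `audit(parse_master_passwd(SAMPLE))` to see the shared-UID-0 case; feed it the contents of a real /etc/master.passwd (readable only by root) to check a live system.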
Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On 11/02/2010 05:23, Giorgos Keramidas wrote:
> On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff wrote:
>> Lin Taosheng writes:
>>> Is that possible to implement?
>>
>> For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>>
>> As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>
> The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.

On the other hand, lots of software expects the superuser account to be called 'root' because that is what it always has been ever since Thompson and Ritchie et al. first created Unix. Changing the name of the superuser account, and making root into an unprivileged user will cause you much wailing and gnashing of teeth. It doesn't really buy you much in terms of improved security in any case. Far better to concentrate on making it impossible for the existing root account to be compromised.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Black Earth Consulting
Free and Open Source Solutions
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
Tel: +44 (0)1843 580647
Re: HELP! Is that possible "creating a user named root but actually not the administrator root"
On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff wrote:
> Lin Taosheng writes:
>> Is that possible to implement?
>
> For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>
> As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.
HELP! Is that possible "creating a user named root but actually not the administrator root"
Lin Taosheng writes:
> Is that possible to implement?

For most purposes, what's important is not the account name, but the User ID. "Root" is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.

As far as I know, there's no reason you can't rename the "root" account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

Respectfully,

Robert Huff
HELP! Is that possible "creating a user named root but actually not the administrator root"
Hi all,

Is that possible to implement?