Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 11 Feb 2010 13:58:07 -0500
From:      Bob Johnson <fbsdlists@gmail.com>
To:        Lin Taosheng <taosheng.lin@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HELP! Is that possible "creating a user named root but acturally not the administrator root"
Message-ID:  <54db43991002111058r1d8d1244mff110ec0b6f69046@mail.gmail.com>
In-Reply-To: <19315.37670.468383.119569@jerusalem.litteratus.org>
References:  <5ffa459b1002102005i6b03c6fcqc1d4a11f590164d4@mail.gmail.com> <19315.37670.468383.119569@jerusalem.litteratus.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 2/11/10, Robert Huff <roberthuff@rcn.com> wrote:
>
> Lin Taosheng writes:
>
>>      Is that possible to implementated?
>

Yes, use vipw to edit the password file. Add another username that is
UID zero. The name "toor" is actually already there as an example of
how to do that, but it is disabled because it has a "*" in the
password field. After the new username is tested and you know it
works, use vipw to replace the password field for "root" to an "*".
Then root will still exist, but it will not be possible to log in to
it. You could also delete the entire line for "root", but that gets
farther into unusual territory and increases the chance that you will
break something else by doing so.

> 	For most purposes, what's important is not the account name,
> but the User II.  "Root" is special because it has UID 0.  You can,
> create other accounts with UIS 0 ... but it's usually a Very Bad
> Idea.

I know of no reason that this would be a bad idea. It is in fact
useful in some situations to have more than one admin account, enough
so that about a decade ago some effort was put into making sure it
works properly when you do that in FreeBSD.

> As far as I know, there's no reason you can't rename the "root"
> account and have a non UID 0 account with that name.  On the other
> hand, if you're asking this question there may be a better way to
> accomplish your objective: would you care to share?

Having an account named "root" that is not UID 0 (i.e. not an
administrator), is likely to have unexpected side effects that you
probably won't like. So even though it has theoretical security
advantages (because unlike Windows, you can't remotely query FreeBSD
and ask it the name of its administrator account), it probably isn't a
good idea. A quick search turned up problems when people tried this in
Debian, and I would expect similar issues in FreeBSD. But if you try
it, I'd love to hear the result.

If you are worried about remote logins to the root account, that is
actually disabled by default in FreeBSD. The biggest hazard you face
in that area is that if you configure SSH to use PAM login, the PAM
subsystem can allow remote root logins when you think they are
disabled. You have to be careful to configure SSH (and anything else
that uses PAM) correctly in that situation.

- Bob Johnson



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54db43991002111058r1d8d1244mff110ec0b6f69046>