Date: Thu, 26 Aug 2004 02:29:40 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Ara Avvali <Ara@Avvali.COM>
Cc: freebsd-questions@freebsd.org
Subject: Re: Change root user name? possible?
Message-ID: <20040825232940.GA2911@gothmog.gr>
In-Reply-To: <200408252303.i7PN3ROa014176@igloo.linux.gr>
References: <20040825225508.GC2226@gothmog.gr> <200408252303.i7PN3ROa014176@igloo.linux.gr>

[-- Outlook mutilation of text and top-posting manually fixed. --]

On 2004-08-25 19:03, Ara Avvali <Ara@Avvali.COM> wrote:
> Giorgos Keramidas [mailto:keramida@ceid.upatras.gr] wrote:
> > On 2004-08-25 18:50, Ara Avvali <Ara@Avvali.COM> wrote:
> > > Sorry if this might sound crazy, but is there any way to rename
> > > root account to something else for extra security?
> >
> > No.  At least, not as far as I know.
> >
> > Probably because it wouldn't provide any extra security unless you
> > tinkered with a hell of a lot of settings; [...]
>
> What I mean if someone wants to hack to machine or even get physical access
> half of the job is done by knowing the root user name. Although windows
> security blows but they have this feature renaming administrator user
> account name

Even if you rename the root user it's easy to find out the names of the
privileged accounts on a system by looking at /etc/passwd.

The mapping of username/userid is useful for many things besides knowing
who the "root" user is though, so it would break a lot of things if you
just removed the read permissions of /etc/passwd.  For instance, ls(1)
would have no way to match the owner of files with a name in filename
listings and would produce output like this:

    $ ls -ln | head -5
    total 1804
    drwxrwxr-x  2 1001  groupname    512 Aug 23 04:37 CVS
    drwxrwxr-x  5 1001  groupname    512 Jan 12  2003 GNUstep
    drwxrwxr-x  4 1001  groupname    512 Dec 26  2003 Mail
    -rw-------  1 1001  groupname  46340 Aug 26 02:10 Mailbox

Not very nice...

Other parts of /etc that are now readable and provide potentially
harmful information are practically all the files in `/etc'.  Instead of
hacking the permissions and owner of these files to avoid letting your
users read things that they should not be able to read, you might find
it more useful and more convenient to use chroot(8) or jail(8) to
compartmentalize the system and block the user from accessing the
"outer" levels of the installation.

> It would be like if you want to go in a street and steal a diamond ring.
> First you have to know the lot number of house which has it and second the
> key to get in. would make it harder to try every single house

Yeah, well.  You wouldn't be able to steal the diamond if you were
trapped in a single neighborhood and the diamond happened to be in a
safe downtown, a few dozen neighborhoods away ;-)

> Anyway thank you for fast response

You're welcome.

- Giorgos
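
Added example, not part of the original message: a small audit sketch of the two points made above, that the privileged accounts are identified by UID 0 rather than by name, and that a file listing can only show numeric owners once the name/uid map is unreadable. The passwd(5) data, the account names "sysop" and "alice", and the function names are constructed for illustration.

```python
# Added example: constructed sample data, not taken from the thread.
SAMPLE_PASSWD = """\
# constructed sample; the superuser has been renamed to "sysop"
sysop:*:0:0:Renamed superuser:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Sample User:/home/alice:/bin/tcsh
broken-line-without-enough-fields
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Yield (name, uid) for each well-formed 7-field passwd(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            continue  # skip malformed entries instead of guessing
        yield fields[0], int(fields[2])

def uid0_accounts(text):
    """Names of every account with UID 0, whatever it is called."""
    return [name for name, uid in parse_passwd(text) if uid == 0]

def owner_label(uid, text=None):
    """Owner column of a listing: the name if the map is readable, else the number."""
    if text is None:  # models an unreadable /etc/passwd
        return str(uid)
    # Reverse so that the first entry for a uid wins when several share it.
    names = {u: n for n, u in reversed(list(parse_passwd(text)))}
    return names.get(uid, str(uid))

if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("uid 1001, map readable:  ", owner_label(1001, SAMPLE_PASSWD))
    print("uid 1001, map unreadable:", owner_label(1001))
```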