From owner-freebsd-questions@FreeBSD.ORG Thu Feb 11 18:58:08 2010
From: Bob Johnson
To: Lin Taosheng
Cc: freebsd-questions@freebsd.org
Date: Thu, 11 Feb 2010 13:58:07 -0500
Message-ID: <54db43991002111058r1d8d1244mff110ec0b6f69046@mail.gmail.com>
In-Reply-To: <19315.37670.468383.119569@jerusalem.litteratus.org>
References: <5ffa459b1002102005i6b03c6fcqc1d4a11f590164d4@mail.gmail.com> <19315.37670.468383.119569@jerusalem.litteratus.org>
Subject: Re: HELP! Is that possible "creating a user named root but acturally not the administrator root"

On 2/11/10, Robert Huff wrote:
>
> Lin Taosheng writes:
>
>> Is that possible to implement?
>

Yes, use vipw to edit the password file. Add another username that is UID zero. The name "toor" is actually already there as an example of how to do that, but it is disabled because it has a "*" in the password field. After the new username is tested and you know it works, use vipw to replace the password field for "root" with an "*". Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for "root", but that gets farther into unusual territory and increases the chance that you will break something else by doing so.

> For most purposes, what's important is not the account name,
> but the User ID. "Root" is special because it has UID 0. You can
> create other accounts with UID 0 ... but it's usually a Very Bad
> Idea.

I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD.

> As far as I know, there's no reason you can't rename the "root"
> account and have a non UID 0 account with that name. On the other
> hand, if you're asking this question there may be a better way to
> accomplish your objective: would you care to share?

Having an account named "root" that is not UID 0 (i.e. not an administrator) is likely to have unexpected side effects that you probably won't like.

So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result.

If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation.

- Bob Johnson
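The reply above describes two things an administrator would want to verify after editing the password file with vipw: which accounts carry UID 0, and whether the ones that should be disabled really have "*" in their password field, plus the sshd_config settings (PermitRootLogin, UsePAM) that govern remote root login. The following audit script is an added example written for this archive page; it is not code from the thread. It works on a constructed master.passwd-style sample and a constructed sshd_config fragment embedded inline; on a real host you would feed it /etc/master.passwd (readable only by root) and /etc/ssh/sshd_config, and the treatment of "*LOCKED*" as a locked marker is an assumption based on how pw(8) locks accounts.

```shell
#!/bin/sh
# Audit helper (added example, not from the original thread).
# Parses passwd-format data for UID-0 accounts, reports which of them are
# locked, and reads the effective PermitRootLogin / UsePAM values from an
# sshd_config fragment (sshd uses the first occurrence of a keyword).

# Constructed sample in master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:$6$constructedsalt$constructedhash:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$othersalt$constructedhash2:1001:1001::0:0:Alice:/home/alice:/bin/sh'

# Constructed sshd_config fragment; the commented-out line must be ignored.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
UsePAM yes
#PermitRootLogin yes
PermitRootLogin no'

# Print every account name whose UID field (3rd field) is 0, one per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Return 0 if account $1 in passwd data $2 has a locked password field:
# a bare "*" (as toor ships with) or a "*LOCKED*" prefix (assumed pw lock marker).
is_locked() {
    pw_field=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }')
    case "$pw_field" in
        '*'|'*LOCKED*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print how many UID-0 accounts still have a usable password field.
login_capable_uid0_count() {
    n=0
    for u in $(uid0_accounts "$1"); do
        is_locked "$u" "$1" || n=$((n + 1))
    done
    echo "$n"
}

# Print the value of sshd_config keyword $1 from config text $2
# (case-insensitive keyword match, first occurrence wins, comments skipped).
sshd_option() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Human-readable report combining the checks above.
report() {
    echo "UID-0 accounts:"
    for u in $(uid0_accounts "$1"); do
        if is_locked "$u" "$1"; then
            echo "  $u (locked)"
        else
            echo "  $u (password login possible)"
        fi
    done
    echo "UID-0 accounts with usable passwords: $(login_capable_uid0_count "$1")"
    echo "sshd PermitRootLogin: $(sshd_option PermitRootLogin "$2")"
    echo "sshd UsePAM: $(sshd_option UsePAM "$2")"
}

report "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"
```

Against the sample, the report lists root as locked and toor as login-capable, which is the intended end state described in the reply (the new UID-0 account works, root's password field is "*"). Any UID-0 name that is not expected, or more than one login-capable UID-0 account, is what an auditor would flag.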