Date: Thu, 11 Feb 2010 21:16:01 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Matthew Seaman <m.seaman@black-earth.co.uk>
Cc: Lin Taosheng <taosheng.lin@gmail.com>, Robert Huff <roberthuff@rcn.com>, freebsd-questions@freebsd.org
Subject: Re: HELP! Is that possible "creating a user named root but acturally not the administrator root"
Message-ID: <87hbpntwge.fsf@kobe.laptop>
In-Reply-To: <4B73B9F0.1020105@black-earth.co.uk> (Matthew Seaman's message of "Thu, 11 Feb 2010 08:04:00 +0000")
References: <5ffa459b1002102005i6b03c6fcqc1d4a11f590164d4@mail.gmail.com> <19315.37670.468383.119569@jerusalem.litteratus.org> <874olocpmc.fsf@kobe.laptop> <4B73B9F0.1020105@black-earth.co.uk>

On Thu, 11 Feb 2010 08:04:00 +0000, Matthew Seaman <m.seaman@black-earth.co.uk> wrote:
> On 11/02/2010 05:23, Giorgos Keramidas wrote:
>> On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff <roberthuff@rcn.com> wrote:
>>> Lin Taosheng writes:
>>>> Is that possible to implement?
>>>
>>> For most purposes, what's important is not the account name,
>>> but the User ID. "Root" is special because it has UID 0. You can
>>> create other accounts with UID 0 ... but it's usually a Very Bad
>>> Idea.
>>>
>>> As far as I know, there's no reason you can't rename the "root"
>>> account and have a non UID 0 account with that name. On the other
>>> hand, if you're asking this question there may be a better way to
>>> accomplish your objective: would you care to share?
>>
>> The kernel doesn't really care what your user *name* is. See for
>> example the 'toor' user in '/etc/master.passwd'.
>
> On the other hand, lots of software expects the superuser account to
> be called 'root' because that's what it always has been ever since
> Thompson and Ritchie et al. first created Unix. Changing the name of
> the superuser account, and making root into an unprivileged user will
> cause you much wailing and gnashing of teeth. It doesn't really buy
> you much in terms of improved security in any case. Far better to
> concentrate on making it impossible for the existing root account to
> be compromised.

This is a good point. One can argue that the specific applications are
those that are broken if they do not use a tunable option to switch the
name of the 'privileged user'. But that doesn't negate the fact that
precisely *this* type of application exists out there and will break.
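
The thread's point that privilege follows UID 0 rather than the account name is what an account audit should check. The script below is an added example, not part of the original message; it assumes the passwd(5)/master.passwd(5) layout (name in field 1, UID in field 3), and the function names, the `UID0_ALLOW` variable and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd-format file for the two conditions discussed in the thread:
#   1. every account with UID 0 (a superuser, whatever it is called), and
#   2. an account named "root" that does not have UID 0.
# Name and UID are fields 1 and 3 in both /etc/passwd (7 fields) and
# FreeBSD's /etc/master.passwd (10 fields).

audit_uid0() {
    # $1: file to audit; reads standard input when omitted.
    # UID0_ALLOW (assumption of this example): names expected to hold UID 0.
    awk -F: -v allow="${UID0_ALLOW:-root toor}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 7 { next }          # skip comments and short lines
        $3 ~ /^0+$/ {                          # "0" or "00": still the superuser
            tag = ($1 in ok) ? "expected-uid0" : "UNEXPECTED-uid0"
            print tag, $1
        }
        $1 == "root" && $3 !~ /^0+$/ { print "root-not-superuser", "uid=" $3 }
    ' "${1:--}"
}

# Constructed sample in master.passwd layout (not taken from a real host):
# the superuser has been renamed and "root" is an ordinary account.
sample_passwd() {
    cat <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home:shell
sysadm:*:0:0::0:0:Renamed superuser:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
root:*:1001:1001::0:0:Unprivileged account named root:/home/root:/bin/sh
EOF
}

sample_passwd | audit_uid0
```

On a real system the function would be pointed at the password file, for example `audit_uid0 /etc/master.passwd` run with sufficient privilege to read it.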