From: "Atom Powers"
To: "Wouter"
Date: Thu, 3 Mar 2005 09:12:38 -0800
Subject: RE: Renaming root account

Enabling "toor" is not very different from renaming the root account, worse because you would then have two "root" (uid 0) accounts.

I don't see any harm in renaming the root account, but I don't think it would do much either. Most processes that use root run with setuid 0, regardless of what's in the passwd file. Even in user land you don't have to know what the root account is named if you use 'su' or 'sudo'.

The only case I can envision where it would make a difference is if you have an application which wants to run as a specific (usually unpriv.) user and you set it to use "root", or if you allow "root" logon through ssh (bad idea) or terminal (but if somebody can get that then you are already in trouble).

----
Perfection is just a word I use occasionally with mustard.
Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Wouter
Sent: Thursday, March 03, 2005 1:22 AM
To: freebsd-security@freebsd.org
Subject: Re: Renaming root account

Renaming root is generally a bad idea, what you could do, however, is set a password on (thus enabling) the "toor" account and set root's shell to /sbin/nologin

Wouter

----- Original Message -----
From: "Craig Edwards"
To:
Sent: Thursday, March 03, 2005 09:03
Subject: Renaming root account

> Hi everyone,
>
> One quick question: Is it safe and/or sensible to rename the root
> account, so that the only uid 0 user on a system is something different
> to root? I can see how this would be effective against external
> attackers who have no knowledge of the internals of the system as they
> would spend pointless hours trying to crack a user which doesn't exist,
> however to internal users they could always just cat /etc/passwd and see
> that root has been renamed. So firstly, is this possible, and security
> wise is it of any real use? Can anyone think of any apps it would break
> that assume that the uid 0 user is called root and don't just address
> the user by its uid?
>
> Thanks,
> Craig Edwards
>
> --
> WinBot IRC client developer: http://www.winbot.co.uk
> ChatSpike - The users network: http://www.chatspike.net
> InspIRCd - Modular IRC server: http://www.inspircd.org
> Online RPG Developer: http://www.ssod.org
> --
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
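
Added example, not part of any message in this thread: a shell check that lists every uid 0 entry in a passwd(5)-format file, whatever its name, together with its effective shell. The sample entries (including the renamed account "admin") and the function names are constructed for illustration; whether an account can actually authenticate also depends on its password field in master.passwd, which this check does not read.

```shell
#!/bin/sh
# Added example: audit uid 0 accounts by uid, not by name.

# Constructed sample in passwd(5) format (name:pw:uid:gid:gecos:home:shell).
# root has its shell set to nologin, toor has an empty shell field,
# and "admin" stands in for a renamed superuser account (hypothetical).
sample_passwd() {
cat <<'EOF'
# constructed sample data
root:*:0:0:Charlie &:/root:/sbin/nologin
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
admin:*:0:0:Renamed superuser:/root:/bin/csh
craig:*:1001:1001:Craig:/home/craig:/bin/sh
EOF
}

# uid0_accounts: read passwd(5) lines on stdin and print
# "name shell verdict" for every entry whose uid is 0.
uid0_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }            # skip comments and short lines
        $3 == 0 {
            # an empty shell field means /bin/sh, per passwd(5)
            shell = ($7 == "") ? "/bin/sh" : $7
            verdict = (shell ~ /\/nologin$/) ? "no-login" : "login-shell"
            print $1, shell, verdict
        }'
}

# Run against the sample; on a live system: uid0_accounts < /etc/passwd
sample_passwd | uid0_accounts
```

More than one "login-shell" line means more than one interactive superuser identity to track, which is the two-uid-0-accounts situation described in the reply above.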