Date: Thu, 11 Feb 2010 14:08:40 -0500 From: Jerry McAllister <jerrymc@msu.edu> To: Bob Johnson <fbsdlists@gmail.com> Cc: Lin Taosheng <taosheng.lin@gmail.com>, freebsd-questions@freebsd.org Subject: Re: HELP! Is that possible "creating a user named root but acturally not the administrator root" Message-ID: <20100211190840.GB73100@gizmo.acns.msu.edu> In-Reply-To: <54db43991002111058r1d8d1244mff110ec0b6f69046@mail.gmail.com> References: <5ffa459b1002102005i6b03c6fcqc1d4a11f590164d4@mail.gmail.com> <19315.37670.468383.119569@jerusalem.litteratus.org> <54db43991002111058r1d8d1244mff110ec0b6f69046@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote: > On 2/11/10, Robert Huff <roberthuff@rcn.com> wrote: > > > > Lin Taosheng writes: > > > >> Is that possible to implementated? > > > > Yes, use vipw to edit the password file. Add another username that is > UID zero. The name "toor" is actually already there as an example of > how to do that, but it is disabled because it has a "*" in the > password field. After the new username is tested and you know it > works, use vipw to replace the password field for "root" to an "*". > Then root will still exist, but it will not be possible to log in to > it. You could also delete the entire line for "root", but that gets > farther into unusual territory and increases the chance that you will > break something else by doing so. If I take what the OP said literally, you are answering backwards. The OP asked if it is possible to name a different account root - eg one that is not UID 0. You are answering that it is possible to give an account other than root a UID 0. Now, the OP may have meant to ask what you are answering and just got it mixed up. But, that was not the way the question went. Anyway, even if it is possible to name a non-UID 0 account root, it is a very bad idea. Too many things assume that the string 'root' refers to the UID 0 account. There may be something that depends on it. On the other side, it is possible to give an account with a different name the UID of 0. This is often done so someone can work at a root level without using the root name - probably in hopes of controlling things more tightly. Maybe it might help a bit. But, the FreeBSD system comes automatically set to you cannot log in over the net with a root (eg a UID 0) account. The recommended way to get to root is to either use the console or to log in as a non-root account using an encrypted path and then su(1) to root or to a root account (eg one with UID 0). ////jerry > > > For most purposes, what's important is not the account name, > > but the User II. "Root" is special because it has UID 0. You can, > > create other accounts with UIS 0 ... but it's usually a Very Bad > > Idea. > > I know of no reason that this would be a bad idea. It is in fact > useful in some situations to have more than one admin account, enough > so that about a decade ago some effort was put into making sure it > works properly when you do that in FreeBSD. > > > As far as I know, there's no reason you can't rename the "root" > > account and have a non UID 0 account with that name. On the other > > hand, if you're asking this question there may be a better way to > > accomplish your objective: would you care to share? > > Having an account named "root" that is not UID 0 (i.e. not an > administrator), is likely to have unexpected side effects that you > probably won't like. So even though it has theoretical security > advantages (because unlike Windows, you can't remotely query FreeBSD > and ask it the name of its administrator account), it probably isn't a > good idea. A quick search turned up problems when people tried this in > Debian, and I would expect similar issues in FreeBSD. But if you try > it, I'd love to hear the result. > > If you are worried about remote logins to the root account, that is > actually disabled by default in FreeBSD. The biggest hazard you face > in that area is that if you configure SSH to use PAM login, the PAM > subsystem can allow remote root logins when you think they are > disabled. You have to be careful to configure SSH (and anything else > that uses PAM) correctly in that situation. > > - Bob Johnson > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100211190840.GB73100>