Date: Thu, 11 Feb 2010 13:58:07 -0500 From: Bob Johnson <fbsdlists@gmail.com> To: Lin Taosheng <taosheng.lin@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: HELP! Is that possible "creating a user named root but acturally not the administrator root" Message-ID: <54db43991002111058r1d8d1244mff110ec0b6f69046@mail.gmail.com> In-Reply-To: <19315.37670.468383.119569@jerusalem.litteratus.org> References: <5ffa459b1002102005i6b03c6fcqc1d4a11f590164d4@mail.gmail.com> <19315.37670.468383.119569@jerusalem.litteratus.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2/11/10, Robert Huff <roberthuff@rcn.com> wrote: > > Lin Taosheng writes: > >> Is that possible to implementated? > Yes, use vipw to edit the password file. Add another username that is UID zero. The name "toor" is actually already there as an example of how to do that, but it is disabled because it has a "*" in the password field. After the new username is tested and you know it works, use vipw to replace the password field for "root" to an "*". Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for "root", but that gets farther into unusual territory and increases the chance that you will break something else by doing so. > For most purposes, what's important is not the account name, > but the User II. "Root" is special because it has UID 0. You can, > create other accounts with UIS 0 ... but it's usually a Very Bad > Idea. I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD. > As far as I know, there's no reason you can't rename the "root" > account and have a non UID 0 account with that name. On the other > hand, if you're asking this question there may be a better way to > accomplish your objective: would you care to share? Having an account named "root" that is not UID 0 (i.e. not an administrator), is likely to have unexpected side effects that you probably won't like. So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result. If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation. - Bob Johnson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54db43991002111058r1d8d1244mff110ec0b6f69046>