LinuxQuestions.org
Old 08-16-2004, 04:16 PM   #1
eech55
LQ Newbie
 
Registered: Aug 2004
Posts: 23

Rep: Reputation: 15
Question: Changing My Root Account Name


Hi all,


For security reasons, I want to change my root account name to something else.


Could you please tell me how?

Is using the command "chpass" the modular solution?

I used the chpass command, and then I renamed "root" to "new_name"... but then I found my FreeBSD with two root accounts with the same ID.
 
Old 08-16-2004, 04:53 PM   #2
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: Ubuntu, FreeBSD, NetBSD
Posts: 1,449

Rep: Reputation: 47
Do NOT remove the account with the name root. This is begging for problems. If you want, you can create a second account with a UID of zero (example toor already exists like this) and give that a password. Then you can edit master.passwd to put a "*" where the old root account's password is.

But for fnord's sake... leave the old name there.
 
Old 08-16-2004, 05:00 PM   #3
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: Ubuntu, FreeBSD, NetBSD
Posts: 1,449

Rep: Reputation: 47
/etc/passwd
Code:
root:*:0:0:This is the old unusable root account:/root:/bin/csh
newrootuser:*:0:0:This is the real root account:/root:
/etc/master.passwd
Code:
root:*:0:0::0:0:This is the old unusable root account:/root:/bin/csh
newrootuser:$1$gt1.mwCO$yJfqN3c2/hg6QdE4dnfve1:0:0::0:0:This is the real root account:/root:
After editing these files... be sure to run:
pwd_mkdb

This will be run automatically if you use vipw -- which is a good idea. Using vipw will allow you to edit both files at once. Just star out the old root password. Then exit out of vipw and run "passwd newrootuser", which will place a password for your new root.
 
Old 08-16-2004, 05:04 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Changing an account name isn't good in the name of security, just obscurity. It's not a practice to be recommended at any level. If a system is suitably secure then the root account will be perfectly safe.
 
Old 08-16-2004, 05:24 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You always have a uid 0 account, so it's not like you're getting rid of anything. In fact, if you completely remove the name to uid mapping for "root", you will probably cause a large number of problems when trying to install certain software packages.

The best way to protect root is to not allow users to attempt remote login attempts with that account, so disable them in sshd_config and hopefully that's the only remote shell you're using (you shouldn't have telnetd or any of the "r commands" enabled).

Exploits such as buffer overflows and rootkits use uid 0 and don't rely on the name to uid mapping, so removing the "root" name will not prevent those attacks.
 
Old 08-16-2004, 06:31 PM   #6
eech55
LQ Newbie
 
Registered: Aug 2004
Posts: 23

Original Poster
Rep: Reputation: 15
Can I have a super account exactly with root permissions but with a UID of 1002, for example? Can I make installations then without problems?
Will I be safe from exploits?
 
Old 08-16-2004, 06:39 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
No.

UNIX is based on a concept of a super-user and all other non-super-users. Since the super-user is special, there has to be a way to identify that it has special powers other users don't have. uid 0 is that special identifier.

There is no simple magic trick to just make something instantly secure. You have to know how your system works, and you have to configure it with as few avenues for attack as possible. Also, one of the most important things is to make sure you always install security updates quickly, which means paying attention to security advisories and downloading & applying security patches soon after they become available.

Also, if you run a relatively proactively secure OS, such as OpenBSD, there will be a number of controls in place to help you out, such as stack protection, write-exclusively-or-execute, immutable kernel in multi-user mode, etc. You could get patches to do that kind of thing in Linux, but then you would have to know how to apply and configure them.

Last edited by chort; 08-16-2004 at 06:41 PM.
 
Old 08-18-2004, 02:08 AM   #8
noir911
Member
 
Registered: Apr 2004
Location: Baltimore, MD
Posts: 681

Rep: Reputation: Disabled
cat /etc/passwd | grep 0:0

security thru obscurity is no security at all.
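
An added example (not written by any poster in this thread): shell helpers that list UID 0 accounts by exact field match, flag the ones whose master.passwd password field is not starred out, and read PermitRootLogin from sshd_config-style input. The sample data, the placeholder hashes and the `backup` user are constructed; the sshd_config parsing assumes the plain "Keyword value" form with no Match blocks.

```shell
#!/bin/sh
# Added example: audit helpers for the points made in this thread.
# All three functions read their input on stdin.

# Accounts whose UID field (3rd) is exactly 0, whatever they are named.
# Works on /etc/passwd and /etc/master.passwd; skips comment lines.
uid0_accounts() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ { print $1 }'
}

# UID-0 accounts in master.passwd format that still accept a password:
# the password field is not starred out as in post #3 (empty = no password).
uid0_with_password() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ && $2 !~ /^\*/ { print $1 }'
}

# First PermitRootLogin value in sshd_config-format input ("unset" if absent).
# Assumption: "Keyword value" form, no Match blocks.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Constructed sample data (placeholder hashes, hypothetical user "backup").
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:*:0:0::0:0:Old unusable root account:/root:/bin/csh
newrootuser:$1$PLACEHOLDER$PLACEHOLDERHASH:0:0::0:0:Real root account:/root:/bin/csh
backup:$1$PLACEHOLDER$PLACEHOLDERHASH:1002:0::0:0:Hypothetical user:/home/backup:/bin/sh
EOF
}

sample_sshd_config() {
    cat <<'EOF'
# constructed sample
#PermitRootLogin yes
PermitRootLogin no
EOF
}

# A substring match on 0:0 also hits the change/expire fields of master.passwd,
# so it counts the non-root "backup" line as well.
echo "UID 0 accounts:         $(sample_master_passwd | uid0_accounts | tr '\n' ' ')"
echo "...with a password:     $(sample_master_passwd | uid0_with_password)"
echo "Lines grep 0:0 matches: $(sample_master_passwd | grep -c '0:0')"
echo "PermitRootLogin:        $(sample_sshd_config | permit_root_login)"
```

On a live system, feed the real files on stdin as root, for example `uid0_with_password < /etc/master.passwd`.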
 
Old 08-18-2004, 03:09 PM   #9
eech55
LQ Newbie
 
Registered: Aug 2004
Posts: 23

Original Poster
Rep: Reputation: 15
thanks a lot guys
 
  


All times are GMT -5. The time now is 11:54 AM.
