LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Desktop
User Name
Password
Linux - Desktop This forum is for the discussion of all Linux Software used in a desktop context.

Notices

Reply
 
Search this Thread
Old 11-25-2012, 06:16 PM   #1
hackersarchangel
LQ Newbie
 
Registered: Nov 2012
Posts: 4

Rep: Reputation: Disabled
Question Create a hidden user on a desktop for admin purposes, need to find a free UID number


I am wanting to create a hidden user on a client based station as an alternative to root.

Basically I want to make my own "Joshua" like in Wargames, except that I'll set it up so it's almost like root, but not completely. The primary reason behind it is that I want to be able to run all the custom scripts and backup any potentially critical data using an alternate account so I can give root a really strong password and not be concerned that the end user will be able to break into root, but still leave root accessible for the Administration to access if really necessary.

I know it sounds like a lot of extra work, and a possible security loophole, but I think if we hide the account and make it so I can only sign into it from a terminal, that will increase the security of said account.

So far what I have come up with is to set the UID to a number less than 1000. Problem is, I'm not able to determine what numbers are available, and I don't want to keep guessing till I find one. Is there an easy way to determine that? I don't want to hijack a UID of a running process just in case I have to back out of this idea at a later date and risk damaging part of the system.

If anyone wants to help take on this task, that would be very much appreciated
 
Old 11-25-2012, 06:56 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592
Blog Entries: 2

Rep: Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047
Security by obscourity never works. Besides that, when you set up the root account with a strong password to prevent the end-user from breaking into that account there is no need for a separate admin user at all.
 
Old 11-25-2012, 07:36 PM   #3
hackersarchangel
LQ Newbie
 
Registered: Nov 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Ok...

Let's assume that I make the password for root super difficult to remember and I want to have a backdoor just in case I forget the root password and need to have an account that lets me backup all of the files on it without giving a known user account access to that.

This is a possible scenario where I can forsee this being useful for me.
 
Old 11-26-2012, 09:53 AM   #4
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,475
Blog Entries: 6

Rep: Reputation: Disabled
Quote:
Originally Posted by hackersarchangel View Post
...Problem is, I'm not able to determine what numbers are available, and I don't want to keep guessing till I find one. ...
Dude, if you can't "figure out" used or available UIDs then how will you ever keep out the guy who can?

There are SO many things wrong with this request.

Good luck.

Last edited by Habitual; 11-26-2012 at 09:54 AM.
 
Old 11-26-2012, 05:26 PM   #5
John VV
Guru
 
Registered: Aug 2005
Posts: 13,051

Rep: Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741
you already have a "root" account

use a LONG 12 to 16 character password
something like a two or three word phrase

Quote:
Let's assume that I make the password for root super difficult to remember
BAD for YOU
but VERY VERY VERY EASY for a computer to crack in less than 30 Min.
99% of people use one of the top 10,000 passwords

"2jir976&0Z<?08yFod4VoN*#kY(@!0A~ot@#SroE" is near imposable for you to remember but is easy to crack ( or you wright it down on paper )

BUT
"LifeIsA-BowlOfCherries,ThenWhyAmI-InThePits"
is near imposable to crack but is VERY easy fo a human to remember
( thank you Erma Bombeck )
or
"OneRingy-dingyTwoRingy-dingyThreeRingy-dingy"
( think "laugh-in" regular , kudos to who remembers the "telephone operator" in the skit )

Last edited by John VV; 11-26-2012 at 05:28 PM.
 
Old 11-26-2012, 05:34 PM   #6
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,475
Blog Entries: 6

Rep: Reputation: Disabled
Quote:
Originally Posted by John VV View Post
...kudos to who remembers the "telephone operator" in the skit )
Lily Tomlin.

#OldGuysRule
 
Old 11-26-2012, 05:56 PM   #7
John VV
Guru
 
Registered: Aug 2005
Posts: 13,051

Rep: Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741Reputation: 1741
yes back in the day when a REAL person had to MANUALLY connect you to the other person
using a switch board with jumper cables
 
Old 11-28-2012, 12:08 AM   #8
hackersarchangel
LQ Newbie
 
Registered: Nov 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
I was merely attempting to speculate on the matter as I cannot find a lot of useful information in regards to the subject.

Furthermore, if a system is properly set-up, I can keep out the people that would attempt to hack the system as there are many ways to limit a user's access.

Also, a random password such as the one described above is actually quite difficult to crack as the responses to each query of the password is a simple Pass/Fail, therefore it would take a system a good long while to figure out that random Alpha-Numeric combination. Insert some symbols and you have a ridiculously complex password. Also one needs to consider that unless the user has physical access and the capabilities of running a script that could obtain access to the passwords file on a machine fast enough to compute the password hashing quickly enough via a Rainbow table or some other means, the odds of them successfully cracking a password is limited to the connection into the machine, and fail safe's can be put into place to rectify that. So no, this idea is not that outlandish, it is a less secure plan I agree, but I was merely wanting to see if anyone wanted to try to take on the challenge of something that is outside the box in thinking.


I think that to figure out this "hidden" user, one would need access to the machine in some fashion, and proper access with an account that could tell that user everything they wanted to know in the first place, thus negating this whole idea from the get go. If someone made every account but the hidden one severely restricted, this would limit most methods of cracking this idea.

Example: change all users path to only include a specific folder that has access to the essential software for that user. Restrict access to the system folders on a per group basis, meaning if your not in say admin, you can't access /boot, /etc, /dev, /usr/bin, etc. and I think that methods of that caliber would limit the hackability of this idea.

Besides, this is all in good fun, and a constructive thinking idea I had that I wanted to test my knowledge on.
 
Old 11-28-2012, 06:57 AM   #9
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592
Blog Entries: 2

Rep: Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047
Quote:
Originally Posted by hackersarchangel View Post
Also one needs to consider that unless the user has physical access and the capabilities of running a script that could obtain access to the passwords file on a machine fast enough to compute the password hashing quickly enough via a Rainbow table or some other means, the odds of them successfully cracking a password is limited to the connection into the machine, and fail safe's can be put into place to rectify that.
Don't allow remote root access (I thoght til today every admin would know this basic security principle) and use key based authentication instead of passwords, so neither the user's nor the admin's password can be cracked with brute-force methods from a remote location.

Quote:
I think that to figure out this "hidden" user, one would need access to the machine in some fashion, and proper access with an account that could tell that user everything they wanted to know in the first place, thus negating this whole idea from the get go.
No need for a hidden user if you don't allow remote password authentication.

Quote:
Example: change all users path to only include a specific folder that has access to the essential software for that user. Restrict access to the system folders on a per group basis, meaning if your not in say admin, you can't access /boot, /etc, /dev, /usr/bin, etc. and I think that methods of that caliber would limit the hackability of this idea.
This is nothing new, just use chroots.
 
Old 11-28-2012, 08:26 PM   #10
hackersarchangel
LQ Newbie
 
Registered: Nov 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
That's what I was saying, the "hacker" in question would need physical access to crack anything. Why on earth would anyone do remote logins unless it was over SSH and would only accept a known key that was preauthorized?
 
Old 11-30-2012, 07:17 AM   #11
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Quote:
Originally Posted by John VV View Post
yes back in the day when a REAL person had to MANUALLY connect you to the other person
using a switch board with jumper cables
I was on of those operators in college.
 
Old 11-30-2012, 10:17 AM   #12
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,475
Blog Entries: 6

Rep: Reputation: Disabled
Quote:
...The primary reason behind it is that I want to be able to run all the custom scripts and backup any potentially critical data using an alternate account so I can give root a really strong password and not be concerned that the end user will be able to break into root, but still leave root accessible for the Administration to access if really necessary.
Quote:
the "hacker" in question would need physical access to crack anything.
Security 101:
There is No Security without physical security.

sudo was made for this.
UIDs < 1000 I "think" are hidden from graphical display managers.

Any other wheels to re-invent?

Edit0:

re: Security 101:
There is No Security without physical security.
Lock down the BIOS and protect CMOS with passwords,
restrict the boot order, Power-On Password, Encrypted LVMs...
That is a hardy start.
Combined with a strong root password and a sudo account.

Last edited by Habitual; 11-30-2012 at 10:28 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to create a user in linux with admin rights. ckiran04 Linux - General 20 10-26-2011 12:16 AM
Create An Admin User hemmeena Solaris / OpenSolaris 7 09-13-2009 05:44 PM
Need to create an admin user on Red Hat Enterprise Linux chwilson0607 Linux - Newbie 2 09-04-2008 01:33 PM
How do I create a admin user for FTP? dwz3591 Linux From Scratch 1 07-03-2005 06:47 AM
non UID '0' admin e1000 Linux - General 2 02-26-2004 11:35 AM


All times are GMT -5. The time now is 02:56 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration