LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-09-2012, 04:34 AM   #1
narin1975
LQ Newbie
 
Registered: Aug 2012
Posts: 16

Rep: Reputation: Disabled
Can we change root to other username?


Hi

Does the superuser of Linux need to be named "root"?

Can we give other name or add other user to be completely previledged as root?

Don't you think the username root is not so secured, making brute-force password guessers have less work to do (don't have to also guess the username).

Thanks,
Narin
 
Old 11-09-2012, 04:41 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
changing the name of root is an *EXTREMELY* bad idea. Don't ever ever be tempted to try this again.

use a good root password, or rather make it so obscure you can't remember it at all. only ever gain root access via sudo and you never need the password ever. stop ssh allowing root logins etc.
 
Old 11-09-2012, 04:44 AM   #3
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728
The permissions system is set up to cover 3 classes of user: the owner username, a group, and everyone else. If you find **every** file and directory owned by "root" and set up the permissions to include a group containing your new superuser, you would be part way there. One remaining issue would be the various programs that check to see who's running them. In practice, changing all of these might be more trouble than it's worth.
Quote:
Don't you think the username root is not so secured
No---just be sure to have a strong root password.
 
Old 11-09-2012, 04:48 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Quote:
Originally Posted by pixellany View Post
No---just be sure to have a strong root password.
my take would be an impossible entry in /etc/shadow preventing any login at all, AFAIR that's usually done from prepending ! to the password field.
 
Old 11-09-2012, 04:54 AM   #5
narin1975
LQ Newbie
 
Registered: Aug 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
I see. Thanks both of you.

By the way, is there a way to sudo without typing root password? The system always ask me everytime I use the sudo command.

Thanks,
Narin
 
Old 11-09-2012, 05:24 AM   #6
agentsteel
Member
 
Registered: Oct 2012
Location: France
Distribution: Debian / Fedora / Ubuntu / OpenBSD
Posts: 46

Rep: Reputation: Disabled
Use the NOPASSWD statement in the sudoers files. (man sudoers ...).
 
Old 11-09-2012, 05:29 AM   #7
narin1975
LQ Newbie
 
Registered: Aug 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
Millions thanks.
 
Old 11-09-2012, 06:04 AM   #8
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,530
Blog Entries: 2

Rep: Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026
Ypu are really asking if it is more secure to obscure the root password and then you are asking how to run sudo without password? sudo without password means that everyone that has access to your account (even if you are only in a coffebreak without logging out) has total control over the system. if you are security aware don't do that.
Although the danger to start a flamewar is imminent, IMHO the whole concept of replacing the root user with sudo is from a security point of view a big flaw. It is merely done by many distros (mainly Ubuntu derivatives) for convenience reasons, not for security. If you want to have a secure system don't allow root to login over SSH, use a strong password for any user on the system (this is pretty obvious and shouldn't have to be emphasized) and use su to get root privileges. Never allow passwordless sudo and use sudo only if you want to give access to single applications as root without giving them the root password.
 
1 members found this post helpful.
Old 11-09-2012, 06:12 AM   #9
narin1975
LQ Newbie
 
Registered: Aug 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
Everytime we su, we send root password over ssh, do we?
 
Old 11-09-2012, 06:30 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Quote:
Originally Posted by narin1975 View Post
I see. Thanks both of you.

By the way, is there a way to sudo without typing root password? The system always ask me everytime I use the sudo command.

Thanks,
Narin
No, it doesn't. Sudo is about proving YOU are YOU, it does NOT use the root password, hence with a good sudo setup you should NEVER need to know the root password.

---------- Post added 09-11-12 at 12:31 PM ----------

Quote:
Originally Posted by narin1975 View Post
Everytime we su, we send root password over ssh, do we?
yes, but it's over SSH, which is considered secure.
 
Old 11-09-2012, 06:33 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Quote:
Originally Posted by TobiSGD View Post
Although the danger to start a flamewar is imminent, IMHO the whole concept of replacing the root user with sudo is from a security point of view a big flaw. It is merely done by many distros (mainly Ubuntu derivatives) for convenience reasons, not for security. If you want to have a secure system don't allow root to login over SSH, use a strong password for any user on the system (this is pretty obvious and shouldn't have to be emphasized) and use su to get root privileges. Never allow passwordless sudo and use sudo only if you want to give access to single applications as root without giving them the root password.
Where are my matches...?

What's your perspective on not allowing full root access via sudo? Where's the downside in a well managed environment? I would never recommend su over sudo. it has much poorer auditing and you are back to having a password kept in a safe, or on a post-it, or in memory if it's trivial.

Whilst Ubuntu's auth shift makes it more user friendly and ... windowsy ... I don't see this as a security flaw in any way.

Last edited by acid_kewpie; 11-09-2012 at 06:41 AM.
 
Old 11-09-2012, 09:17 AM   #12
narin1975
LQ Newbie
 
Registered: Aug 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
if we accept ssh as secured, we can log in as root from the start. no need to bother using ethier su or sudo. am I right?
 
Old 11-09-2012, 09:39 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
no, as you should never log in as root over ssh in the first instance. if this is a point of a confusion, it's the user with which you are establishing the secure channel itself that you need to look after. So root should *NEVER* log in to an SSH server, however once it's established and you're using a shell prompt, becoming root over it is a non-issue as far as the SSH security itself goes. Root should never log in for reasons including those you originally stated - a brute force attack on a known privileged user. Hence setting "PermitRootLogin no" in sshd_config.

Last edited by acid_kewpie; 11-09-2012 at 09:40 AM.
 
Old 11-09-2012, 09:39 AM   #14
snowpine
Senior Member
 
Registered: Feb 2009
Posts: 3,914

Rep: Reputation: 1046Reputation: 1046Reputation: 1046Reputation: 1046Reputation: 1046Reputation: 1046Reputation: 1046Reputation: 1046
Quote:
Originally Posted by narin1975 View Post
if we accept ssh as secured, we can log in as root from the start. no need to bother using ethier su or sudo. am I right?
No you are not right; your argument is based on theory, but experience says that brute-force-root-SSH is one of the most common attacks your Linux server will face. Changing root login from "yes" to "no" is an incredible "return on investment" for your security; 30 seconds to toggle 1 setting in 1 file and the risk of this particular type of attack is completely eliminated forever.
 
Old 11-09-2012, 09:55 AM   #15
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,530
Blog Entries: 2

Rep: Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026Reputation: 4026
Quote:
Originally Posted by acid_kewpie View Post
What's your perspective on not allowing full root access via sudo? Where's the downside in a well managed environment?
Imagine a brute-force attack via SSH. In both approaches, su and sudo, root login via SSH should be disabled. So it is up to find a valid username to try to brute-force the machine. At this point both approaches have the same security. If the attacker is able to figure out a valid username the brute-forcing begins and sooner or later (if something like fail2ban is not installed and the admin is not regularly reviewing the logs, which is pretty common with inexperienced or not well trained admins) the attacker will be able to log in to the account.
On a machine without full sudo access for the user (and at best noexec mount-options for /home and other user-writeable directories) the attacker now has to figure out the root password to be able to really compromise the machine. On a machine with full sudo access the attacker knows the user password, so directly after he is able to log into the machine he is in fact root.
I would think an admin that has to ask the questions the OP asked is either untrained or inexperienced. Using sudo (especially as he asked without password) may be more convenient, but it is not more secure. In this specific case I would recommend to the OP that he asks his employer for a training.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
can i change username bobber Debian 2 01-19-2006 02:34 AM
Can I change my username? ssobeht LQ Suggestions & Feedback 19 10-14-2005 09:03 AM
Mainly out of curiousity, is it possible to change the username of the root account? microsoft/linux Debian 3 07-21-2005 03:11 PM
How to change root and username passwords? wardialer Mandriva 8 10-04-2004 07:32 AM
Possible to change the root username? Thaidog Linux - Security 1 05-15-2003 07:59 PM


All times are GMT -5. The time now is 07:12 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration