LinuxQuestions.org
Old 11-09-2012, 02:14 PM   #16
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386


Quote:
Originally Posted by TobiSGD
Imagine a brute-force attack via SSH. In both approaches, su and sudo, root login via SSH should be disabled. So it is up to find a valid username to try to brute-force the machine. At this point both approaches have the same security. If the attacker is able to figure out a valid username the brute-forcing begins and sooner or later (if something like fail2ban is not installed and the admin is not regularly reviewing the logs, which is pretty common with inexperienced or not well trained admins) the attacker will be able to log in to the account.
On a machine without full sudo access for the user (and at best noexec mount-options for /home and other user-writeable directories) the attacker now has to figure out the root password to be able to really compromise the machine. On a machine with full sudo access the attacker knows the user password, so directly after he is able to log into the machine he is in fact root.
I would think an admin that has to ask the questions the OP asked is either untrained or inexperienced. Using sudo (especially as he asked without password) may be more convenient, but it is not more secure. In this specific case I would recommend to the OP that he asks his employer for a training.

I understand what you're saying, but you can go on indefinitely adding additional arbitrary layers onto an environment, and you have to stop somewhere where there's an appropriate balance of security and usability. I don't see any "flaw" here still, just a suitable balance.
 
Old 11-10-2012, 12:09 AM   #17
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

I've been using a different username for "root" a long time ago and I never had a problem with it - with perhaps a minor exemption to some things I already forgot; not too affecting that I can't even remember those troubles.

The trick is not to delete root but just change its password field in /etc/shadow as to make it not parse-able like "-". Then create another username that would match the UID of root (0). You could still set root's home directory to /root but use a symbolic link instead that would point to the preferred home directory you like for the preferred user e.g. /home/someone.

You should also set the group settings as to not make conflict between the two users i.e. like have a group name same with the username with same GID as root (0).
 
Old 11-10-2012, 12:20 AM   #18
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

I believe some security experts/hackers already know my trick or that they prefer to keep it secret from the public, or not really make the idea well known widely.

Here's an example /etc/passwd, /etc/shadow and /etc/group:

/etc/passwd
Code:
abcd:x:0:0::/home/abcd:/bin/bash
root:x:0:0:root:/root:/bin/bash

/etc/shadow
Code:
abcd:$XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.XXXXXXXXXXXXXXXXX.XXXXXXX/XXXXXX:12345:0:99999:7:::
root:-:12345:0:::::
....

/etc/group
Code:
abcd:x:0:abcd
root:x:0:root,abcd
....

If in doubt that this idea has already been thought of generally, try to question why 'useradd -o' was made possible.
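
A defender's view of the layout posted above, as an added example that is not part of the thread: a shell audit that lists accounts sharing UID 0 and reports whether each one has a usable password hash. The function names and the sample files are constructed for illustration; on a real host the inputs would be /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added audit example; function names and sample data are constructed.

# List accounts other than "root" whose UID field (3rd) is 0.
uid0_aliases() {  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# For every UID-0 account, classify its shadow password field:
#   empty  - no password required
#   locked - "!", "*" or too short to be crypt(3) output (e.g. "-")
#   hash   - a usable password hash, so password login can succeed
uid0_password_state() {  # $1 = passwd-format file, $2 = shadow-format file
    awk -F: '
        NR == FNR { if ($3 == 0) zero[$1] = 1; next }
        ($1 in zero) {
            if ($2 == "")                              state = "empty"
            else if ($2 ~ /^[!*]/ || length($2) < 13)  state = "locked"
            else                                       state = "hash"
            print $1 ":" state
        }' "$1" "$2"
}

# Constructed sample files mirroring the layout in the post above.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
abcd:x:0:0::/home/abcd:/bin/bash
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$sample_dir/shadow" <<'EOF'
abcd:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:12345:0:99999:7:::
root:-:12345:0:::::
alice:!:12345:0:99999:7:::
EOF

echo "Non-root UID-0 accounts:"
uid0_aliases "$sample_dir/passwd"
echo "Password state of UID-0 accounts:"
uid0_password_state "$sample_dir/passwd" "$sample_dir/shadow"
```

On the sample data the audit flags abcd as a UID-0 alias with a live password hash while root itself is locked, which is exactly the state a reviewer inheriting such a host would need to notice.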
 
Old 11-10-2012, 02:11 AM   #19
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

it's been thought of plenty, doesn't make it good advice to someone not au fait with the system. Really dumb idea imho. More than that though, it's utterly pointless.
 
Old 11-10-2012, 02:26 AM   #20
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Quote:
Originally Posted by acid_kewpie
Really dumb idea imho. More than that though, it's utterly pointless.

And what exactly is dumb and utterly pointless?
 
Old 11-10-2012, 02:39 AM   #21
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Quote:
Originally Posted by konsolebox
And what exactly is dumb and utterly pointless?

it adds nothing but obscurity and promotes lazy system administration.
 
Old 11-10-2012, 05:15 AM   #22
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Quote:
Originally Posted by acid_kewpie
it adds nothing but obscurity

Obscurity may be a common reason but it's not always that. Sometimes it's just a matter of taste and not really about security or logic. I myself dislike root as the common name for the superuser. Always helpful to people who see more benefit with easy control than having safe but limited access with normal user accounts.

Quote:
and promotes lazy system administration.

On what situation exactly could that be related to laziness? Depends if the user relies on that believing their system is secured enough because of it. I don't. It certainly helps a lot though if you look at it especially in attacks which aren't special to the machine or manually done like automated or compounded attacks. I'd rather pick the obvious benefits rather than take a conservative pride.

Last edited by konsolebox; 11-10-2012 at 05:18 AM.
 
Old 11-12-2012, 02:45 AM   #23
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Quote:
Originally Posted by konsolebox
I myself dislike root as the common name for the superuser.

So what?? I think that's a terrible reason to change it. I think "fstab" is a silly file name, maybe I'll go change that.

Quote:
On what situation exactly could that be related to laziness?

by logging in routinely and working as "dave" with uid=0.

Quote:
Depends if the user relies on that believing their system is secured enough because of it. I don't. It certainly helps a lot though if you look at it especially in attacks which aren't special to the machine or manually done like automated or compounded attacks. I'd rather pick the obvious benefits rather than take a conservative pride.

I still see literally zero obvious benefits. I hope this is just a noddy home machine. If I started a job and inherited servers screwed up like this, I'd be livid.

It's up to you if you want to change it on your own system, but I really do believe that promoting this non-standard behavior online is extremely irresponsible. With so many people picking up Linux and being unused to a proper user security model, encouraging people to undermine something they don't understand is not good.

Last edited by acid_kewpie; 11-12-2012 at 02:48 AM.
 
Old 11-12-2012, 02:56 AM   #24
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Quote:
Originally Posted by acid_kewpie
So what?? I think that's a terrible reason to change it.

Like I said sometimes it's just a matter of taste. Do you really need to have reason to change the layout of your desktop?

Quote:
I think "fstab" is a silly file name, maybe I'll go change that.

And what does a static file have that you could compare it to usernames?

Quote:
by logging in routinely and working as "dave" with uid=0.

For my favored username I actually prefer that form.

Quote:
I still see literally zero obvious benefits. I hope this is just a noddy home machine. If I started a job and inherited servers screwed up like this, I'd be livid.

If it's servers that aren't personal and used by many I won't disagree. - Unless the group decides to change it anyway.

Quote:
It's up to you if you want to change it on your own system, but I really do believe that promoting this non-standard behavior online is extremely irresponsible. With so many people picking up Linux and being unused to a proper user security model, encouraging people to undermine something they don't understand is not good.

Sometimes yes, sometimes not as some people may understand and some may not, at least not yet.

Last edited by konsolebox; 11-12-2012 at 03:06 AM.
 
  

