LinuxQuestions.org
Old 03-24-2013, 03:03 AM   #1
urip
LQ Newbie
 
Registered: Mar 2013
Posts: 10

Rep: Reputation: Disabled
How to diff between 2 users with uid 0


Hello,
I created a new user "rootNew"
After creation I manually changed the file /etc/passwd and gave the new user "rootNew" uid 0.
Now I have 2 users with uid 0 (root, rootNew). How can I know which user is logged in to the system?
The "whoami" command returns "root" for both users.
Thanks,
Uri
 
Old 03-24-2013, 04:20 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,264
Blog Entries: 54

Rep: Reputation: 2841
Quote:
Originally Posted by urip View Post
I created a new user "rootNew"
After creation I manually changed the file /etc/passwd and gave the new user "rootNew" uid 0.
Creating multiple root users is strongly discouraged as it is not a security best practice.
Why do you (think you) need another root account in the first place?
 
Old 03-24-2013, 04:25 AM   #3
urip
LQ Newbie
 
Registered: Mar 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
I know this is bad practice to do so.
The reason I asked the question in the first place is to catch the times that someone uses a bad configuration and a user like this is logged in.
That's why I want to know if there is a way to know if a non-root user with uid 0 has logged in?
 
Old 03-24-2013, 04:38 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You should create another user who can use sudo instead. Don't create a user who is an alias for root. The system uses the UID and not the username.
 
Old 03-24-2013, 04:44 AM   #5
urip
LQ Newbie
 
Registered: Mar 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Yes I know this is not the correct configuration.
This is part of a solution for our customers to detect such bad practice configuration.
That's why I want to catch those mistakes by script or any other solution.
 
Old 03-24-2013, 07:20 AM   #6
pierre2
Member
 
Registered: May 2009
Location: Perth, AU
Distribution: LinuxMint
Posts: 336
Blog Entries: 7

Rep: Reputation: 73
as per the answers that you were given in the Mint forum

http://forums.linuxmint.com/viewtopi...701857#p701857

- on the user privileges tab - give the account holder, the same privileges as root.
 
Old 03-24-2013, 07:58 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,264
Blog Entries: 54

Rep: Reputation: 2841
Monitor / examine /etc/passwd, filter log files for logged account changes (PAM mostly) and check wtmp and lastlog login records. That should give you a warning when changes happen, if the account gets used and allows you to retaliate/suppress usage and revert back. GNU Tiger, Logwatch, LSAT, Rootkit Hunter and a gazillion other tools already contain checks to warn you so there's no need for wheel re-invention IMHO: just cron job your tool of choice.

There's probably a login watcher in your distribution's repos that would be better to use instead of doing something like this:
Code:
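# List every account in /etc/passwd that has UID 0 but is not named "root"
awk -F':' '($3 == 0 && $1 != "root") {print $1}' /etc/passwd | while read -r _USERNAME; do
 # Find the terminals that account is currently logged in on
 who -u | awk -v U="$_USERNAME" '($1 == U) {print $2}' | while read -r _USERTTY; do
  # Kill every process attached to that terminal
  \ps --no-headers -t "/dev/$_USERTTY" -o pid | while read -r _USERPID; do
   kill -9 "$_USERPID"
  done
 done
done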
 
Old 03-24-2013, 08:00 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,264
Blog Entries: 54

Rep: Reputation: 2841
Quote:
Originally Posted by pierre2 View Post
- on the user privileges tab - give the account holder, the same privileges as root.
AFAIK the question is about detection and negating the effect of cluebies creating additional root accounts rather than the OP seeking a way to deliberately weaken a machine's security posture.
 
Old 03-24-2013, 11:07 PM   #9
pierre2
Member
 
Registered: May 2009
Location: Perth, AU
Distribution: LinuxMint
Posts: 336
Blog Entries: 7

Rep: Reputation: 73
Quote:
negating the effect of cluebies creating additional root accounts
root privileges on another account, still need to be given by an account holder,
who already has root privileges.

so, they would need to know the actual root password,
so that they can grant that privilege to another account.
& this has to be done on the user privileges tab - of the non_root account.

it's really a case of the weakness of the root password, in being too widely known. .. ..
this is the only way that a cluebie could create another root account.

you can have lots of users, who all have root privileges,
that can do stuff, that really should be done using SUDO
but there should only ever be one, actual root_user account.
 
Old 03-25-2013, 12:35 AM   #10
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 518

Rep: Reputation: 51
is the env the same for both? can $HOME reveal what you need?
 
Old 03-25-2013, 02:02 AM   #11
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,722

Rep: Reputation: 1261
Quote:
Originally Posted by Linux_Kidd View Post
is the env the same for both? can $HOME reveal what you need?
I do not think they are really different. Most (if not all) of the applications handle the user ID, not the user name, therefore they cannot distinguish between them.

If you need some special account you will need to use sudoers or similar (as it was already suggested)
 
Old 03-25-2013, 06:16 AM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I tried it out for myself. The last and who commands do show the alias name. Whoami shows root. Remember, the new user is an alias as root. In other words, it is root.

I don't know if PAM can be modified to prevent a root from logging in.

Also consider installing and configuring the audit system. See if it logs commands by UID or
You could have a cron job check for multiple entries in /etc/passwd with a UID of 0.

---
I guess that PCI compliance may require that the root user be replaced with a different username alias. Since /etc/passwd is readable by all users, this is security by pretend obscurity, and may make a system unstable if the username of root is assumed by any programs or scripts. Who's the moron who thought that one up?
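
The cron-style check suggested in this post, combined with the /etc/passwd and login-record checks from post #7, as an added example that is not part of the original thread. It only reports and never kills anything; it goes slightly beyond the thread by also catching UID fields written as "00". The function names and the sample passwd and who lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only check for UID 0 accounts other than "root".

# Names in a passwd-format file ($1) that have UID 0 but are not "root".
# The numeric compare also catches UID fields written as "00".
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# stdin: `who` output. Prints "user tty" for every session whose login name
# is a UID 0 alias in $1. who reads utmp, which stores the login name, so the
# alias stays visible here even though whoami resolves UID 0 to "root".
alias_sessions() {
    awk -F: 'NR == FNR { if ($3 == 0 && $1 != "root") bad[$1] = 1; next }
             { split($0, f, " "); if (f[1] in bad) print f[1], f[2] }' "$1" -
}

# Returns 1 when an alias exists so a cron wrapper can alert on the status.
audit_uid0() {
    aliases=$(uid0_aliases "$1")
    [ -n "$aliases" ] || return 0
    printf '%s\n' "$aliases" | sed 's/^/UID 0 alias account: /'
    alias_sessions "$1" | sed 's/^/logged in now: /'
    return 1
}

# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rootNew:x:0:0::/home/rootNew:/bin/bash
urip:x:1000:1000::/home/urip:/bin/bash
toor:x:00:0::/root:/bin/sh
EOF
SAMPLE_WHO='root     tty1   2013-03-24 03:01
rootNew  pts/0  2013-03-24 03:03 (192.0.2.10)
urip     pts/1  2013-03-24 03:05 (192.0.2.11)'

printf '%s\n' "$SAMPLE_WHO" | audit_uid0 "$SAMPLE_PASSWD" || echo "audit status: $?"
# Live use: who | audit_uid0 /etc/passwd
```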
 
Old 03-26-2013, 05:13 PM   #13
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 518

Rep: Reputation: 51
so, we need clarity from the OP. i didn't see anything about apps knowing the diff. the OP's Q was "how can i tell them apart", and gave a whoami example.

echo $HOME will tell the two apart if -d was used with useradd
 
  


All times are GMT -5.
