LinuxQuestions.org
Old 05-19-2003, 09:10 PM   #1
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 637

Rep: Reputation: 32
Question somebody please help me here...


Ok.. so you can change the root account to a different name with a Linux box... for security or whatever reason... I also have a Mac OS workstation.. and I wonder if I can change the root name to whatever... so I ask in a forum... All of a sudden I'm a complete idiot for even asking... I get nothing but a bunch of off topic posts from people, who quote: "have been unix admin for years" and are now saying what a stupid idea... Hey, I'm just asking is it possible... what do you care? here's the post:

http://forums.macnn.com/showthread.p...hreadid=160799

Coming from a Linux standpoint I don't think this was a stupid question... So what if I want to change it? Heck, maybe I want to change it just because I don't want root as the user name... maybe my real name... who cares? No reason to call me an idiot just answer a yes/no question... All of a sudden Mac OS X is unix and everybody with a one button mouse is an experienced unix admin... somebody please shoot me. Turns out that the root account is by default turned off... yeah I know this... but I still like to enable it sometimes do my thing, and then disable it... Then I get, "No other unix os will let you disable the root account" What's true here... please excuse my lowly mainframe admin standpoint.. I need support!

Last edited by Thaidog; 05-19-2003 at 09:14 PM.
 
Old 05-19-2003, 11:54 PM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well like unSpawn pointed out renaming root is security through obscurity, which is not real security. Poorly written software doesn't do a check for uid(0) it checks by name (rare but still around such software).

But if you understand the possible risk of it you need to change /etc/password, /etc/shadow and /etc/group ... don't cry if this messes up your system. You have been warned!
 
Old 05-20-2003, 12:38 AM   #3
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 637

Original Poster
Rep: Reputation: 32
Quote:
Originally posted by markus1982
Well like unSpawn pointed out renaming root is security through obscurity, which is not real security. Poorly written software doesn't do a check for uid(0) it checks by name (rare but still around such software).

But if you understand the possible risk of it you need to change /etc/password, /etc/shadow and /etc/group ... don't cry if this messes up your system. You have been warned!
Everything I can currently think of on my Mac os x box is completely locked down.... everything within my power and knowledge of the system... I've got nothing else to secure but the obscure.... if my job has taught me one thing though, as much of a hack as it might be, security through obscurity works!
 
Old 05-20-2003, 04:24 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I think we handled this question well in the other thread and if you take the 90 percent air out of the macnn thread, you'll see they reach the same conclusion.

Again, if you want to really "protect" root uid, it would be more efficient to focus on taking away capabilities from root directly or through using something like LIDS.

So, if you still want to pursue this course, I hope you agree it's time to give us the ultimate overruling arguments and examples (and let them make a strong case, not something easily rejected) in favour of this approach.
 
Old 05-20-2003, 05:00 AM   #5
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 637

Original Poster
Rep: Reputation: 32
Quote:
Originally posted by unSpawn
I think we handled this question well in the other thread and if you take the 90 percent air out of the macnn thread, you'll see they reach the same conclusion.

Again, if you want to really "protect" root uid, it would be more efficient to focus on taking away capabilities from root directly or through using something like LIDS.

So, if you still want to pursue this course, I hope you agree it's time to give us the ultimate overruling arguments and examples (and let them make a strong case, not something easily rejected) in favor of this approach.
In most basic terms the argument is that there is absolutely no reason to log in as root *ever*. All administration can be done from sudo commands. Therefore, there is no reason to even enable the root account. Now, in Mac OS X the root account is disabled by default and there is an application called netinfo that you authenticate and then enable root with... The first obvious point would be... then why have a way to enable root in the 1st place if it's never needed? Why risk having it enabled if it's not needed for anything but un-securing your system? This is where my argument comes into place... so then if you *can* enable root, why then not change the name to a tad bit more security, or if you like total control, change the name to your username and use it all the time? (if there is no difference... the flip side to this one-sided argument) Of course, bearing in mind that you are root and know how to handle root, like so many Linux admins do.. In Windows, any admin worth his weight knows how to rename the admin account to something other than admin to make it a tad bit more difficult to hack the username/password combo... Same thing with some Linux distros.... so in most basic terms... if it's possible to enable root for whatever reason why not secure it? They go on to say that no unix os can disable root... another falsehood... somebody already caught that in thread, but worth bringing up anyway. So why would I want to change the root name in the 1st place? I log into root sometimes to do something... I like to do things in combination with the gui and the command line.. I think it gives me more freedom... a couple of days ago, I left my workstation with root still enabled... thank God I remembered that and went back and disabled... but it left me cold to think for a second that my admin account was more bullet-proof than the root account! Scary!
After beating my head against a wall with these people just trying to get a "how to", if there even is one, it seemed I was just getting force-fed what these people only know... don't enable root, we don't know how to change the user name... instead of simply answering the question, I get people calling me an idiot and tap dancing around my question.... the point is, who cares if it does secure my system or not what do they care? Just show me how and let me on my way!

Further they go on to say you can log into root shell from admin using sudo -sh... my point here is Look where your user base is coming from! A gui only OS... MAC OS 9... and if you can enable root this easy through the gui, what do you think 99% of these people are going to learn and do first? And do you think they will think to disable it? No, more than likely, they will think it's "Cool" because they now have a neat little root account to use! (What's even worse, you can dual boot between OS X and OS 9... and when you boot into OS 9 you can modify ANY OS X file on the hard drive with no way to stop it!) so this *idea* of if you don't enable root, you don't have any worries, is TOTAL and COMPLETE bullshizzey....

Last edited by Thaidog; 05-20-2003 at 05:16 AM.
 
Old 05-20-2003, 07:38 AM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Everything I can currently think of on my Mac os x box is completely locked down.... everything within my power and knowledge of the system... I've got nothing else to secure but the obscure.... if my job has taught me one thing though, as much of a hack as it might be, security through obscurity works!
Well I have been working with servers that had the security through obscurity idea and these got hacked more frequently than some others I have been REALLY securing. Real life shows that security through obscurity is honestly NO SECURITY.

You should really check the case again:
Do you want to SECURE your system or do you just want to rename root for fun?
 
Old 05-20-2003, 07:41 AM   #7
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
In most basic terms the argument is that there is absolutely no reason to log in as root *ever*. All administration can be done from sudo commands. Therefore, there is no reason to even enable the root account. Now, in Mac OS X the root account is disabled by default and there is an application called netinfo that you authenticate and then enable root with... The first obvious point would be... then why have a way to enable root in the 1st place if it's never needed? Why risk having it enabled if it's not needed for anything but un-securing your system? This is where my argument comes into place... so then if you *can* enable root, why then not change the name to a tad bit more security, or if you like total control, change the name to your username and use it all the time? (if there is no difference... the flip side to this one-sided argument) Of course, bearing in mind that you are root and know how to handle root, like so many Linux admins do.. In Windows, any admin worth his weight knows how to rename the admin account to something other than admin to make it a tad bit more difficult to hack the username/password combo... Same thing with some Linux distros.... so in most basic terms... if it's possible to enable root for whatever reason why not secure it? They go on to say that no unix os can disable root... another falsehood... somebody already caught that in thread, but worth bringing up anyway. So why would I want to change the root name in the 1st place? I log into root sometimes to do something... I like to do things in combination with the gui and the command line.. I think it gives me more freedom... a couple of days ago, I left my workstation with root still enabled... thank God I remembered that and went back and disabled... but it left me cold to think for a second that my admin account was more bullet-proof than the root account! Scary!
After beating my head against a wall with these people just trying to get a "how to", if there even is one, it seemed I was just getting force-fed what these people only know... don't enable root, we don't know how to change the user name... instead of simply answering the question, I get people calling me an idiot and tap dancing around my question.... the point is, who cares if it does secure my system or not what do they care? Just show me how and let me on my way!

Further they go on to say you can log into root shell from admin using sudo -sh... my point here is Look where your user base is coming from! A gui only OS... MAC OS 9... and if you can enable root this easy through the gui, what do you think 99% of these people are going to learn and do first? And do you think they will think to disable it? No, more than likely, they will think it's "Cool" because they now have a neat little root account to use! (What's even worse, you can dual boot between OS X and OS 9... and when you boot into OS 9 you can modify ANY OS X file on the hard drive with no way to stop it!) so this *idea* of if you don't enable root, you don't have any worries, is TOTAL and COMPLETE bullshizzey....
Well why don't you just disable root account then? You should consider unusual situations also in your SUDO configuration. I advise you NOT to disable root. Choose more secure passwords, enforce password aging, etc.

Also patch your kernel using the grsecurity kernel patches or LIDS or some others. If you want a HIGHLY SECURE system go for OpenBSD
 
Old 05-20-2003, 08:20 AM   #8
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 637

Original Poster
Rep: Reputation: 32
yes

Quote:
Originally posted by markus1982
Well I have been working with servers that had the security through obscurity idea and these got hacked more frequently than some others I have been REALLY securing. Real life shows that security through obscurity is honestly NO SECURITY.

You should really check the case again:
Do you want to SECURE your system or do you just want to rename root for fun?
I have a router that's hooked to a router that's hooked to my mac that was a firewall that has snort that has secure user accounts with random upper lower numeric passwords with strict file permissions... anything else?

Oh.. not to mention all my systems are audited by www.edgos.com
...with no security holes... ever...

Last edited by Thaidog; 05-20-2003 at 08:26 AM.
 
Old 05-20-2003, 12:50 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
In most basic terms the argument is that there is absolutely no reason to log in as root *ever*. All administration can be done from sudo commands. Therefore, there is no reason to even enable the root account.
There is a distinct difference between renaming, altering (or should I say corrupting?) account info and restricting logins. We already gave reasons why renaming the user name wouldn't add any (substantial) protection. Anyway. If I focus strictly on the act of denying login, not the value of doing so, yada yada yada, what could break a root login could be: "nologin" shell in /etc/passwd, chage and lock the account, ulimiting (maxlogins), PAM ACL, other PAM lib (like Xad?), emptying securetty, setting "exit 1" in the root shell's login script.

Be warned tho things going fubar trying out stuff is your fault, problem, responsibility, not ours.

Recapping this and the other thread I hope you agree the impact of disabling a root account has negligible value within the scope of any security framework because it IN NO WAY touches on the essence of what the root account represents: a set of privileged capabilities.

Logging in may be viewed as unlocking a door to using those capabilities, but it is not the only door or the only way of unlocking. The fact you insist on painting the door over with red paint instead of the sophisticated black it's always been doesn't take away stuff behind the door...
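
Added example, not part of any post in this thread: a shell audit that applies two points made above, selecting privileged accounts by numeric UID 0 rather than by name (post #2) and reporting whether each can log in through its shell or its password state (two of the methods listed in post #9). The account names toor and svcadm, the hashes and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data. On a real host, pass /etc/passwd and /etc/shadow
# to audit_uid0 instead (reading /etc/shadow requires root).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:renamed admin:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadm:x:0:0:service:/root:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:!$6$constructedsalt$constructedhash:12190:0:99999:7:::
toor:$6$constructedsalt$constructedhash:12190:0:99999:7:::
daemon:*:12190:0:99999:7:::
svcadm:*:12190:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12190:0:99999:7:::'

# audit_uid0 PASSWD_FILE SHADOW_FILE
# Prints one line per UID 0 account: name, shell state, password state.
audit_uid0() {
    awk -F: '
        # First file (shadow): remember the password field per account.
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Second file (passwd): select on the numeric UID, never the name,
        # so a renamed root is still reported.
        $3 == 0 {
            shell = ($7 ~ /(nologin|false)$/) ? "shell=blocked" : "shell=usable"
            if (!($1 in pw))          state = "password=unknown"
            else if (pw[$1] == "")    state = "password=EMPTY"
            else if (pw[$1] ~ /^[!*]/) state = "password=locked"
            else                      state = "password=set"
            print $1, shell, state
        }
    ' "$2" "$1"
}

# Run the audit against the constructed sample files.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    audit_uid0 "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

run_sample
```

In the sample, the account named root is password-locked while the differently named toor still holds UID 0 with a usable shell and password, which is why the check keys on the UID.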
 
Old 05-20-2003, 10:09 PM   #10
Thaidog
Member
 
Registered: Sep 2002
Location: Hilton Head, SC
Distribution: Gentoo
Posts: 637

Original Poster
Rep: Reputation: 32
Quote:
Originally posted by unSpawn
In most basic terms the argument is that there is absolutely no reason to log in as root *ever*. All administration can be done from sudo commands. Therefore, there is no reason to even enable the root account.
There is a distinct difference between renaming, altering (or should I say corrupting?) account info and restricting logins. We already gave reasons why renaming the user name wouldn't add any (substantial) protection. Anyway. If I focus strictly on the act of denying login, not the value of doing so, yada yada yada, what could break a root login could be: "nologin" shell in /etc/passwd, chage and lock the account, ulimiting (maxlogins), PAM ACL, other PAM lib (like Xad?), emptying securetty, setting "exit 1" in the root shell's login script.

Be warned tho things going fubar trying out stuff is your fault, problem, responsibility, not ours.

Recapping this and the other thread I hope you agree the impact of disabling a root account has negligible value within the scope of any security framework because it IN NO WAY touches on the essence of what the root account represents: a set of privileged capabilities.

Logging in may be viewed as unlocking a door to using those capabilities, but it is not the only door or the only way of unlocking. The fact you insist on painting the door over with red paint instead of the sophisticated black it's always been doesn't take away stuff behind the door...
Let me ask you, then... do you feel the same is true for renaming the admin account in XP/2000?
 
  

