*BSDThis forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Do NOT remove the account with the name root. This is begging for problems. If you want, you can create a second account with a UID of zero (example toor already exists like this) and give that a password. Then you can edit master.passwd to put a "*" where the old root account's password is.
root:*:0:0:This is the old unusable root account:/root:/bin/csh
newrootuser:*:0:0:This is the real root account:/root:
/etc/master.passwd
Code:
root:*:0:0::0:0:This is the old unusable root account:/root:/bin/csh
newrootuser:$1$gt1.mwCO$yJfqN3c2/hg6QdE4dnfve1:0:0::0:0:This is the real root account:/root:
After editing these files... be sure to run:
pwd_mkdb
This will be run automatically if you use vipw -- which is a good idea. Using vipw will allow you to edit both files at once. Just star out the old root password. Then edit out of vipw. and "passwd newrootuser" which will place a password for your new root.
changing an account name isn't good in the name of security, just obscurity. it's not a practise to be recommended at any level. if a system is suitably secure then the root account will be perfectly safe.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
You always have a uid 0 account, so it's not like you're getting rid of anything. In fact, if you completely remove the name to uid mapping for "root", you will probably cause a large number of problems when trying to install certain software packages.
The best way to protect root is to not allow users to attempt remote login attempts with that accounts, so disable them in sshd_config and hopefully that's the only remote shell you're using (you shouldn't have telnetd or any of the "r commands" enabled).
Exploits such as buffer overflows and rootkits use uid 0 and don't rely on the name to uid mapping, so removing the "root" name will not prevent those attacks.
can i have a super account exactly with root permissions but with an UID of 1002 for example? can i make installations then without problems?
will i be safe fro exploits?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
No.
The UNIX is based on a concept of a super-user and all over non-super-users. Since the super-user is special, there has to be a way to identify that it has special powers other users don't have. uid 0 is that special identifier.
There is no simple magic trick to just make something instantly secure. You have to know how your system works, and you have to configure it with as few avenues for attack as possible. Also, one of the most important things is to make sure you always install security updates quickly, which means paying attention to security advisories and downloading & applying security patches soon after they become available.
Also, if you run a relatively proactively secure OS, such as OpenBSD there will be a number of controls in place to help you out, such as stack protection, write-exclusively-or-execute, immutable kernel in multi-user mode, etc. You could get patches to do that kind of thing in Linux, but then you would have to know how to apply and configure them.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.