Create a hidden user on a desktop for admin purposes, need to find a free UID number
Linux - DesktopThis forum is for the discussion of all Linux Software used in a desktop context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Create a hidden user on a desktop for admin purposes, need to find a free UID number
I am wanting to create a hidden user on a client based station as an alternative to root.
Basically I want to make my own "Joshua" like in Wargames, except that I'll set it up so it's almost like root, but not completely. The primary reason behind it is that I want to be able to run all the custom scripts and backup any potentially critical data using an alternate account so I can give root a really strong password and not be concerned that the end user will be able to break into root, but still leave root accessible for the Administration to access if really necessary.
I know it sounds like a lot of extra work, and a possible security loophole, but I think if we hide the account and make it so I can only sign into it from a terminal, that will increase the security of said account.
So far what I have come up with is to set the UID to a number less than 1000. Problem is, I'm not able to determine what numbers are available, and I don't want to keep guessing till I find one. Is there an easy way to determine that? I don't want to hijack a UID of a running process just in case I have to back out of this idea at a later date and risk damaging part of the system.
If anyone wants to help take on this task, that would be very much appreciated
Security by obscourity never works. Besides that, when you set up the root account with a strong password to prevent the end-user from breaking into that account there is no need for a separate admin user at all.
Let's assume that I make the password for root super difficult to remember and I want to have a backdoor just in case I forget the root password and need to have an account that lets me backup all of the files on it without giving a known user account access to that.
This is a possible scenario where I can forsee this being useful for me.
use a LONG 12 to 16 character password
something like a two or three word phrase
Quote:
Let's assume that I make the password for root super difficult to remember
BAD for YOU
but VERY VERY VERY EASY for a computer to crack in less than 30 Min.
99% of people use one of the top 10,000 passwords
"2jir976&0Z<?08yFod4VoN*#kY(@!0A~ot@#SroE" is near imposable for you to remember but is easy to crack ( or you wright it down on paper )
BUT
"LifeIsA-BowlOfCherries,ThenWhyAmI-InThePits"
is near imposable to crack but is VERY easy fo a human to remember
( thank you Erma Bombeck )
or
"OneRingy-dingyTwoRingy-dingyThreeRingy-dingy"
( think "laugh-in" regular , kudos to who remembers the "telephone operator" in the skit )
I was merely attempting to speculate on the matter as I cannot find a lot of useful information in regards to the subject.
Furthermore, if a system is properly set-up, I can keep out the people that would attempt to hack the system as there are many ways to limit a user's access.
Also, a random password such as the one described above is actually quite difficult to crack as the responses to each query of the password is a simple Pass/Fail, therefore it would take a system a good long while to figure out that random Alpha-Numeric combination. Insert some symbols and you have a ridiculously complex password. Also one needs to consider that unless the user has physical access and the capabilities of running a script that could obtain access to the passwords file on a machine fast enough to compute the password hashing quickly enough via a Rainbow table or some other means, the odds of them successfully cracking a password is limited to the connection into the machine, and fail safe's can be put into place to rectify that. So no, this idea is not that outlandish, it is a less secure plan I agree, but I was merely wanting to see if anyone wanted to try to take on the challenge of something that is outside the box in thinking.
I think that to figure out this "hidden" user, one would need access to the machine in some fashion, and proper access with an account that could tell that user everything they wanted to know in the first place, thus negating this whole idea from the get go. If someone made every account but the hidden one severely restricted, this would limit most methods of cracking this idea.
Example: change all users path to only include a specific folder that has access to the essential software for that user. Restrict access to the system folders on a per group basis, meaning if your not in say admin, you can't access /boot, /etc, /dev, /usr/bin, etc. and I think that methods of that caliber would limit the hackability of this idea.
Besides, this is all in good fun, and a constructive thinking idea I had that I wanted to test my knowledge on.
Also one needs to consider that unless the user has physical access and the capabilities of running a script that could obtain access to the passwords file on a machine fast enough to compute the password hashing quickly enough via a Rainbow table or some other means, the odds of them successfully cracking a password is limited to the connection into the machine, and fail safe's can be put into place to rectify that.
Don't allow remote root access (I thoght til today every admin would know this basic security principle) and use key based authentication instead of passwords, so neither the user's nor the admin's password can be cracked with brute-force methods from a remote location.
Quote:
I think that to figure out this "hidden" user, one would need access to the machine in some fashion, and proper access with an account that could tell that user everything they wanted to know in the first place, thus negating this whole idea from the get go.
No need for a hidden user if you don't allow remote password authentication.
Quote:
Example: change all users path to only include a specific folder that has access to the essential software for that user. Restrict access to the system folders on a per group basis, meaning if your not in say admin, you can't access /boot, /etc, /dev, /usr/bin, etc. and I think that methods of that caliber would limit the hackability of this idea.
That's what I was saying, the "hacker" in question would need physical access to crack anything. Why on earth would anyone do remote logins unless it was over SSH and would only accept a known key that was preauthorized?
...The primary reason behind it is that I want to be able to run all the custom scripts and backup any potentially critical data using an alternate account so I can give root a really strong password and not be concerned that the end user will be able to break into root, but still leave root accessible for the Administration to access if really necessary.
Quote:
the "hacker" in question would need physical access to crack anything.
Security 101:
There is No Security without physical security.
sudo was made for this.
UIDs < 1000 I "think" are hidden from graphical display managers.
Any other wheels to re-invent?
Edit0:
re: Security 101:
There is No Security without physical security.
Lock down the BIOS and protect CMOS with passwords,
restrict the boot order, Power-On Password, Encrypted LVMs...
That is a hardy start.
Combined with a strong root password and a sudo account.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.