Use a Different Name for 'root'
 

Okay. This might be a stupid question, but is there any way to build a linux distro with a root user named something other than 'root'?

I'm trying to set up a mobile system where the username 'root' will be used for something else. It'd probably be more secure with an unconventional superuser name, anyway.

(Also, is there any way to rename the root user on an existing distro, pre- or post-install?)

Thanks all!

Well even if it is possible why not create extra user with root privileges and lock root account with password that is very very long and will take ages to break + configure system use the other account when needed?

Well, I suppose I could, but it wouldn't solve the problem of me needing the username 'root' for a non-superuser.

Even if it isn't a good idea, let's just say in the spirit of academic inquiry, is there a way to do this?

Thanks for your response. :D

Also, disable root login from remote, so it won't do anyone any good to try to brute force the account without physical access.

If you set up an app that uses a less privileged account named "root", and you try to do something with it that says you need "root" privileges, things are going to get mighty confusing.

The root account gets all sorts of special treatment in terms of the way it can access files and run commands. My understanding is that these features are built into the kernel itself, which means you would probably have to build your own kernel--probably not worth the trouble.

You might be able to switch around user/UID and group/GID pairings by doing some clever juggling with usermod, but I don't know that the system would honour changes to the root account while logged in as root.

Another thought: if you lock down the root account, like Arcane suggests, you still can't create an additional "root" account. However, since Linux is case sensitive, you could create something similar; Root or r00t, perhaps

Oh, okay. I wasn't sure if 'root' was built into the kernel or not. In the case that it is, I suppose my project just go 10x more complex.

'root' is a poor choice for a superuser name, in my opinion. The word "root" seems to already be used all over the place in the computer sciences.

At any rate, does anyone have any good resources on the mechanics of a superuser? If I do modify the kernel (which is currently way over my head), I might also need a reference to a good source which could explain the anatomy of the Linux kernel. :D

Why aren't you using sudo? That way you can restrict access to superuser actions, you can even restrict the superuser actions taken by account and you don't have to give out the root password. Look into visudo (man visudo).

Em..root privileges is key not account - ubuntu is example that root isn't required as rule for distro to work + extra users can be created just like in Windows with admin rights. My point was to disable root or not use at all so not create duplicate root in first place which makes no sence because OP wanted get rid of it.

That's not a problem with Linux but with a faulty or lacking project definition. And an odd choice of user name in the first place given you told us yourself you know that "The word "root" seems to already be used all over the place in the computer sciences"...


You do not want to go there. It's against standards, you'll break more than you will be able to fix and you'll be SOL and w/o support. If you want to dip your toes in kernel land beyond 'man capabilities' and its references I'd suggest starting with "Understanding the Linux Kernel".

I second Sudo usage for tasks requiring root privileges.

Arcane, I concur: it is perfectly possible and even desirable to grant administrative privileges to different accounts. I read stormreactor's post to mean that he wanted to use the word "root" as the name for a different account (presumably non-administrative). I was saying that the system would not allow that particular string of letters, r-o-o-t, to be used to indicate two separate accounts ( that is, 2 UIDs), and that there was likely no way to assign the root account (UID 0) a different user name.

Haha, okay. I guess I'd better go into a bit more detail on my project.

I am attempting to build a Linux distribution for a particular homebrew mobile computing platform. It's not another run-of-the-mill computer operating system for you desktop. It has to serve some very specific functions, one of which involves utilizing a user named 'root'.

For the purposes of security, I don't want to use the superuser account 'root' which appears in 99% of Linux distros out there. I want to create an separate account named 'root', which will be highly restricted and not have any root privileges whatsoever.

Why not create another user with a different name that can do the same tasks, you might ask? Well, I suppose I could, but naming the user 'root' would make things much easier at a hardware level. Trust me.

I know that this is the "Newbie" section of LinuxQuestions.org, and I am a Linux newbie, so I didn't know how complicated this question was. It is possible that I just bit off more than I can chew, or I'll just have to migrate to another Unix-like kernel where the root user can be renamed. (I'm not aware of any that exists, however.)

As for Ubuntu, I am keenly aware that you don't need to use the root account to get root privileges, since sudo is installed by default. But the 'root' user does still exist and is still vital to the function of the system under the surface. (You can access it by entering "sudo su" in the terminal.)
______________________________

@unSpawn - True, it may be faulty. I did think of that, but also thought that it would be easier to rename 'root'. I guess I was wrong. Also, read below.

@brain-ocs - You are correct in your reading of my post. I do want to totally obliterate 'root' as a superuser, which means replacing UID 0. If this isn't possible, I most definitely have to figure out a workaround. The mobile platform I'm working on is supposed to be a 'client' to another piece of hardware (which I didn't build) that imitates an actual physical user through a hard-wired interface. This piece of hardware often accesses the client by logging in as 'root', and I am not aware of a way to reprogram it. It's decently old.

Wtf? The root account is utterly essential under Ubuntu, you just don't directly login to it. What account do you think sudo uses? What account do you think all the init processes run as?

In principle there should be a logical difference between root and uid 0. The main init process launches as uid 0. But you can't easily know it other scripts do reference "root ". If you are stripping things down a lot you might be able to get into a state where you do know that. I'm not aware of any sanity checks etc, but I may well be wrong. Just rename it in passed and shadow and group and reboot...

root is disabled on Ubuntu and you won't access it with sudo you will just execute stuff with root privileges but will stay in custom account name. This is why many people avoid Ubuntu because they need root account by default. If you compare it to Windows sudo is like "Run as" command where you execute something as admin while staying in limited user without logging in that account.
https://help.ubuntu.com/community/RootSudo
Custom account with root privileges? It is like Windows XP where root is hidden Administrator account from Welcome screen outside safe mode and working one is extra admin acc with custom name you specify when install it. Also i never said root account doesn't exist in Ubuntu but is denied to user by default which makes same outcome.
http://en.wikipedia.org/wiki/Sudo

I thought that the kernel doesn't pay attention to the user's name, and that it only uses the user IDs (0 == root).

I wonder what would happen if you would just rename the "root" entries in /etc/passwd and /etc/shadow to some other name.

Open a terminal and run "sudo -i ". Root login shell.

Sorry, but this is wrong. At first, root is not disabled in Ubuntu, it simply has a very long and secure random password. Also, if you use sudo to start a program that program will be started as user root, not as your normal user with more rights. You can simply test that withthen do a on a different terminal and have a look who runs the nano-editor. And, as already stated by acid_kewpie, all init-scripts are runs as root. That is for example the reason, why you don't need to use sudo when adding commands that need root-privileges to rc.local.

Root is not "disabled". People do not avoid ubutu for that reason. You want root? Fine have it. Ubuntu doesn't limit you from doing anything as root it just uses a more finely tuned model for how it recommends you use it.

@Arcane - Are you sure? I can easily access the user named 'root' by entering "sudo su" (exactly like that and without the quotes) in an Ubuntu terminal. I don't think it's actually disabled. I just think it just doesn't have direct accessibility without using sudo, unless just some command line output that just imitates 'root'.

@unSpawn - Thanks for the reference. I'll definitely look into it if I actually do need to build my own kernel. Also, sorry for the 'root' name-bashing rant in my earlier post. I suppose it was a bit out of place. :D

@acid_kewpie - Thanks for the info! The 'distro', if I should even call it that, will be very stripped-down. It won't have a GUI or even --gasp-- cron if I could get away with it. I just saw your most recent post. I had no idea about "sudo -i". Same function as "sudo su", I suppose.
__________________________

EDIT: Wow! This thread is updating so fast! Even this reply is outdated.

EDIT 2: Spelling correction. Paragraph 1: "accessibly" -> "accessibility"

Is the password legal? I thought it just had a. "!" In the crypt string or something to make it impossible to match. That would be the "disable " as far as it could be described as such.

Sudo su - is one command nested in another. Yuck. Sudo -i is all within sudo and the resulting environment has useful variables like SUDO_USER and other useful things. It's a more recent addition though. In rhel5 but not rhel4 for example.

@acid_kewpie - Thanks for that. Just realized that "sudo -i" doesn't need a password as a result. Using that from now on. :D

Okay, back on topic, as for the whole "rename 'root'" thing, I'm going to install a distro in VirtualBox and try renaming 'root'. (I might need a bit of help with that, though.) And if it works, I'll totally post the results.

Any recommendations on a VERY lightweight distro of Linux? ^_^"

Sorry, don't know that.

It may be a bit longer to learn that, but for your purpose I would recommend to go the way through LFS to get a better understanding of the whole system. If you don't want that, VERY lightweight distributions are Tinycore (or, if you don't need GUI better Microcore) and Slitaz, which also have a version without GUI. The Slitaz scratchbook may also help you to set up a basic system that is tailored to your needs.

People read please that link i posted from official Ubuntu website. Ubuntu gives your user admin rights but unlike other distros it hides root so you don't have it by default without executing special commands. And it asks your user password not root password for sudo. Some quotes to get you interested to click on that link:
If it doesn't ask for root password it shows user is in admin group.
It is all just misunderstanding. I just said Ubuntu works different from rest of distros which it does.

But when you use sudo, it still doesn't "stay in custom account name", as you claimed.

You can "re-enable" Ubuntu's root account like this:

Enter your new root password when it prompts you, and now it's just like any other distro.

As mentioned above, in reality (in special handling inside kernel etc) it's all about the uid = 0, rather than the actual string name 'root'.
You could try(?) renaming the root username, but remember that the uid for the 'SysAdmin' is still hardcoded as zero and you'd have to do your own kernel (and prob a few other tools) to get around that.
More trouble than it's worth imho.

The use of the word root for SysAdmin and root of the dir tree goes back to at least 1970 when Unix was invented, so I'd say the widespread use of there word nowadays for various stuff is derived from that, it's not the other way around as some earlier posts seem to imply.

Thanks TobiSGD. I'll definitely give Micro Core a whirl. As for LFS, I'm probably going to have to follow it to build my crippled mobile distro at some point, anyway. Thanks for the rec! Downloading as we... type. :D

Have you used Ubuntu? It stays. Ok example

But the Firefox of this example is launched as root, it doesn't stay in your users account. You can achieve the same behavior on any distro with a "real" root-account with Of course it is not recommended to use Firefox as root.

@Arcane - When I do that, it actually does say "root@ubuntu" if I use "sudo su" or "sudo -i". I'm using 11.04 (Natty Narwhal).

@chrism01 - Thanks for that. Yeah, I'm definitely going to try and rename 'root'. Having the system administrator at UID 0 is no problem. ^_^

Just ensure your new 'root' doesn't try to use that uid ... ;)
Usernames are like DNS names, they're just there for human convenience; in reality it's all done with numbers underneath :)

This is where other link comes in.
Can we stop now? My point was to say Ubuntu doesn't share same philosphy like rest of common distributions. How come when there is topic about how bad Ubuntu is people remember this but when there isn't they forget differences? Of course under the hood it is still same Debian and same Linux but it works different when it comes to execution.
Maybe you enabled it? After fresh install it doesn't do it. Doubt they changed this from Natty but i may be outdated. On 10.10 version this system was still working.
edit: I just noticed you used different command. Try just

@chrism01 - I'm a bit confused. Doesn't renaming a user maintain their UID? Unless you were kidding, in which case, it flew over my newbie head. LOL.

@Arcane - I don't recall enabling it. I'm using a fresh install on VirtualBox, and it's been doing it for me since 9.04 or earlier as far as I know. I have 10.10 installed on another computer (as the primary OS), and it behaves the same way. Is there something in the installation process that would control this? I've been seeing "root@whatever" ever since I learned about "sudo su".

Yeah, changing the string eg by editing /etc/passwd , has no effect on the uid. Normally(!) root=uid 0 (zero) and the zero is hardcoded inside kernel etc.

Edit; don't forget /etc/shadow as well :)

@Arcane - Whoa, I just saw that you used "sudo firefox" and not "sudo su" your command line example a few replies ago. --facepalm-- Yes, that will indeed run the program as root without switching users. --sighs-- I need to read more carefully.

sudo doesn't work like su. It runs a command, not an interactive shell (use "sudo -i" for that).

Ooooookay. I've been at this all day, believe it or not. I installed Micro Core in VirtualBox and messed around with it until I realized that it doesn't include a usermod function. --smack--

Then I moved onto Damn Small Linux and successfully changed the root username to admin:

It successfully changed root's username, but that caused everything else to crap out. (I could no longer use sudo because root no longer existed, etc., etc.)

Can anyone think of a better way to do this? Should I change something in the sudoers file first or modify /etc/passwd? Any help would be appreciated. ^_^

Alright. After some more messing around, I think I've gotten pretty close.

In my DSL install, I've managed to changed the name of root to 'admin' and it's, for the most part, been successful.

After exiting to command prompt, I switched to 'root' and did the following:

While I can now log in as admin with su and do everything as if I'm root, sudo still does not work.

The amount of time it took me to figure this out shows my newbism loud and high. At any rate, with a little more tweaking, I suppose it is very possible to rename 'root' without hampering the OS's functions.

If anyone has anything else to add to (or detract from) my methods, please let me know. I'll post a full report once I get sudo and anything else that's been affected working. Thanks all!

What about /etc/shadow, or does DSL not use that ?

Finallly (!)
 

Welp, it seems that everything is working fine! I simply rebooted the system, and sudo works just dandy! Looks like renaming 'root' isn't so tough after all! Thank you everyone for all your input and help. You guys rock!

And cancel that full report deal. The last reply just about covers it all. ^_^" But in case you want me to hold to my word, here's basically what I did:

1. Boot your Linux distro into command prompt (no GUI, though I guess using a GUI wouldn't hurt).
2. Switch over to root with " su root "
3. Edit the sudoers file to reflect the new name for 'root'.
4. Change the name of root using usermod. (" usermod -l <new name> root ")
5. Edit /etc/passwd by replacing 'root' with your new root username.
6. You can now create a new underprivileged user named 'root' with adduser (optional).
7. Exit to the previous user and do a test switch to the new root (" su <new root name> ").
8. Reboot to get sudo working right.

That's all, folks!

@chrism01 - Hmm... Upon inspection, it appears that /etc/shadow is automatically modified by usermod.

Cheers!

Of course. This is why first link from Ubuntu page comes in. I was just answering reply but you can't deny Ubuntu uses different approach and doesn't enable root by default for people to login and use without enabling it - even Debian after fresh install allows login as root without enabling it. This is just 1 example why people say Ubuntu and Debian not mention other distros not based on *buntu shares differences in working approach.

OK, but it sure looks like you expected sudo to give you a root prompt and thought that it's not woring correctly:

sudo works like "su -c". And why would you expect it give you a prompt if you told it to run the "firefox" command? What does that have to do with a bash prompt?

@stormreactor,

Congratulations on your success! I have to admit that I'm a little surprised that changing UID 0 to something other than "root" didn't cause more problems.

At the risk of being a downer; have you tested to see if this breaks some services that run as root or need to access directories and files owned by root? Do httpd, vsftpd, Samba, NFS, etc, still work?

Just curious...

@brian-ocs,

So far, it seems that nearly everything works as expected. Since this was only a test run, I haven't really tested it on any other services or daemons.

The only things that I have noticed which doesn't work correctly is DSL's GUI Exit function and the network. As for Exit, the GUI prompt loads correctly, but when you make a selection, nothing happens. Regarding the network, neither Dillo nor Firefox seem to be able to connect to the Internet (i.e., resolve domain names, load webpages, etc.).

Ultimately, I don't think that changing UID 0's name is clean by far. 'root' seems to be so ingrained into Linux's software that changing it is bound to break something. It is possible that making some adjustments to the config files will help resolve some of the issues, but 'root' may just be hard-wired into some binaries (again, newb here, so I don't know).

Nevertheless, despite the problems, the OS (at least DSL) remains pretty functional. All programs seem to load, and even the 'root access' options correctly direct you to the correct new root user. In terms of my personal project, this is a great success. ^_^
_____________

EDIT: If you can, try doing some testing of your own, perhaps in a virtual environment, and see if you come up with any issues deeper in the OS. My knowledge of Linux is currently limited to what I can visually see in GUI and shell outputs, unfortunately, and I don't really know what to specifically look for to see if all the gears are working right.

EDIT 2: LOL, I don't know why I didn't think of this earlier, but in direct response to your question, running "ps" in the terminal shows a bunch of services running under the new root username, which is 'admin' in my case. So I suppose yes, for the most part? I don't have httpd, vsftpd, Samba, NFS, or any of those non-essential services installed, but services like pump, syslogd, and getty are running under the new root user.

Okay, new update.

After changing the name of UID 0 (root), sudo doesn't actually work correctly. If you use it to access a protected file, it will still deny permission (such as accessing /etc/sudoers, for example). Other operations, such as the GUI mount for DSL, will also not work.

What I mean to say is that this may not have been as 'clean' as I thought. While sudo gives the appearance of working, it does not. (You can still do root-level operations by switching to the root user with "su <root user>", however.)

Also, as I mentioned in an earlier reply, the network stops working in DSL. Some of these problems may just be DSL specific, but for your advice for anyone who wants do what I did, build your own Linux system and do it at the beginning. It will remove a lot of headache.

Nevertheless, if you do do it on a functioning system temporarily, it won't drastically kill it (with the stripped-down distros at any rate). You'll just have some problems with some system services and processes, that's all. Anyway, I hope this helps anyone who wants to replace 'root' out there, however few there may be. Good luck!

yeah root has been a standard for the sysadmin's user name for decades, not just for linux/unix but other things like mysql
honestly i don't see any real reason to change it, but good luck

As others have said, that's true. The name "root" has no real significance (or it least it should have no significance). UID=0 is what is important. (I'm not certain how this would all tie into SELinux, though.)

But, if you had this,
Then reversed the first two /etc/passwd entries,
If you logon as root after the above change is made,
But it's just a bad idea to change the first root/uid=0 entry.

Edited: never thought about sudo, but clearly that's another complication...

superuser with an identity crisis?

go talk to the emacs psychiatrist :)

Don't remember how it's done, but I have changed a users number. Most users users (in most distros) default to user id #1000. Some default to 500. I wanted all of my users (different distros) to be the same (since I am all of them), since I changed it to #1000.

I don't know if it would be possible to change a users ID # to #0. thereby giving him complete root privileges. Don't really think it would be a good idea. And I would hope that it would be more difficult than that to obtain root privileges.