Use a Different Name for 'root'
Okay. This might be a stupid question, but is there any way to build a linux distro with a root user named something other than 'root'?
I'm trying to set up a mobile system where the username 'root' will be used for something else. It'd probably be more secure with an unconventional superuser name, anyway. (Also, is there any way to rename the root user on an existing distro, pre- or post-install?) Thanks all! |
Well, even if it is possible, why not create an extra user with root privileges and lock the root account with a password that is very, very long and will take ages to break + configure the system to use the other account when needed?
|
Well, I suppose I could, but it wouldn't solve the problem of me needing the username 'root' for a non-superuser.
Even if it isn't a good idea, let's just say in the spirit of academic inquiry, is there a way to do this? Thanks for your response. :D |
Also, disable root login from remote, so it won't do anyone any good to try to brute force the account without physical access.
If you set up an app that uses a less privileged account named "root", and you try to do something with it that says you need "root" privileges, things are going to get mighty confusing. |
The root account gets all sorts of special treatment in terms of the way it can access files and run commands. My understanding is that these features are built into the kernel itself, which means you would probably have to build your own kernel--probably not worth the trouble.
You might be able to switch around user/UID and group/GID pairings by doing some clever juggling with usermod, but I don't know that the system would honour changes to the root account while logged in as root. Another thought: if you lock down the root account, like Arcane suggests, you still can't create an additional "root" account. However, since Linux is case sensitive, you could create something similar; Root or r00t, perhaps |
Oh, okay. I wasn't sure if 'root' was built into the kernel or not. In the case that it is, I suppose my project just got 10x more complex.
'root' is a poor choice for a superuser name, in my opinion. The word "root" seems to already be used all over the place in the computer sciences. At any rate, does anyone have any good resources on the mechanics of a superuser? If I do modify the kernel (which is currently way over my head), I might also need a reference to a good source which could explain the anatomy of the Linux kernel. :D |
Why aren't you using sudo? That way you can restrict access to superuser actions, you can even restrict the superuser actions taken by account and you don't have to give out the root password. Look into visudo (man visudo).
|
I second Sudo usage for tasks requiring root privileges. |
Arcane, I concur: it is perfectly possible and even desirable to grant administrative privileges to different accounts. I read stormreactor's post to mean that he wanted to use the word "root" as the name for a different account (presumably non-administrative). I was saying that the system would not allow that particular string of letters, r-o-o-t, to be used to indicate two separate accounts (that is, 2 UIDs), and that there was likely no way to assign the root account (UID 0) a different user name.
|
Haha, okay. I guess I'd better go into a bit more detail on my project.
I am attempting to build a Linux distribution for a particular homebrew mobile computing platform. It's not another run-of-the-mill computer operating system for your desktop. It has to serve some very specific functions, one of which involves utilizing a user named 'root'. For the purposes of security, I don't want to use the superuser account 'root' which appears in 99% of Linux distros out there. I want to create a separate account named 'root', which will be highly restricted and not have any root privileges whatsoever. Why not create another user with a different name that can do the same tasks, you might ask? Well, I suppose I could, but naming the user 'root' would make things much easier at a hardware level. Trust me. I know that this is the "Newbie" section of LinuxQuestions.org, and I am a Linux newbie, so I didn't know how complicated this question was. It is possible that I just bit off more than I can chew, or I'll just have to migrate to another Unix-like kernel where the root user can be renamed. (I'm not aware of any that exists, however.) As for Ubuntu, I am keenly aware that you don't need to use the root account to get root privileges, since sudo is installed by default. But the 'root' user does still exist and is still vital to the function of the system under the surface. (You can access it by entering "sudo su" in the terminal.)
______________________________
@unSpawn - True, it may be faulty. I did think of that, but also thought that it would be easier to rename 'root'. I guess I was wrong. Also, read below.
@brain-ocs - You are correct in your reading of my post. I do want to totally obliterate 'root' as a superuser, which means replacing UID 0. If this isn't possible, I most definitely have to figure out a workaround. The mobile platform I'm working on is supposed to be a 'client' to another piece of hardware (which I didn't build) that imitates an actual physical user through a hard-wired interface.
This piece of hardware often accesses the client by logging in as 'root', and I am not aware of a way to reprogram it. It's decently old. |
In principle there should be a logical difference between root and uid 0. The main init process launches as uid 0. But you can't easily know if other scripts do reference "root". If you are stripping things down a lot you might be able to get into a state where you do know that. I'm not aware of any sanity checks etc, but I may well be wrong. Just rename it in passwd and shadow and group and reboot... |
https://help.ubuntu.com/community/RootSudo
http://en.wikipedia.org/wiki/Sudo |
I wonder what would happen if you would just rename the "root" entries in /etc/passwd and /etc/shadow to some other name. |
Code:
sudo nano
Code:
ps aux | grep nano |
Root is not "disabled". People do not avoid Ubuntu for that reason. You want root? Fine, have it. Ubuntu doesn't limit you from doing anything as root; it just uses a more finely tuned model for how it recommends you use it.
|
@Arcane - Are you sure? I can easily access the user named 'root' by entering "sudo su" (exactly like that and without the quotes) in an Ubuntu terminal. I don't think it's actually disabled. I just think it just doesn't have direct accessibility without using sudo, unless just some command line output that just imitates 'root'.
@unSpawn - Thanks for the reference. I'll definitely look into it if I actually do need to build my own kernel. Also, sorry for the 'root' name-bashing rant in my earlier post. I suppose it was a bit out of place. :D @acid_kewpie - Thanks for the info! The 'distro', if I should even call it that, will be very stripped-down. It won't have a GUI or even --gasp-- cron if I could get away with it. I just saw your most recent post. I had no idea about "sudo -i". Same function as "sudo su", I suppose. __________________________ EDIT: Wow! This thread is updating so fast! Even this reply is outdated. EDIT 2: Spelling correction. Paragraph 1: "accessibly" -> "accessibility" |
Sudo su - is one command nested in another. Yuck. Sudo -i is all within sudo and the resulting environment has useful variables like SUDO_USER and other useful things. It's a more recent addition though. In rhel5 but not rhel4 for example.
|
@acid_kewpie - Thanks for that. Just realized that "sudo -i" doesn't need a password as a result. Using that from now on. :D
Okay, back on topic, as for the whole "rename 'root'" thing, I'm going to install a distro in VirtualBox and try renaming 'root'. (I might need a bit of help with that, though.) And if it works, I'll totally post the results. Any recommendations on a VERY lightweight distro of Linux? ^_^" |
Code:
By default, the Root account password is locked in Ubuntu.
Code:
Just remember, when sudo asks for a password, it needs YOUR USER password, and not the Root account password.
Code:
Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command... |
But when you use sudo, it still doesn't "stay in custom account name", as you claimed.
You can "re-enable" Ubuntu's root account like this: Code:
sudo passwd |
As mentioned above, in reality (in special handling inside kernel etc) it's all about the uid = 0, rather than the actual string name 'root'.
You could try(?) renaming the root username, but remember that the uid for the 'SysAdmin' is still hardcoded as zero and you'd have to do your own kernel (and prob a few other tools) to get around that. More trouble than it's worth imho. The use of the word root for SysAdmin and root of the dir tree goes back to at least 1970 when Unix was invented, so I'd say the widespread use of the word nowadays for various stuff is derived from that, it's not the other way around as some earlier posts seem to imply. |
Thanks TobiSGD. I'll definitely give Micro Core a whirl. As for LFS, I'm probably going to have to follow it to build my crippled mobile distro at some point, anyway. Thanks for the rec! Downloading as we... type. :D
|
Code:
ubuntu@ubuntu# sudo firefox |
Code:
su -c firefox |
@Arcane - When I do that, it actually does say "root@ubuntu" if I use "sudo su" or "sudo -i". I'm using 11.04 (Natty Narwhal).
@chrism01 - Thanks for that. Yeah, I'm definitely going to try and rename 'root'. Having the system administrator at UID 0 is no problem. ^_^ |
Just ensure your new 'root' doesn't try to use that uid ... ;)
Usernames are like DNS names, they're just there for human convenience; in reality it's all done with numbers underneath :) |
Code:
The sudo command ("su do", pronounced /ˈsuːduː/,[2] though /ˈsuːdoʊ/ is also common, as is /ˌɛsˌjuːˈduː/) is a program for some Unix and Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser, or root). It is an abbreviation for "substitute user do" (as in, do a command with another user's privileges). By default, sudo will prompt for a user password but it may be configured to require the root password, and will require it only once every 15 minutes per pseudo terminal, or no password at all.[3] Sudo is able to log each command run and in some cases has completely supplanted the superuser login for administrative tasks, most notably in Linux distributions, such as Fedora and Ubuntu, as well as Apple's Mac OS X.[4][5]
edit: I just noticed you used a different command. Try just
Code:
sudo something |
@chrism01 - I'm a bit confused. Doesn't renaming a user maintain their UID? Unless you were kidding, in which case, it flew over my newbie head. LOL.
|
@Arcane - I don't recall enabling it. I'm using a fresh install on VirtualBox, and it's been doing it for me since 9.04 or earlier as far as I know. I have 10.10 installed on another computer (as the primary OS), and it behaves the same way. Is there something in the installation process that would control this? I've been seeing "root@whatever" ever since I learned about "sudo su".
|
Yeah, changing the string eg by editing /etc/passwd , has no effect on the uid. Normally(!) root=uid 0 (zero) and the zero is hardcoded inside kernel etc.
Edit; don't forget /etc/shadow as well :) |
@Arcane - Whoa, I just saw that you used "sudo firefox" and not "sudo su" in your command line example a few replies ago. --facepalm-- Yes, that will indeed run the program as root without switching users. --sighs-- I need to read more carefully.
|
Ooooookay. I've been at this all day, believe it or not. I installed Micro Core in VirtualBox and messed around with it until I realized that it doesn't include a usermod function. --smack--
Then I moved onto Damn Small Linux and successfully changed the root username to admin:
Code:
sudo usermod -l admin root
Can anyone think of a better way to do this? Should I change something in the sudoers file first or modify /etc/passwd? Any help would be appreciated. ^_^ |
Alright. After some more messing around, I think I've gotten pretty close.
In my DSL install, I've managed to change the name of root to 'admin' and it's, for the most part, been successful. After exiting to command prompt, I switched to 'root' and did the following:
Code:
sudo su /*this to switch to root*/
The amount of time it took me to figure this out shows my newbism loud and high. At any rate, with a little more tweaking, I suppose it is very possible to rename 'root' without hampering the OS's functions. If anyone has anything else to add to (or detract from) my methods, please let me know. I'll post a full report once I get sudo and anything else that's been affected working. Thanks all! |
What about /etc/shadow, or does DSL not use that ?
|
Finally (!)
Welp, it seems that everything is working fine! I simply rebooted the system, and sudo works just dandy! Looks like renaming 'root' isn't so tough after all! Thank you everyone for all your input and help. You guys rock!
And cancel that full report deal. The last reply just about covers it all. ^_^" But in case you want me to hold to my word, here's basically what I did:
1. Boot your Linux distro into command prompt (no GUI, though I guess using a GUI wouldn't hurt).
2. Switch over to root with "su root"
3. Edit the sudoers file to reflect the new name for 'root'.
4. Change the name of root using usermod. ("usermod -l <new name> root")
5. Edit /etc/passwd by replacing 'root' with your new root username.
6. You can now create a new underprivileged user named 'root' with adduser (optional).
7. Exit to the previous user and do a test switch to the new root ("su <new root name>").
8. Reboot to get sudo working right.
That's all, folks! |
@chrism01 - Hmm... Upon inspection, it appears that /etc/shadow is automatically modified by usermod.
Cheers! |
OK, but it sure looks like you expected sudo to give you a root prompt and thought that it's not working correctly:
|
@stormreactor,
Congratulations on your success! I have to admit that I'm a little surprised that changing UID 0 to something other than "root" didn't cause more problems. At the risk of being a downer; have you tested to see if this breaks some services that run as root or need to access directories and files owned by root? Do httpd, vsftpd, Samba, NFS, etc, still work? Just curious... |
@brian-ocs,
So far, it seems that nearly everything works as expected. Since this was only a test run, I haven't really tested it on any other services or daemons. The only things that I have noticed which don't work correctly are DSL's GUI Exit function and the network. As for Exit, the GUI prompt loads correctly, but when you make a selection, nothing happens. Regarding the network, neither Dillo nor Firefox seem to be able to connect to the Internet (i.e., resolve domain names, load webpages, etc.). Ultimately, I don't think that changing UID 0's name is clean by far. 'root' seems to be so ingrained into Linux's software that changing it is bound to break something. It is possible that making some adjustments to the config files will help resolve some of the issues, but 'root' may just be hard-wired into some binaries (again, newb here, so I don't know). Nevertheless, despite the problems, the OS (at least DSL) remains pretty functional. All programs seem to load, and even the 'root access' options correctly direct you to the correct new root user. In terms of my personal project, this is a great success. ^_^
_____________
EDIT: If you can, try doing some testing of your own, perhaps in a virtual environment, and see if you come up with any issues deeper in the OS. My knowledge of Linux is currently limited to what I can visually see in GUI and shell outputs, unfortunately, and I don't really know what to specifically look for to see if all the gears are working right.
EDIT 2: LOL, I don't know why I didn't think of this earlier, but in direct response to your question, running "ps" in the terminal shows a bunch of services running under the new root username, which is 'admin' in my case. So I suppose yes, for the most part? I don't have httpd, vsftpd, Samba, NFS, or any of those non-essential services installed, but services like pump, syslogd, and getty are running under the new root user. |
Okay, new update.
After changing the name of UID 0 (root), sudo doesn't actually work correctly. If you use it to access a protected file, it will still deny permission (such as accessing /etc/sudoers, for example). Other operations, such as the GUI mount for DSL, will also not work. What I mean to say is that this may not have been as 'clean' as I thought. While sudo gives the appearance of working, it does not. (You can still do root-level operations by switching to the root user with "su <root user>", however.) Also, as I mentioned in an earlier reply, the network stops working in DSL. Some of these problems may just be DSL specific, but as advice for anyone who wants to do what I did, build your own Linux system and do it at the beginning. It will remove a lot of headache. Nevertheless, if you do do it on a functioning system temporarily, it won't drastically kill it (with the stripped-down distros at any rate). You'll just have some problems with some system services and processes, that's all. Anyway, I hope this helps anyone who wants to replace 'root' out there, however few there may be. Good luck! |
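An added example, not part of any post in this thread: a small Python audit of the files the rename steps above touch (passwd, shadow, sudoers), run over constructed sample contents. The function names and the sample accounts are assumptions made for illustration.

```python
"""Added example: audit passwd/shadow/sudoers after renaming the UID 0 account.
All file contents are constructed samples; 'admin' follows the thread's test."""

PASSWD = """\
admin:x:0:0:superuser:/root:/bin/bash
root:x:1001:1001:legacy hardware login:/home/root:/bin/sh
dsl:x:1000:1000::/home/dsl:/bin/bash
"""
SHADOW = """\
admin:!:15000:0:99999:7:::
dsl:!:15000:0:99999:7:::
"""
SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
dsl ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
"""

def parse_passwd(text):
    """Return {name: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users

def sudoers_users(text):
    """User names that start a rule; skips comments, Defaults, aliases, %groups, #uid."""
    names = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0][0] in "#%@+" or tok[0].startswith("Defaults") or tok[0].endswith("_Alias"):
            continue
        names.append(tok[0])
    return names

def audit(passwd, shadow, sudoers):
    """Return (names holding UID 0, list of findings)."""
    users = parse_passwd(passwd)
    shadow_names = {l.split(":")[0] for l in shadow.splitlines() if ":" in l}
    findings = []
    uid0 = sorted(n for n, u in users.items() if u == 0)
    if len(uid0) != 1:
        findings.append(f"expected exactly one UID 0 account, found {uid0}")
    # Privilege follows the number; anything that looks up the literal name
    # (sudoers(5) documents runas_default as "root") now resolves to this account.
    if users.get("root", 0) != 0:
        findings.append("name 'root' maps to non-zero UID %d" % users["root"])
    for n in sorted(set(users) ^ shadow_names):
        where = "passwd but not shadow" if n in users else "shadow but not passwd"
        findings.append(f"{n}: in {where}")
    for n in sudoers_users(sudoers):
        if n not in users:
            findings.append(f"sudoers names unknown user {n}")
        elif n == "root" and users[n] != 0:
            findings.append("sudoers rule for 'root' now applies to an unprivileged account")
    return uid0, findings
```

On the constructed sample this reports three findings, including a leftover `root ALL=(ALL) ALL` rule that would now grant sudo rights to the unprivileged account named 'root'.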
yeah root has been a standard for the sysadmin's user name for decades, not just for linux/unix but other things like mysql
honestly i don't see any real reason to change it, but good luck |
But, if you had this,
Code:
[root@athlon ~]# vi /etc/passwd
Code:
[root@athlon ~]# vi /etc/passwd
Code:
Last login: Fri Jul 22 17:22:53 2011 from 192.168.1.99
Edited: never thought about sudo, but clearly that's another complication... |
superuser with an identity crisis?
go talk to the emacs psychiatrist :) |
Don't remember how it's done, but I have changed a user's number. Most users (in most distros) default to user id #1000. Some default to 500. I wanted all of my users (different distros) to be the same (since I am all of them), so I changed it to #1000.
I don't know if it would be possible to change a user's ID # to #0, thereby giving him complete root privileges. Don't really think it would be a good idea. And I would hope that it would be more difficult than that to obtain root privileges. |