LinuxQuestions.org

Linux - Security forum thread: How to diff between 2 users with uid 0 (https://www.linuxquestions.org/questions/linux-security-4/how-to-diff-between-2-users-with-uid-0-a-4175455336/)

urip 03-24-2013 03:03 AM

How to diff between 2 users with uid 0
 
Hello,
I created a new user "rootNew".
After creation I manually changed the file /etc/passwd and gave the new user "rootNew" uid 0.
Now I have 2 users with uid 0 (root, rootNew); how can I know which user is logged in to the system?
The "whoami" command returns "root" for both users.
Thanks,
Uri

unSpawn 03-24-2013 04:20 AM

Quote:

Originally Posted by urip (Post 4917594)
I created a new user "rootNew".
After creation I manually changed the file /etc/passwd and gave the new user "rootNew" uid 0.

Creating multiple root users is strongly discouraged as it is not a security best practice.
Why do you (think you) need another root account in the first place?

urip 03-24-2013 04:25 AM

I know this is bad practice.
The reason I asked the question in the first place is to catch the times that someone uses a bad configuration and a user like this logs in.
That's why I want to know if there is a way to tell whether a non-root user with uid 0 has logged in.

jschiwal 03-24-2013 04:38 AM

You should create another user who can use sudo instead. Don't create a user who is an alias for root. The system uses the UID and not the username.

urip 03-24-2013 04:44 AM

Yes, I know this is not the correct configuration.
This is part of a solution for our customers to detect such bad-practice configurations.
That's why I want to catch those mistakes by script or any other solution.

pierre2 03-24-2013 07:20 AM

As per the answers that you were given in the Mint forum:

http://forums.linuxmint.com/viewtopi...701857#p701857

- on the user privileges tab, give the account holder the same privileges as root.

unSpawn 03-24-2013 07:58 AM

Monitor / examine /etc/passwd, filter log files for logged account changes (PAM mostly) and check wtmp and lastlog login records. That should give you a warning when changes happen and if the account gets used, and allows you to retaliate / suppress usage and revert back. GNU Tiger, Logwatch, LSAT, Rootkit Hunter and a gazillion other tools already contain checks to warn you, so there's no need for wheel re-invention IMHO: just cron job your tool of choice.

There's probably a login watcher in your distribution's repos that would be better to use instead of doing something like this:
Code:

# For every UID-0 account in /etc/passwd that is not named "root" ...
awk -F':' '($3 == 0 && $1 != "root") {print $1}' /etc/passwd | while read -r _USERNAME; do
  # ... find every tty that account is logged in on (who -u prints NAME LINE ...) ...
  who -u | awk -v U="$_USERNAME" '($1 == U) {print $2}' | while read -r _USERTTY; do
    # ... and kill every process attached to that tty (\ps bypasses any shell alias).
    \ps --no-headers -t "/dev/$_USERTTY" -o pid | while read -r _USERPID; do
      kill -9 "$_USERPID"
    done
  done
done


unSpawn 03-24-2013 08:00 AM

Quote:

Originally Posted by pierre2 (Post 4917688)
- on the user privileges tab, give the account holder the same privileges as root.

AFAIK the question is about detecting and negating the effect of cluebies creating additional root accounts, rather than the OP seeking a way to deliberately weaken a machine's security posture.

pierre2 03-24-2013 11:07 PM

Quote:

negating the effect of cluebies creating additional root accounts
Root privileges on another account still need to be given by an account holder
who already has root privileges.

So they would need to know the actual root password
so that they can grant that privilege to another account,
and this has to be done on the user privileges tab of the non-root account.

It's really a case of the weakness of the root password in being too widely known.
This is the only way that a cluebie could create another root account.

You can have lots of users who all have root privileges
that can do stuff that really should be done using sudo,
but there should only ever be one actual root user account.

Linux_Kidd 03-25-2013 12:35 AM

Is the env the same for both? Can $HOME reveal what you need?

pan64 03-25-2013 02:02 AM

Quote:

Originally Posted by Linux_Kidd (Post 4918104)
Is the env the same for both? Can $HOME reveal what you need?

I do not think they are really different. Most (if not all) of the applications handle the user ID, not the user name, therefore they cannot distinguish between them.

If you need some special account you will need to use sudoers or similar (as was already suggested).

jschiwal 03-25-2013 06:16 AM

I tried it out for myself. The last and who commands do show the alias name. Whoami shows root. Remember, the new user is an alias as root. In other words, it is root.

I don't know if PAM can be modified to prevent a root from logging in.

Also consider installing and configuring the audit system. See if it logs commands by UID or
You could have a cron job check for multiple entries in /etc/passwd with a UID of 0.

---
I guess that PCI compliance may require that the root user be replaced with a different username alias. Since /etc/passwd is readable by all users, this is security by pretend obscurity, and may make a system unstable if the username of root is assumed by any programs or scripts. Who's the moron who thought that one up?
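The two detection ideas in this thread, the /etc/passwd scan from unSpawn's script and jschiwal's observation that last and who report the alias name, combined into one checker. This is an added example, not code from the thread; it takes the passwd file and a who -u (or last) listing as file arguments so it runs offline on the constructed sample data below, and all names are assumptions.

```shell
#!/bin/sh
# Added example: find extra UID-0 accounts and check whether any of them
# has a login session. Inputs are files so the check can run offline; on a
# live host feed it /etc/passwd and the output of `who -u` or `last -w`
# (both print the login NAME in field 1 and the LINE/tty in field 2).

# Print the names of all UID-0 accounts other than "root".
extra_uid0_accounts() {          # $1 = passwd file
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "NAME TTY" for each session whose login name is an extra UID-0 account.
# whoami cannot tell these apart (it maps UID 0 back to "root"), but the
# login records still carry the name that was typed at the prompt.
uid0_alias_sessions() {          # $1 = passwd file, $2 = who/last output file
  extra_uid0_accounts "$1" | while read -r name; do
    awk -v u="$name" '$1 == u { print $1, $2 }' "$2"
  done
}

# Exit status for a cron job: 0 = only root has UID 0, 1 = extra UID-0
# accounts exist, 2 = one of them is (or was) logged in.
uid0_status() {                  # $1 = passwd file, $2 = who/last output file
  extra=$(extra_uid0_accounts "$1")
  [ -n "$extra" ] || return 0
  sessions=$(uid0_alias_sessions "$1" "$2")
  [ -n "$sessions" ] || return 1
  return 2
}

# Constructed sample data (not from a real host): a passwd file with two
# UID-0 entries and a who -u listing where the alias is logged in on pts/1.
SAMPLE_PASSWD=$(mktemp); SAMPLE_WHO=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_WHO"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rootNew:x:0:0:Second root:/home/rootNew:/bin/bash
uri:x:1000:1000:Uri:/home/uri:/bin/bash
EOF
cat >"$SAMPLE_WHO" <<'EOF'
uri      tty1         2013-03-24 03:01   .          1234
rootNew  pts/1        2013-03-24 03:05   .          1300 (192.0.2.10)
EOF

uid0_alias_sessions "$SAMPLE_PASSWD" "$SAMPLE_WHO"   # prints: rootNew pts/1
```

On a live system, `who -u > /tmp/who.txt; uid0_status /etc/passwd /tmp/who.txt` gives the cron-friendly exit code, and substituting `last -w` for `who -u` checks wtmp history instead of current sessions.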

Linux_Kidd 03-26-2013 05:13 PM

So, we need clarity from the OP. I didn't see anything about apps knowing the diff. The OP's Q was "how can I tell them apart", and gave a whoami example.

echo $HOME will tell the two apart if -d was used with useradd.
