06-19-2006, 02:15 PM
|
#1
|
Member
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653
Rep:
|
Security, root and password ageing
I decided to up the security on my system by changing the root password and setting password ageing through YaST>Security and Users>Local Security. However, considering that I very rarely log in as root, is there a chance that the root password will be expired without giving any warning via my user account?
I already had some fun arising from this, as I set it without changing the password on my user account, then logged out. I expected simply that I would be prompted to change my password next time I logged in, but nooo... Instead, next time I booted up I was greeted with the message that "the system administrator has locked your account." Finally solved this by logging in as root and running usermod --inactive -1 <name>, then changing the password.
Also (bonus question): is there any way to change the username for root, to make it a little more difficult for would-be hackers?
Thanks,
Rob
Last edited by Robhogg; 06-19-2006 at 02:17 PM.
|
|
|
06-19-2006, 02:37 PM
|
#2
|
Member
Registered: Jan 2004
Location: /dev/random
Distribution: Gentoo amd64, CrunchBang amd64
Posts: 350
Rep:
|
I can answer the bonus question: root is simply the user with UID 0, GID 0 so yes, in theory, you could change the name of the super-user. Just change the entries in /etc/passwd and /etc/shadow from root to whatever and it should work. I have never tried this for the root account, so whatever security measures (like PAM or something else) you have might throw a fit if it's changed from root.
|
|
|
06-20-2006, 05:57 AM
|
#3
|
Member
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653
Original Poster
Rep:
|
Thanks for the response. Sounds like something I should try with a test installation first (when I get round to it), rather than with the installation I'm using everyday.
Rob
|
|
|
06-20-2006, 08:10 AM
|
#4
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Rep:
|
Sounds like something the people who make up security "best practices" for Microsoft should have tested as well. Not only does changing the default local admin account (root) break things in Linux, doing so in Windows does too. For example, when you attempt to repair a Windows installation, the recovery console is hard coded to prompt for the Administrator account password. Not an administrator account, the Administrator account! So if you change it you'll have to completely reinstall the OS to do something like fixmbr. That makes it a pretty bad practice in my book.
|
|
|
06-20-2006, 05:37 PM
|
#5
|
Member
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653
Original Poster
Rep:
|
Yet Mac OSX allows you to change the Administrator username to, say, Ermintrude. In this case the administrator is not root, but allows you to carry out a number of root-like tasks, and to activate or deactivate root login as necessary (deactivated by default). sudo works with the administrator, rather than root, password under OSX.
Anyone got any idea on the first question I posed (possibility of being locked out of root without warning by password ageing)?
Yours,
Rob
|
|
|
06-20-2006, 05:56 PM
|
#6
|
LQ Sage
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,675
Rep:
|
You can always change the root password to something you know if you have physical access to the box. Log on in single user mode or use some LiveCD and chroot.
|
|
|
06-20-2006, 06:02 PM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Plausible. Just have expiries (cronjob) emailed to your unpriv'ed user account.
Wrt to bonus: don't. Please search this forum for previous discussions about it.
|
|
|
06-20-2006, 07:07 PM
|
#8
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Rep:
|
Quote:
Originally Posted by Robhogg
Yet Mac OSX allows you to change the Administrator username to, say, Ermintrude.
|
And I can create a user account named root under Windows too, make that user a member of the account operators group and disable local Administrator. Net effect would be exactly the same: I've created an additional layer of complexity to solve a non-existent security problem. Weak passwords and users with no understanding of social engineering are the real problem. The solution, therefore, is to enforce strong passwords and educate your users. Not create an administrative nightmare. IMVHO.
|
|
|
06-25-2006, 08:58 AM
|
#9
|
Member
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653
Original Poster
Rep:
|
Thanks for the reply.
Quote:
Originally Posted by unSpawn
Plausible. Just have expiries (cronjob) emailed to your unpriv'ed user account.
|
How would I do this? Apropos doesn't show anything for 'expiries'
Quote:
Wrt to bonus: don't. Please search this forum for previous discussions about it.
|
OK I won't
I don't agree, though, that it is pointless to change the name of the admin account. Knowing that any linux system will have an account called root vastly simplifies the job of anyone who wants to hack in. It means that, with passwords of equivalent complexity, it will actually be easier for a hacker to access root than an unprivileged user account.
Rob
Last edited by Robhogg; 06-25-2006 at 09:03 AM.
|
|
|
06-27-2006, 09:05 AM
|
#10
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
How would I do this? Apropos doesn't show anything for 'expiries'
|
"man chage" ;-p
Here's a lame example:
Code:
# Run as root. Current chage prints "Password expires" and "never" in lower case, hence the -i.
cut -d ":" -f 1,3 /etc/passwd | tr ":" " " | sort -n -k2 | while read -r logname uid;
do printf '%s ' "$logname"; chage -l "$logname" | grep -i "^Password Exp" | cut -d ":" -f 2-;
done | grep -vi never | awk '{print $4, $2, $3, $1}' | sort
Quote:
I don't agree, though,
|
...and that's exactly why I told you to search this forum: to avoid unnecessary discussion. TIA
|
|
|
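The cron-mailed expiry report suggested in this thread, as an added example that is not part of any post: it reads the shadow(5) ageing fields directly instead of parsing chage -l output, and also shows when the inactivity period would disable the account (the lock-out described in post #1). The script path, the MAILTO user and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report passwords close to expiry using
# the ageing fields of shadow(5), counted in days since 1970-01-01:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved

# expiring_accounts TODAY LIMIT   (shadow-format lines on stdin)
# Prints "name days_left locks_in" for passwords expiring within LIMIT days.
# days_left < 0 means already expired; locks_in is days until the account is
# disabled by the inactivity period, or "never" when none is set.
expiring_accounts() {
    awk -F: -v today="$1" -v limit="$2" '
        $2 ~ /^[!*]/ { next }                          # locked or no-login accounts
        $3 == "" || $5 == "" || $5 >= 99999 { next }   # ageing not enabled
        $3 == 0 { print $1, 0, "n/a"; next }           # change forced at next login
        {
            left = $3 + $5 - today
            if (left > limit) next
            lock = ($7 == "" || $7 < 0) ? "never" : left + $7
            print $1, left, lock
        }'
}

# Constructed sample data (hashes replaced by the word HASH).
sample_shadow() {
    printf '%s\n' \
        'root:HASH:19950:0:60:7:5::' \
        'rob:HASH:19900:0:90:7:::' \
        'alice:HASH:19990:0:90:7:::' \
        'daemon:*:19000:0:99999:7:::'
}

# From root's crontab, with MAILTO set to the unprivileged account so cron
# mails any output there (script path and user name are hypothetical):
#   MAILTO=rob
#   0 8 * * * /usr/local/sbin/pw-expiry --cron 14
if [ "${1:-}" = "--cron" ]; then
    getent shadow | expiring_accounts "$(( $(date +%s) / 86400 ))" "${2:-14}"
else
    sample_shadow | expiring_accounts 20000 14   # demo run with a fixed "today"
fi
```

Run without arguments it prints the report for the sample entries; cron sends mail only when the script produces output, so quiet days generate no message.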