Date:      Thu, 3 Mar 2005 09:12:38 -0800
From:      "Atom Powers" <APowers@PyramidBrew.com>
To:        "Wouter" <wouter@spierenburg.net>, <freebsd-security@freebsd.org>
Subject:   RE: Renaming root account
Message-ID:  <1AE2004B175A3D4A8B6230A10D0B5BE368E420@mercury0.pyramidbrew.com>

Enabling "toor" is not very different from renaming the root account,
worse because you would then have two "root" (uid 0) accounts.

I don't see any harm in renaming the root account, but I don't think it
would do much either. Most processes that use root run with setuid 0,
regardless of what's in the passwd file. Even in user land you don't have
to know what the root account is named if you use 'su' or 'sudo'.

The only case I can envision where it would make a difference is if you
have an application which wants to run as a specific (usually unpriv.)
user and you set it to use "root", or if you allow "root" logon through
ssh (bad idea) or terminal (but if somebody can get that then you are
already in trouble).

----
Perfection is just a word I use occasionally with mustard.

Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251
-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Wouter
Sent: Thursday, March 03, 2005 1:22 AM
To: freebsd-security@freebsd.org
Subject: Re: Renaming root account

Renaming root is generally a bad idea, what you could do, however, is set
a password on (thus enabling) the "toor" account and set root's shell to
/sbin/nologin

Wouter
----- Original Message -----
From: "Craig Edwards" <brain@winbot.co.uk>
To: <freebsd-security@freebsd.org>
Sent: Thursday, March 03, 2005 09:03
Subject: Renaming root account


> Hi everyone,
>
> One quick question: Is it safe and/or sensible to rename the root
> account, so that the only uid 0 user on a system is something different
> to root? I can see how this would be effective against external
> attackers who have no knowledge of the internals of the system as they
> would spend pointless hours trying to crack a user which doesn't exist,
> however to internal users they could always just cat /etc/passwd and see
> that root has been renamed. So firstly, is this possible, and security
> wise is it of any real use? Can anyone think of any apps it would break
> that assume that the uid 0 user is called root and don't just address
> the user by its uid?
>
> Thanks,
> Craig Edwards
>
> - --
> WinBot IRC client developer: http://www.winbot.co.uk
> ChatSpike - The users network: http://www.chatspike.net
> InspIRCd - Modular IRC server: http://www.inspircd.org
> Online RPG Developer: http://www.ssod.org
> - --
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
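
An added example, not part of the original thread: the replies above turn on how many uid 0 accounts exist and whether each one can log in, so this sh/awk audit lists every uid 0 entry in master.passwd(5)-format input regardless of its name. The function names and the sample entries (the renamed `admin` account and the placeholder hashes included) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every uid 0 account, whatever it is called.
# master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample: root given a nologin shell, toor enabled with a
# password (the setup suggested in the thread), plus a renamed, locked
# uid 0 account. The hashes are placeholders, not real values.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample data
root:$6$constructed$placeholder:0:0::0:0:Charlie &:/root:/sbin/nologin
toor:$6$constructed$placeholder:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
admin:*LOCKED*$6$constructed$placeholder:0:0::0:0:Renamed root:/root:/bin/csh
EOF
}

# Reads master.passwd-format lines from the named files or from stdin.
audit_uid0() {
    awk -F: '
        /^#/ || NF < 10 { next }    # skip comments and malformed lines
        $3 == 0 {
            # "*" or a "*LOCKED*" prefix means no password login is possible
            if ($2 == "")        pw = "EMPTY"
            else if ($2 ~ /^\*/) pw = "disabled"
            else                 pw = "set"
            # an empty shell field falls back to /bin/sh
            shell = ($10 == "") ? "/bin/sh" : $10
            printf "%s password=%s shell=%s\n", $1, pw, shell
        }
    ' "$@"
}

sample_master_passwd | audit_uid0
```

On a live FreeBSD host the same function can be pointed at the real database with `audit_uid0 /etc/master.passwd`, which requires root to read.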

