Re: Alternative superuser aside from root
Tito Mari Francis Escaqo wrote: Is it possible to replace root with another username as superuser? This could make the system very secure because when it comes to ^^^ No. ^^ No. BSD/Unix/Linux, the root is the most coveted user account. That is, hackers would all be barking the wrong tree if the real superuser is actually another username. Most exploits come from misbehaving programs running as the superuser (formerly known as "root" :-p ), so the user name is not involved. Use a good password (if any) for root and possibly disable root login via ssh, and you're fine. I installed and use OpenBSD 3.9 as Internet gateway in our company, installed it via floppy disk. If it's possible, can you pls give me pointers how to do it? Thank you very much! It is. See below. But don't. You'll screw things up. See below. /Alexander P.S. Now look what you made me do! -- $ sudo chpass root $ sudo chpass root1 sudo: no passwd entry for root! $ sudo sudo: no passwd entry for root! $ su - su: unknown login root $ su root1 - Password: # chpass root chpass: unknown user: root # chpass root1 # exit $ sudo chpass root chpass: no changes made chpass: /etc/master.passwd: unchanged -- See? Don't do this! :-( D.S.
Re: Alternative superuser aside from root
On Tue, Aug 08, 2006 at 03:54:45PM +0800, Tito Mari Francis Esca?o wrote: > Is it possible to replace root with another username as superuser? > This could make the system very secure because when it comes to > BSD/Unix/Linux, the root is the most coveted user account. That is, > hackers would all be barking the wrong tree if the real superuser is > actually another username. > > I installed and use OpenBSD 3.9 as Internet gateway in our company, > installed it via floppy disk. > > If it's possible, can you pls give me pointers how to do it? Thank you > very much! > yes, it is, but it's pointless. Name doesn't matter too much, unlike uid. In case of, i.e. sshd you can use PermitRootLogin directive. - Lukasz Sztachanski -- 0x058B7133 // 16AB 4EBC 29DA D92D 8DBE BC01 FC91 9EF7 058B 7133 http://entropy.pl http://entropy.pl/?blog
Re: Alternative superuser aside from root
Hi, It is possible to rename your root account... You have to change it's name in /etc/passwd and maybe change its home directory. BUT: a) some programs may not work properly 'cause they depend on the name of the super-user account (I can't remember of any example right-now, but I'm sure some exist...) b) This is NOT a security enhancement... The superuser is not understood by the system by its name, but by it's user-id. The superuser is the account with user-id 0 (zero). When a hacker exploits a known buffer overflow, what the code does is (try to) change its user-id to 0. You won't achieve anything by renaming the account... The quest of a hacker is not towards 'root' account, but towards user-id zero. regards, stef
Re: Alternative superuser aside from root
On 8/8/06, Tito Mari Francis Escaqo <[EMAIL PROTECTED]> wrote: Is it possible to replace root with another username as superuser? Sure, just change its password entry. That said, I wouldn't recommend wasting your time on this. This could make the system very secure because when it comes to BSD/Unix/Linux, the root is the most coveted user account. No, it wouldn't make your system any more secure than it was before the change. I recommend you read the archives to see why your suggestion isn't too worthwhile. One reason why s/root/anything/ won't help you much is that its UID is still 0. In other words: you still have an almighty user on the system. The concept of usernames is primarily to make things easier for us humans. Under the hood, things work in terms of (numeric) UIDs/GIDs. As a hacker, you'd just go for UID 0. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Alternative superuser aside from root
Is it possible to replace root with another username as superuser? This could make the system very secure because when it comes to BSD/Unix/Linux, the root is the most coveted user account. That is, hackers would all be barking the wrong tree if the real superuser is actually another username. I installed and use OpenBSD 3.9 as Internet gateway in our company, installed it via floppy disk. If it's possible, can you pls give me pointers how to do it? Thank you very much!