Re: Change root user name? possible?
Ara Avvali writes: Sorry if this might sound crazy, but is there anyway to rename root account to something else for extra security? Thank you It would not provide you any more security. The key thing is the UID which for root has to be '0' You can create any number of accounts with UID of 0 if you want. I usually create another account with UID 0 for my own use, but for convenience reasons and not security. That way I can have a root account with a different home directory and shell, and such stuff all ready for me when I log in, but not have to tamper with the main root account. jerry ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
* Ara Avvali <[EMAIL PROTECTED]> [0804 00:04]: > What I mean if someone wants to hack to machine or even get physical access > half of the job is done by knowing the root user name. Although windows > security blows but they have this feature renaming administrator user > account name uid 0 is special, not the name root. A lot of exploits try to su to uid 0. But a buttload of scripts would do a chown root secretfile; chmod 400 secretfile which would cause you all sorts of problems. > It would be like if you want to go in a street and steal a diamond ring. > First you have to know the lot number of house which has it and second the > key to get in. would make it harder to try every single house you're better off locking the door. disallow root logins off the network. -- VMS is like a nightmare about RSX-11M. Rasputin :: Jack of All Trades - Master of Nuns ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
On Thu, Aug 26, 2004 at 08:49:06AM +0930, Tim Aslat wrote: > In the immortal words of Charles Swiger <[EMAIL PROTECTED]>... > > Whether this gains you much security is another question entirely, and > > you risk breaking single-user mode and various low-level pieces of > > software which expect root to exist, but it can be done. > > I know it can be done, a couple of typos in vipw and I lost the root > account, very disconcerting, but single use mode still seemed to work, > probably because the toor account was still intact even though it has a > password of *. Actually, single user mode doesn't consult the password file at all -- or anything much in /etc except for /etc/fstab, and even that you can avoid. It gives you a superuser login session simply by setting the UID to 0, which is all that really counts to the lower leves of the system. If you think about it, that's a really useful design feature. It means you can recover the system even if your /etc directory gets completely scrambled. A good measure of the strength of your unix-fu is how badly trashed a system you can recover without having to re-install. You'ld be amazed at what some people have managed to resurrect. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK pgpyM98O1icdI.pgp Description: PGP signature
Change root user name? possible?
Huh Looks like it is pointless do such a thing. Thank you for reply Message: 21 Date: Thu, 26 Aug 2004 00:59:26 +0200 From: Radek Kozlowski <[EMAIL PROTECTED]> Subject: Re: Change root user name? possible? To: Ara Avvali <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=iso-8859-2 On Wed, Aug 25, 2004 at 06:50:46PM -0400, Ara Avvali wrote: > Sorry if this might sound crazy, but is there anyway to rename root account > to something else for extra security? > Thank you I don't think it would increase your security, because any person that has access to your machine could perform `pw usershow -u 0` and get the name of superuser's account. You'd be much better off setting PermitRootLogin to No in sshd_config and using only su everytime you need root privileges. -Radek -- Message: 22 Date: Mon, 26 Jul 2004 01:59:02 +0200 From: "Mania.co.il" <[EMAIL PROTECTED]> Subject: Re: Change root user name? possible? To: [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=us-ascii Hello Ara, Thursday, August 26, 2004, 12:50:46 AM, you wrote: AA> Sorry if this might sound crazy, but is there anyway to rename root account AA> to something else for extra security? AA> Thank you AA> ___ AA> [EMAIL PROTECTED] mailing list AA> http://lists.freebsd.org/mailman/listinfo/freebsd-questions AA> To unsubscribe, send any mail to AA> "[EMAIL PROTECTED]" That is possible. Create other account, grant him superuser priveleges, and change "root"'s privileges to regular user. -- Best regards, Mania.co.ilmailto:[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
[-- Outlook mutilation of text and top-posting manually fixed. --] On 2004-08-25 19:03, Ara Avvali <[EMAIL PROTECTED]> wrote: > Giorgos Keramidas [mailto:[EMAIL PROTECTED] wrote: > > On 2004-08-25 18:50, Ara Avvali <[EMAIL PROTECTED]> wrote: > > > Sorry if this might sound crazy, but is there anyway to rename > > > root account to something else for extra security? > > > > No. At least, not as far as I know. > > > > Probably because it wouldn't provide any extra security unless you > > tinkered with a hell of a lot of settings; [...] > > What I mean if someone wants to hack to machine or even get physical access > half of the job is done by knowing the root user name. Although windows > security blows but they have this feature renaming administrator user > account name Even if you rename the root user it's easy to find out the names of the privileged accounts on a system by looking at /etc/passwd. The mapping of username/userid is useful for many things besides knowing who the "root" user is though, so it would break a lot of things if you just removed the read permissions of /etc/passwd. For instance, ls(1) would have no way to match the owner of files with a name in filename listings and would produce output like this: $ ls -ln | head -5 total 1804 drwxrwxr-x 2 1001 groupname 512 Aug 23 04:37 CVS drwxrwxr-x 5 1001 groupname 512 Jan 12 2003 GNUstep drwxrwxr-x 4 1001 groupname 512 Dec 26 2003 Mail -rw--- 1 1001 groupname 46340 Aug 26 02:10 Mailbox Not very nice... Other parts of /etc that are now readable and provide potentially harmful information are practically all the files in `/etc'. Instead of hacking the permissions and owner of these files to avoid letting your users read things that they should not be able to read, you might find it more useful and more convenient to use chroot(8) or jail(8) to compartmentalize the system and block the user from accessing the "outter" levels of the installation. > It would be like if you want to go in a street and steal a diamond ring. > First you have to know the lot number of house which has it and second the > key to get in. would make it harder to try every single house Yeah, well. You wouldn't be able to steal the diamond if you were trapped in a single neighborhood and the diamond happened to be in a safe downtown, a few dozen neighborhoods away ;-) > Anyway thank you for fast response You're welcome. - Giorgos ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: Change root user name? possible?
Damn right. Never thought of that -Original Message- From: Lewis Thompson [mailto:[EMAIL PROTECTED] Sent: August 25, 2004 7:25 PM To: Ara Avvali Cc: 'Giorgos Keramidas'; [EMAIL PROTECTED] Subject: Re: Change root user name? possible? On Wed, Aug 25, 2004 at 07:03:10PM -0400, Ara Avvali wrote: > What I mean if someone wants to hack to machine or even get physical access > half of the job is done by knowing the root user name. But they could just look in the passwd file... -lewiz. -- I was so much older then, I'm younger than that now. --Bob Dylan, 1964. -| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
On Wed, Aug 25, 2004 at 07:03:10PM -0400, Ara Avvali wrote: > What I mean if someone wants to hack to machine or even get physical access > half of the job is done by knowing the root user name. But they could just look in the passwd file... -lewiz. -- I was so much older then, I'm younger than that now. --Bob Dylan, 1964. -| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |- pgpmMshBaT4aT.pgp Description: PGP signature
Re: Change root user name? possible?
In the immortal words of Charles Swiger <[EMAIL PROTECTED]>... > Whether this gains you much security is another question entirely, and > you risk breaking single-user mode and various low-level pieces of > software which expect root to exist, but it can be done. I know it can be done, a couple of typos in vipw and I lost the root account, very disconcerting, but single use mode still seemed to work, probably because the toor account was still intact even though it has a password of *. -- Tim Aslat <[EMAIL PROTECTED]> Spyderweb Consulting http://www.spyderweb.com.au Phone: +61 0401088479 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
On Aug 25, 2004, at 6:50 PM, Ara Avvali wrote: Sorry if this might sound crazy, but is there anyway to rename root account to something else for extra security? Why, yes, you can rename root. Use vipw. If you setup sudo properly, you can even run a system without any valid uid=0 users existing at all, although it would be safer to simply give root a password of "*", which disables password-based logins but leaves the account present. Whether this gains you much security is another question entirely, and you risk breaking single-user mode and various low-level pieces of software which expect root to exist, but it can be done. [MacOS X ships without root enabled, for example.] -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: Change root user name? possible?
There are far better and less problematic ways to increase the security of a system. If you haven't already look at man 7 security. Disable SSH root login and turn off telnet to remove the ability of a remote root login at the very least. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ara Avvali Sent: Wednesday, August 25, 2004 4:51 PM To: [EMAIL PROTECTED] Subject: Change root user name? possible? Sorry if this might sound crazy, but is there anyway to rename root account to something else for extra security? Thank you ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: Change root user name? possible?
What I mean if someone wants to hack to machine or even get physical access half of the job is done by knowing the root user name. Although windows security blows but they have this feature renaming administrator user account name It would be like if you want to go in a street and steal a diamond ring. First you have to know the lot number of house which has it and second the key to get in. would make it harder to try every single house Anyway thank you for fast response -Original Message- From: Giorgos Keramidas [mailto:[EMAIL PROTECTED] Sent: August 25, 2004 6:55 PM To: Ara Avvali Cc: [EMAIL PROTECTED] Subject: Re: Change root user name? possible? On 2004-08-25 18:50, Ara Avvali <[EMAIL PROTECTED]> wrote: > Sorry if this might sound crazy, but is there anyway to rename root account > to something else for extra security? No. At least, not as far as I know. Probably because it wouldn't provide any extra security unless you tinkered with a hell of a lot of settings; both in the default, base system and any ports/packages you installed afterwards. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
Hello Ara, Thursday, August 26, 2004, 12:50:46 AM, you wrote: AA> Sorry if this might sound crazy, but is there anyway to rename root account AA> to something else for extra security? AA> Thank you AA> ___ AA> [EMAIL PROTECTED] mailing list AA> http://lists.freebsd.org/mailman/listinfo/freebsd-questions AA> To unsubscribe, send any mail to AA> "[EMAIL PROTECTED]" That is possible. Create other account, grant him superuser priveleges, and change "root"'s privileges to regular user. -- Best regards, Mania.co.ilmailto:[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
On Wed, Aug 25, 2004 at 06:50:46PM -0400, Ara Avvali wrote: > Sorry if this might sound crazy, but is there anyway to rename root account > to something else for extra security? > Thank you I don't think it would increase your security, because any person that has access to your machine could perform `pw usershow -u 0` and get the name of superuser's account. You'd be much better off setting PermitRootLogin to No in sshd_config and using only su everytime you need root privileges. -Radek ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Change root user name? possible?
On 2004-08-25 18:50, Ara Avvali <[EMAIL PROTECTED]> wrote: > Sorry if this might sound crazy, but is there anyway to rename root account > to something else for extra security? No. At least, not as far as I know. Probably because it wouldn't provide any extra security unless you tinkered with a hell of a lot of settings; both in the default, base system and any ports/packages you installed afterwards. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Change root user name? possible?
Sorry if this might sound crazy, but is there anyway to rename root account to something else for extra security? Thank you ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"