RE: Renaming root account

From: Atom Powers (APowers_at_PyramidBrew.com)
Date: 03/03/05

    Date: Thu, 3 Mar 2005 09:12:38 -0800
    To: "Wouter" <wouter@spierenburg.net>, <freebsd-security@freebsd.org>
    
    

     
    Enabling "toor" is not very different from renaming the root account, worse
    because you would then have two "root" (uid 0) accounts.
    I don't see any harm in renaming the root account, but I don't think it would
    do much either. Most processes that use root run with setuid 0, regardless of
    what's in the passwd file. Even in user land you don't have to know what the
    root account is named if you use 'su' or 'sudo'.
    The only case I can envision where it would make a difference is if you have
    an application which wants to run as a specific (usually unpriv.) user and
    you set it to use "root", or if you allow "root" logon through ssh (bad idea)
    or terminal (but if somebody can get that then you are already in trouble).

    ----
    Perfection is just a word I use occasionally with mustard.
    Atom Powers
    Systems Administrator
    Pyramid Breweries Inc.
    206.682.8322 x251

    -----Original Message-----
    From: owner-freebsd-security@freebsd.org
    [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Wouter
    Sent: Thursday, March 03, 2005 1:22 AM
    To: freebsd-security@freebsd.org
    Subject: Re: Renaming root account

    Renaming root is generally a bad idea; what you could do, however, is set a
    password on (thus enabling) the "toor" account and set root's shell to
    /sbin/nologin.

    Wouter

    ----- Original Message -----
    From: "Craig Edwards" <brain@winbot.co.uk>
    To: <freebsd-security@freebsd.org>
    Sent: Thursday, March 03, 2005 09:03
    Subject: Renaming root account

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Hi everyone,
    >
    > One quick question: Is it safe and/or sensible to rename the root
    > account, so that the only uid 0 user on a system is something different
    > to root? I can see how this would be effective against external
    > attackers who have no knowledge of the internals of the system as they
    > would spend pointless hours trying to crack a user which doesn't exist,
    > however to internal users they could always just cat /etc/passwd and see
    > that root has been renamed. So firstly, is this possible, and security
    > wise is it of any real use? Can anyone think of any apps it would break
    > that assume that the uid 0 user is called root and don't just address
    > the user by its uid?
    >
    > Thanks,
    > Craig Edwards
    >
    > - --
    > WinBot IRC client developer: http://www.winbot.co.uk
    > ChatSpike - The users network: http://www.chatspike.net
    > InspIRCd - Modular IRC server: http://www.inspircd.org
    > Online RPG Developer: http://www.ssod.org
    > - --
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.5 (MingW32)
    >
    > iD8DBQFCJsTf0k42Wxli/BARAp2DAJ9dp1eu2IL41pfp/4ZFp9kS2KuMdgCeI20k
    > w1Jt+uriEmWM+wmhEFxH+vw=
    > =vGhO
    > -----END PGP SIGNATURE-----
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >
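The thread turns on how many uid 0 entries exist and which of them can still log in, whatever they are named. The following audit is an added example, not code from any poster in the thread; the function names and the sample passwd content are constructed for illustration, and the sample mirrors the setup Wouter describes (root set to /sbin/nologin, toor with a real shell).

```shell
#!/bin/sh
# Audit a passwd(5)-format file for uid 0 accounts, regardless of their names.
# Only the shell field is checked here; on FreeBSD the password hashes live in
# /etc/master.passwd, which this example does not read.

# Print one line per uid 0 account: "<name> <shell> <login|nologin>"
uid0_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and malformed lines
        $3 == 0 {
            shell = ($7 == "") ? "/bin/sh" : $7 # empty shell field means /bin/sh
            state = (shell ~ /\/(nologin|false)$/) ? "nologin" : "login"
            print $1, shell, state
        }' "$1"
}

# Number of uid 0 accounts that still have an interactive shell.
uid0_login_count() {
    uid0_accounts "$1" | awk '$3 == "login" { n++ } END { print n + 0 }'
}

# Names of uid 0 accounts that are not called "root" (renamed or extra entries).
uid0_not_named_root() {
    uid0_accounts "$1" | awk '$1 != "root" { print $1 }'
}

# Constructed sample input (hypothetical host, not taken from the thread).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not from a real host
root:*:0:0:Charlie &:/root:/sbin/nologin
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF

uid0_accounts "$SAMPLE"
echo "uid 0 accounts with a login shell: $(uid0_login_count "$SAMPLE")"
echo "uid 0 accounts not named root: $(uid0_not_named_root "$SAMPLE")"
```

Pointing the functions at /etc/passwd on a live host gives the same report; any name other than the expected one in the second list is worth reviewing.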
    
