theoretical question - can root's username be changed?

Nix, Robert P. Nix.Robert at mayo.edu
Fri Dec 2 15:16:35 UTC 2005


 

-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com] On Behalf Of Craig White
Sent: Thursday, December 01, 2005 9:36 PM
To: For users of Fedora Core releases
Subject: Re: theoretical question - can root's username be changed?

On Thu, 2005-12-01 at 21:46 -0500, Claude Jones wrote:
> On Thu December 1 2005 9:31 pm, Mike McCarty wrote:
> > Claude Jones wrote:
> > > Subject line says it all...
> ----
> Best to save feeble attempts of security through obscurity for Windows. 
>
> Create another user and you can set that user's uid to 0 if you wish.

Practical experiences:

First, our Unix team maintains uid 0 accounts for all the team members on each Unix / Linux / AIX box we support. Many actions can be taken during system installs or problems via these accounts, and we retain some accountability for who has been on the box touching things. Also, we each have our own password, so if the root password is changed for some reason and we don't all know about it, we can still get in and do some (possibly all) of our work.

Note that having multiple uid 0 users will, in itself, break some things. SuSE's user maintenance program will not tolerate multiple users having the same uid (0 or otherwise). The way we've gotten around that is by using LDAP authentication, and defining the additional uid 0 users in LDAP. This way SuSE's tool does not see the "error".

Some vended products MUST be installed via root (not another uid 0 account). Something in the install checks for root, and aborts the install if using some other userid. Others must run as root.

The su - command is specific to the root userid. You can su to other uid 0 users, but you have to specify the userid to do it. So if you removed root, then you've removed the ability to use the "su -" command.

Last, here's an appeal to any and all vendors / authors of products: Please design your product / application so that it does not need root. Certainly not to run, and preferably not to install. I know that it's tempting to do the install as root, so that you can do everything you need to, without any manual intervention on the part of the installer, but that means that the person doing the install must have root privilege, and we'd prefer to allow the people in charge of the application to be able to do the install. I'm willing to create the userids the app needs, and set up accesses, but I don't want to have to be present for every application install done on my systems. It takes up my time, and is unnecessary, other than the fact that you want to install via root.

-- 
Robert P. Nix		Mayo Foundation
RO-OC-1-13 (new loc)	200 First Street SW
507-284-0844		Rochester, MN 55905
-----
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



