theoretical question - can root's username be changed?
Guy Fraser
guy at incentre.net
Fri Dec 2 16:58:47 UTC 2005
On Thu, 2005-01-12 at 23:16 -0500, Claude Jones wrote:
> On Thu December 1 2005 10:36 pm, Craig White wrote:
> > Best to save feeble attempts of security through obscurity for Windows.
>
> I'm trying to get at a deeper understanding of the thinking that underlies
> Linux architecture - that's really the motivation of this thread. Your
> rhetoric, while it may be true, doesn't help. Why the word 'feeble'? If
> everyone in the Linux world knows that the chance is good that there is a
> user called 'root' on any given Linux box, and that user has nearly
> unrestrained privileges, why would it be feeble to double the guessing that
> must go on to get at root's privileges, by changing his username. What is the
> advantage of every Linux system having this same user, 'root'? I make it a
> point when securing a Windows server of always deleting the administrator
> account and creating a new account with membership in administrators for
> administration purposes. Why is that concept flawed, or feeble, as you put
> it? It pretty much goes downhill from there with Windows, but, I see nothing
> wrong with that particular feature.

Ick... the "W" word. ;-)

I do not disagree that root should be able to be changed to
whatever the system administrator wants it to be. Many
people fear change, and root has been a de facto standard
literally for generations now, so the
"If it was good enough for my grampa it's good enough for me."
will persist in infiltrating this topic.

Derogatory comments should generally be ignored; they are
usually themselves flawed and feeble responses. But the
flawed and feeble comment may have a little merit since
the UID=0 is the "root" user and the UID is a more
important security concern than the username, and that is
where SELinux steps in. Using SELinux even UID=0 may be
restricted.

One of the things I have learnt over the last two decades
administrating Unix and Linux systems, is that sometimes
there can be such a thing as too much security. I have
had Intel based PC systems that were hardened so much that
even with physical access to the system it took a drill
to remove the case locking mechanism in order to access
the motherboard to erase the BIOS password before being able
to boot with a recovery disk. Once the recovery disk was
loaded I was able to change the "admin" user's password to
gain access to the system, after the customer "lost" the
password, when an employee left. On that system I had
disabled root from being able to be logged in from all ttys
and the console, only the "admin" user was able to log in
from the console. That customer opted for less security on
the next system.

If you want that kind of security, get a good steel case
and check out the Bastille Linux project.
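
The point made in this message, that UID 0 rather than the name "root" is what carries privilege, shown as an added example that is not part of the original post: a shell audit that lists every UID-0 account in a passwd-format file. The sample entries (sysop, toor, alice) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file by numeric UID, not by login name.

# write_sample FILE -> constructed test data: the superuser renamed to
# "sysop", a second UID-0 account "toor", and an unprivileged "root".
write_sample() {
    cat > "$1" <<'EOF'
sysop:x:0:0:renamed superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment line
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1000:1000:regular user:/home/alice:/bin/bash
root:x:1001:1001:unprivileged account named root:/home/root:/bin/bash
EOF
}

# uid0_accounts FILE -> one login name per line for each entry whose UID is 0
uid0_accounts() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        NF >= 7 && $3 ~ /^0+$/ { print $1 }   # field 3 is the numeric UID
    ' "$1"
}

# audit_uid0 FILE -> prints the UID-0 accounts; exit status 0 only when
# exactly one exists (extra ones are superusers under another name).
audit_uid0() {
    names=$(uid0_accounts "$1")
    set -- $names          # one positional parameter per UID-0 account
    echo "UID-0 accounts ($#): $*"
    [ "$#" -eq 1 ]
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
audit_uid0 "$sample" || echo "review needed: expected exactly one UID-0 account"
rm -f "$sample"
```

On a live system the same functions can be pointed at `/etc/passwd`; the account named "root" in the sample is not reported because its UID is 1001.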