Operating System - HP-UX

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

 
jsihp
Occasional Advisor

White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

Is there a White Paper authorized by HP about renaming the root account in HP-UX 11i v1, v2, v3?

 

 

P.S. This thread has been moved from HP-UX > White Papers to HP-UX > Security - HP Forums Moderator

Torsten.
Acclaimed Contributor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

You can configure your system to prevent root from logging on, so you can only "su" to root.

 

This should be safe enough.

 

IMHO you should not rename root at all.


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

jsihp
Occasional Advisor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

I do not want to do it, but I'm looking for any arguments why not to do it.

Patrick Wallek
Honored Contributor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

There are some of the start/stop scripts in /sbin/init.d that look for the 'root' user name rather than the UID of 0 (which is what actually denotes "super user"). 

 

These could potentially be "fixed", but any time a new product is installed or something is patched that may add/modify a script in that directory, you will have to be sure to check it.

 

As a quick test on your system do:

 

# cd /sbin/init.d

# grep root *

 

and look at the results.  On my server there are some 'ps' commands that reference root, some 'su' commands and some chown commands.  These would all fail if the 'root'  name was changed.

 

I do not know about other commands on the system.  It is possible that some 'root only' commands would fail as well if they are checking for the root user name rather than the UID of 0.

 

I personally don't think this is worth the potential risk.


Bill Hassell
Honored Contributor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

White papers (or other 'official' documents)?  No, there aren't any, just as there aren't any stating that removing all the files with rm -rf * is "not supported". The name root has been the standard for 40 years and while it is bad programming practice to hard-code root into programs and scripts, it is nevertheless done all the time. So if you want to spend days and days troubleshooting Oracle, Sybase, Informix, CA subsystems, Apache, Tomcat, Java code, etc, only to find that it cannot be fixed due to the lack of a user named 'root', go ahead and change it.

 

As mentioned, root (like all Unix usernames) is simply an alias to the user ID of 0 (zero).  The proper way to code for a root user is to check for the UID, as in: id -u, but since you can't control poor programming techniques, renaming root (more accurately, aliasing UID to something else) guarantees failure after failure, if not now, soon.

 

The easy answer to an auditor's demand that you change root to xyzzy or something else, is to have them sign a paper stating that they will be financially liable for all damages and loss of business due to their recommendation. That usually makes the 'finding' go away very quickly.

 



Bill Hassell, sysadmin
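
Added example, not part of any poster's reply: a more structured version of the `grep root *` check suggested above that skips comment lines and labels each hit, together with the `id -u` test described in the post above. The two scripts written by `make_sample`, their paths, and the `kind` labels (a heuristic) are constructed for illustration.

```sh
#!/bin/sh
# Added example; the sample scripts below are constructed, not from a real system.

# UID-based test: true only for UID 0, whatever name the passwd entry carries.
is_superuser() { [ "$(id -u)" -eq 0 ]; }

# audit_root_name DIR: print "file:line:kind" for every non-comment line
# that uses the literal word "root". "kind" is a heuristic guess at the use.
audit_root_name() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -n -E '(^|[^[:alnum:]_])root([^[:alnum:]_]|$)' "$f" |
        grep -v -E '^[0-9]+:[[:space:]]*#' |
        while IFS=: read -r lineno text; do
            case $text in
                *chown*)            kind=chown ;;
                *"su "*)            kind=su ;;
                *"ps "*)            kind=ps ;;
                *LOGNAME*|*whoami*) kind=name-test ;;
                *)                  kind=other ;;
            esac
            printf '%s:%s:%s\n' "${f##*/}" "$lineno" "$kind"
        done
    done
}

# make_sample DIR: write two constructed start/stop scripts for the demo.
make_sample() {
    cat > "$1/app" <<'EOF'
#!/sbin/sh
ps -u root | grep -q mydaemon
su root -c /opt/app/bin/start
[ "$(id -u)" -eq 0 ] || exit 1
EOF
    cat > "$1/cron" <<'EOF'
#!/sbin/sh
# start cron as root
if [ "$LOGNAME" != root ]; then exit 1; fi
chown root:sys /var/adm/cron/log
EOF
}

# Demo on the constructed samples; on a real system pass /sbin/init.d instead.
demo=${TMPDIR:-/tmp}/rootaudit.$$
mkdir "$demo" && { make_sample "$demo"; audit_root_name "$demo"; rm -rf "$demo"; }
```

The UID test on line 4 of the `app` sample is not reported, because it does not depend on the account name.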
jsihp
Occasional Advisor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

Thank you very much for all the arguments, but not enough.


How would you answer the following questions:


1. How much time do you need to change the name "root" account.


2. Brief description of the change of the name "root" account, What can be done in the system or application files to maintain system operation.(Oracle 11g, SAP R/3 Enterprise, Wall Street Finance, Tomcat, Java, ...)


3. What are the risks to the operation of the system when changing the name of the "root" account.

 

Best Regards

Dennis Handly
Acclaimed Contributor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

>1. How much time do you need to change the name "root" account.

 

Time for who to do what?  If you are asking HP, this isn't the place for it.  You need to contact the HPSC:

http://www.hp.com/go/hpsc


>2. Brief description of the change of the name "root" account, What can be done in the system or application files to maintain system operation.

 

You mean to support changing the name of root?  They need to be changed to use UID 0 vs "root".


>3. What are the risks to the operation of the system when changing the name of the "root" account.

 

Some things don't work, as mentioned in previous posts.

Bill Hassell
Honored Contributor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

1. How much time do you need to change the name "root" account.

 

Perhaps 5 seconds to edit the passwd file, maybe 30 seconds if you run SAM to change the user name. But you should not be changing the root user name if you did not know this.

 


2. Brief description of the change of the name "root" account, What can be done in the system or application files to maintain system operation.(Oracle 11g, SAP R/3 Enterprise, Wall Street Finance, Tomcat, Java, ...)

 

Tell your management that you will need thousands of dollars of consulting for all the applications that must be researched by the manufacturer (Oracle, SAP, etc) and create a custom package just for you. And those applications will require a special support contract because patching and version changes may break the custom changes.

 


3. What are the risks to the operation of the system when changing the name of the "root" account.


All the risks that have been mentioned before plus all the risks for patches and new applications in the future. If this system is just a test or toy computer, go ahead and make the change. But if this is production, I would not accept any responsibility to keep it working as long as the root username has been modified. There are just too many other things that need attention when managing a production server -- you don't need an unsupported change by a misguided auditor to foul up the computer.



Bill Hassell, sysadmin
jsihp
Occasional Advisor

Re: White Paper authorized HP about renaming the root account in HP-UX 11i v1, v2, v3

Sorry, maybe I was not exact. Of course, when you use the command line "/usr/sbin/usermod -F -l h2s04 root", it will be even faster (the command changes both the passwd and shadow files at the same time), but to me it is also about the time for related changes, such as scripts, ...