HPE Community
Operating System - HP-UX
1754014 Members
6840 Online
108811 Solutions
New Discussion юеВ

Re: Renaming root account...

 
SOLVED
Go to solution
Paul F. Bennett
Advisor

тАО08-06-2007 06:37 AM

тАО08-06-2007 06:37 AM

Renaming root account...

Our security group would like use to rename our HPUX systems root account (username), I donтАЩt think this is possible but if I create another account with full-root privileges and disable the root what type of problem will/may I encounter?
0 Kudos
Reply
6 REPLIES 6
Pete Randall
Outstanding Contributor

тАО08-06-2007 06:44 AM

тАО08-06-2007 06:44 AM

Solution

Re: Renaming root account...

Larry, Curly and Moe can all be root equivalents, simply by assigning them uid zero. However, this is something that is usually frowned by security folks because you will have no chance of auditing who did what to your system.

I also would not want to remove the root account itself. How would you reboot into single user mode to fix a problem if there was no root account?


Pete

Pete
Reply
James R. Ferguson
Acclaimed Contributor

тАО08-06-2007 06:45 AM

тАО08-06-2007 06:45 AM

Re: Renaming root account...

Hi Paul:

Don't. While privilege is conferred when the 'uid' (or 'euid') is zero, the name 'root' is also commonly evaluated in code.

Regards!

...JRF...
Reply
James R. Ferguson
Acclaimed Contributor

тАО08-06-2007 06:50 AM

тАО08-06-2007 06:50 AM

Re: Renaming root account...

Hi (again) Paul:

...AND...if you create other accounts with a uid=0 and you or someone will one day forget what they are and do something stupid (!) like:

# find / -user something -exec rm -rf {} +

...NOW consider that UNIX knows the account "something" only by number, and the number was ZERO (0) just as if you typed "root" in lieu of the account "something". A dead server is what you would have.

Regards!

...JRF...
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО08-06-2007 06:53 AM

тАО08-06-2007 06:53 AM

Re: Renaming root account...

Your security group is populated with Windows experts; any user with a UID of zero (and there can be n) will have super-user status. However, many, many scripts and applications actually look for "root" so I can almost guarantee a partially broken box if you change "root" to "toor". Now it is possible to have a system where no one knows the root password (it can even be changed randomly every hour or so) and yet have root access for those who should have it. That is a perfect use of sudo.
If it ain't broke, I can fix that.
Reply
DCE
Honored Contributor

тАО08-06-2007 06:55 AM

тАО08-06-2007 06:55 AM

Re: Renaming root account...



Rather than disable root, restrict it to console only, and install sudo for those people who need root level access - that way you at least have an audit trail
0 Kudos
Reply
Anshumali
Esteemed Contributor

тАО08-06-2007 07:43 PM

тАО08-06-2007 07:43 PM

Re: Renaming root account...

Agreed with Clay. In windows, renaming a Administrator( read root ) account doesnt cause much trouble and your security auditors might be having the same idea here. Root account renaming and even shell changes may be serious issues on the server.
Having another people as UID 0 is dangerous and should be avoided.
Root access can be restriced to console using /etc/securetty and i hope even IP restrictions can be placed for root logins using SSH.
If you need to grant other user as root privileges, you may use sticky bits(think always twice), sam -r (If the user work is possible with SAM kind of menus.)
and the best will be sudo ( You will know what is configured and a logging will be available) but in no case....... UID 0 should be duplicated.............


Dreams are not which you see while sleeping, Dreams are which doesnt allow you to sleep while you are chasing for them!!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.