
Duplicate root id2

 
Fauziah Mahdan
Super Advisor


Hi all,
I have read the thread on duplicate root IDs at http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=943392
Actually, during 2005 I tried to set my uid=0 and I found the root uid became non-zero, which means the UID is unique. So root is no longer 'root' or a power user. Am I correct?
From the thread, I read that more than one user can share UID=0. Please brief me.
Is there any link or white paper saying that setting any other user to UID=0 is not good practice? I require the info as a supporting document for the Audit Dept.
BTW, I am learning how to use SUDO instead of assigning UID 0 to a non-root user.

Thanks,
Fauziah
James R. Ferguson
Acclaimed Contributor
Solution

Re: Duplicate root id2

Hi Fauziah:

*Absolutely* do *not* create multiple uid=0 users!

By manually editing '/etc/passwd' and changing an account of a name other than "root" to have a uid=0, you clone the 'root' account. Indeed, it is possible to define multiple account names with a 'uid' (user ID) of zero. When done, each of the accounts is a "root" or "superuser".

While this underscores the fact that Unix only "cares" about the 'uid' of a process or file when conferring privilege and that 'uid=0' denotes ultimate privilege, administrators who define multiple uid=0 accounts are creating extremely insecure, unstable systems!

Imagine that you create a second "root" user named "hpitrc" with a uid=0. Now, sometime later when you, or your replacement, decide that this is a dormant account and any files it has should be removed, you do:

# find / -user hpitrc -exec rm -r {} \+

You just destroyed your system! The *name* "hpitrc" maps to a uid=0 which means that every file and every directory owned by 'root' is removed from the system leaving it wholly unusable.

Regards!

...JRF...
Bill Hassell
Honored Contributor

Re: Duplicate root id2

And just to amplify the security aspect of duplicate UID=0 logins, this is one of the first steps that a hacker will take to gain access to your system. The hacker will modify /etc/passwd (much more difficult with a Trusted system) to make a hacked login into a UID=0 user. You can verify that there are no duplicate user IDs of any sort with:

logins -d

Your security audit should require one and only one root user as well as the use of sudo to distribute limited root capabilities to selected users. And no shared logins (multiple users logging in with the same username).


Bill Hassell, sysadmin
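
A portable cross-check for the duplicate-UID audit described in the reply above, as an added example that is not part of the original thread: it parses a passwd-format file with awk, lists any name other than root that maps to UID 0, and lists every UID shared by more than one name. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for cloned superusers and shared UIDs.

# Names of accounts other than "root" whose UID field is 0.
extra_uid0() {
    awk -F: 'NF >= 3 && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Every UID used by more than one name, printed as "uid:name1,name2".
dup_uids() {
    awk -F: '
        NF < 3 || $3 !~ /^[0-9]+$/ { next }
        { u = $3 + 0
          if (u in names) names[u] = names[u] "," $1; else names[u] = $1
          n[u]++ }
        END { for (u in n) if (n[u] > 1) print u ":" names[u] }
    ' "${1:-/etc/passwd}" | sort -t: -k1,1n
}

# Report findings; exit status 1 if any, so it can gate a cron job or audit run.
audit_passwd() {
    _rc=0
    _extra=$(extra_uid0 "$1")
    _dups=$(dup_uids "$1")
    if [ -n "$_extra" ]; then
        echo "non-root accounts with uid=0:" $_extra
        _rc=1
    fi
    if [ -n "$_dups" ]; then
        echo "UIDs shared by several names:" $_dups
        _rc=1
    fi
    return "$_rc"
}

# Constructed sample: "hpitrc" is the cloned root account from the thread,
# alice/bob share a non-zero UID. Not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
hpitrc:x:0:20::/home/hpitrc:/usr/bin/sh
alice:x:101:20::/home/alice:/usr/bin/sh
bob:x:101:20::/home/bob:/usr/bin/sh
EOF
}

# Demo run on the sample; point audit_passwd at /etc/passwd for a real check.
_tmp=$(mktemp) && sample_passwd > "$_tmp" && { audit_passwd "$_tmp" || true; }
rm -f "$_tmp"
```
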
John Collier
Esteemed Contributor

Re: Duplicate root id2

I asked a question about this same subject long ago (just over 4 years ago to be exact) and the responses I got were very useful to me.

You may want to check out the old thread here:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=74854

I was involved in another thread on the same subject later that year that looks like it may have been added on to the end of mine when they did some database consolidations in HP a few years later. That thread is here:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=57432
Just to let you see where the two of them were blended and to give you the full flow and make some of the comments less confusing.

The bottom line seems to be that YES it can be done, but NO it SHOULD NOT be done.

I have started to use SUDO on my home Linux network pretty much exclusively since all of this was laid out for me. It may be a bit confusing at first, but the more you look into it and use it, the easier it becomes to grasp.

Best of luck to you and I hope it all goes well for you.
"I expect to pass through this world but once. Any good, therefore, that I can do, or any kindness that I can show to any human being, let me do it now. Let me not defer or neglect it, for I shall not pass this way again." Stephen Krebbet, 1793-1855