Alternative superuser aside from root


Alternative superuser aside from root

Tito Mari Francis Escano-2
Is it possible to replace root with another username as superuser?
This could make the system very secure because when it comes to
BSD/Unix/Linux, the root is the most coveted user account. That is,
hackers would all be barking up the wrong tree if the real superuser is
actually another username.

I installed and use OpenBSD 3.9 as Internet gateway in our company,
installed it via floppy disk.

If it's possible, can you pls give me pointers how to do it? Thank you
very much!


Re: Alternative superuser aside from root

Rogier Krieger
On 8/8/06, Tito Mari Francis Escaño <[hidden email]> wrote:
> Is it possible to replace root with another username as superuser?

Sure, just change its password entry. That said, I wouldn't recommend
wasting your time on this.


> This could make the system very secure because when it comes to
> BSD/Unix/Linux, the root is the most coveted user account.

No, it wouldn't make your system any more secure than it was before
the change. I recommend you read the archives to see why your
suggestion isn't too worthwhile.

One reason why s/root/anything/ won't help you much is that its UID is
still 0. In other words: you still have an almighty user on the
system.

The concept of usernames is primarily to make things easier for us
humans. Under the hood, things work in terms of (numeric) UIDs/GIDs.
As a hacker, you'd just go for UID 0.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.


Re: Alternative superuser aside from root

Stef K
In reply to this post by Tito Mari Francis Escano-2
Hi,
  It is possible to rename your root account... You have to change
its name in /etc/passwd and maybe change its home directory.

  BUT:

a) some programs may not work properly 'cause they depend on the name
of the super-user account (I can't remember any example right now,
but I'm sure some exist...)

b) This is NOT a security enhancement... The superuser is not
understood by the system by its name, but by its user-id. The
superuser is the account with user-id 0 (zero). When a hacker exploits
a known buffer overflow, what the code does is (try to) change its
user-id to 0. You won't achieve anything by renaming the account...
The quest of a hacker is not towards 'root' account, but towards
user-id zero.

regards,
stef


Re: Alternative superuser aside from root

Lukasz Sztachanski
In reply to this post by Tito Mari Francis Escano-2
On Tue, Aug 08, 2006 at 03:54:45PM +0800, Tito Mari Francis Escaño wrote:

> Is it possible to replace root with another username as superuser?
> This could make the system very secure because when it comes to
> BSD/Unix/Linux, the root is the most coveted user account. That is,
> hackers would all be barking up the wrong tree if the real superuser is
> actually another username.
>
> I installed and use OpenBSD 3.9 as Internet gateway in our company,
> installed it via floppy disk.
>
> If it's possible, can you pls give me pointers how to do it? Thank you
> very much!
>
Yes, it is, but it's pointless. The name doesn't matter too much, unlike the uid.
In the case of, e.g., sshd you can use the PermitRootLogin directive.



                                - Lukasz Sztachanski


--
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://entropy.pl
http://entropy.pl/?blog


Re: Alternative superuser aside from root

Alexander Hall
In reply to this post by Tito Mari Francis Escano-2
Tito Mari Francis Escaño wrote:
> Is it possible to replace root with another username as superuser?
> This could make the system very secure because when it comes to
                              ^^^^^^^^^^^ No.
                                   ^^^^^^ No.
> BSD/Unix/Linux, the root is the most coveted user account. That is,
> hackers would all be barking up the wrong tree if the real superuser is
> actually another username.

Most exploits come from misbehaving programs running as the superuser
(formerly known as "root" :-p ), so the user name is not involved.

Use a good password (if any) for root and possibly disable root login
via ssh, and you're fine.

> I installed and use OpenBSD 3.9 as Internet gateway in our company,
> installed it via floppy disk.
>
> If it's possible, can you pls give me pointers how to do it? Thank you
> very much!

It is. See below. But don't. You'll screw things up. See below.

/Alexander

P.S.
Now look what you made me do!

--
$ sudo chpass root
   <changing name to root1>
$ sudo chpass root1
sudo: no passwd entry for root!
$ sudo <anything>
sudo: no passwd entry for root!
$ su -
su: unknown login root
$ su root1 -
Password:
# chpass root
chpass: unknown user: root
# chpass root1
   <changing name back to root>
# exit
$ sudo chpass root
chpass: no changes made
chpass: /etc/master.passwd: unchanged
--

See? Don't do this! :-(
D.S.
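
Added example, not written by any poster in this thread: the replies' point that privilege follows UID 0 rather than the account name, turned into a small audit in POSIX sh that also reads the global PermitRootLogin value from an sshd_config. The function names and both sample files are constructed for illustration; on a real host, pass /etc/master.passwd (or /etc/passwd) and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Audit superuser exposure by numeric UID, not by login name.

# Print every login name whose UID field is 0 (field 3 in both
# passwd(5) and master.passwd(5) layouts). "00" also counts as 0.
uid0_accounts() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Succeed only if an entry literally named "root" exists. The transcript
# above shows sudo and su failing once that name no longer resolves.
has_root_name() {
    awk -F: '$1 == "root" { f = 1 } END { exit !f }' "$1"
}

# Print the global PermitRootLogin value. sshd uses the first value it
# obtains for a keyword; keywords are case-insensitive; commented-out
# lines do not count. Stops at the first Match block. "unset" means the
# compiled-in default applies, which depends on the OpenSSH version.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

audit() {  # $1 = passwd-format file, $2 = sshd_config
    for name in $(uid0_accounts "$1"); do
        echo "uid0: $name"
    done
    has_root_name "$1" || echo "warn: no entry named root (sudo/su look it up by name)"
    echo "sshd PermitRootLogin: $(permit_root_login "$2")"
}

# --- constructed sample input (not from a real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SSHD="$SAMPLE_DIR/sshd_config"
cat > "$SAMPLE_PASSWD" <<'EOF'
root1:*:0:0:renamed superuser:/root:/bin/ksh
daemon:*:1:1:daemon:/root:/sbin/nologin
toor:*:0:0:second uid 0 account:/root:/bin/sh
tito:*:1000:1000:ordinary user:/home/tito:/bin/ksh
EOF
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
EOF

audit "$SAMPLE_PASSWD" "$SAMPLE_SSHD"
```

The renamed account still shows up in the UID 0 list, and the missing `root` name is reported as a breakage rather than a gain.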