Re: theoretical question - can root's username be changed?


 



Nix, Robert P. wrote:
-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Craig White
Sent: Thursday, December 01, 2005 9:36 PM
To: For users of Fedora Core releases
Subject: Re: theoretical question - can root's username be changed?

On Thu, 2005-12-01 at 21:46 -0500, Claude Jones wrote:

On Thu December 1 2005 9:31 pm, Mike McCarty wrote:

Claude Jones wrote:

Subject line says it all...

----
Best to save feeble attempts of security through obscurity for Windows.
Create another user and you can set that user's uid to 0 if you wish.


Practical experiences:

First, our Unix team maintains uid 0 accounts for all the team
members

PLEASE hit return!

on each Unix / Linux / AIX box we support. Many actions can be taken
during system installs or problems via these accounts, and we retain
some accountability for who has been on the box touching things. Also,
we each have our own password, so if the root password is changed for
some reason and we don't all know about it, we can still get in and do
some (possibly all) of our work.

Note that having multiple uid 0 users will, in itself, break some
things. SuSE's user maintenance program will not tolerate multiple users
having the same uid (0 or otherwise). The way we've gotten around that
is by using LDAP authentication, and defining the additional uid 0 users
in LDAP. This way SuSE's tool does not see the "error".

Well, that seems to be SuSE specific. What breaks with Fedora?


Some vended products MUST be installed via root (not another uid 0
account). Something in the install checks for root, and aborts the
install if using some other userid. Others must run as root.

Examples?

The su - command is specific to the root userid. You can su to other
uid 0 users, but you have to specify the userid to do it. So if you
removed root, then you've removed the ability to use the "su -" command.

This looks like a rather weak argument.

Last, here's an appeal to any and all vendors / authors of products:
Please design your product / application so that it does not need root.
Certainly not to run, and preferably not to install. I know that it's

One problem with this is that then one has to have a special
user for installs who owns /usr/local and /usr/var and maybe
other places *special* to the app, for otherwise an ordinary
user could accidentally clobber the installed software. So the
installer would have to know in advance to set up these directories
with the appropriate ownership. And, the software would need to
know the UID to do a suid to in order to administer its own
special files.

These are not insurmountable, but they are objections.

tempting to do the install as root, so that you can do everything you
need to, without any manual intervention on the part of the installer,
but that means that the person doing the install must have root
privilege, and we'd prefer to allow the people in charge of the
application be able to do the install. I'm willing to create the userids
the app needs, and set up accesses, but I don't want to have to be
present for every application install done on my systems. It takes up my
time, and is unnecessary, other than the fact that you want to install
via root.

As I mentioned, it also requires the app to know the UID, and
any changes to the UID require a reconfiguration of all the apps.

You'd need a *real* user named "games", and "include" and so on.
(Or at least "install".) If you have different "owners" for the
different applications, then what happens when two different
apps want to manage different aspects of the same file?

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

