On Tue, Jan 18, 2005 at 03:19:10PM -0600, Rodolfo J. Paiz wrote:
> On Tue, 2005-01-18 at 18:23 +0000, James Wilkinson wrote:
> > You might just want to disable root's login: I haven't tried this (or
> > anything else I'm recommending), but I should imagine that reducing the
> > length of the shadow password in /etc/shadow would mean that no
> > encrypted password would match. That would mean you couldn't log in by
> > password.
>
> The passwd command has a lockout and a disable feature; see the man page
> for details. However, I do not recommend this. Simply eliminate the
> ability to log in remotely as root, and lock the system down properly.

Spot on.

Renaming 'root' is full of pitfalls. Software commonly installs files
symbolically root:root not 0:0. Scripts...

/etc/init.d/identd: chown root:root /etc/identd.key

Dozens and dozens of places.....

Things do get interesting with SELinux. The idea of renaming, slicing
and dicing capabilities to improve security is important and worth
working on. Look into the strict policy design for SELinux. The most
current work is on FC3...

Simply renaming root is security by obscurity. As Rodolfo said, lock
the system down properly no matter what the name of the UID=0 account.

If you have a test box try it and other stuff to see what breaks. ;=)

--
T o m M i t c h e l l
spam unwanted email.
SPAM, good eats, and a trademark of Hormel Foods.
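An added illustration, not part of the original message: a small shell audit that lists scripts referring to the superuser by the name `root` rather than by UID/GID 0, which is the kind of breakage the message describes. The function names and the sample tree are hypothetical and constructed for this example; on a test box the function would be pointed at a directory such as `/etc/init.d`.

```shell
#!/bin/sh
# Added example: find ownership commands that name "root" symbolically.
# These are the lines that stop working if the UID 0 account is renamed.

# find_named_root DIR
# Prints "file:line:text" for each chown/chgrp/install invocation under DIR
# that refers to root by name. Numeric forms such as "chown 0:0" are ignored.
find_named_root() {
    grep -rnE \
        -e '(chown|chgrp)[[:space:]]+(-[A-Za-z]+[[:space:]]+)*root([:.][A-Za-z0-9_-]*)?[[:space:]]' \
        -e 'install[[:space:]].*-[og][[:space:]]*root([[:space:]]|$)' \
        "$1" 2>/dev/null
}

# count_named_root DIR
# Prints the number of matching lines found by find_named_root.
count_named_root() {
    find_named_root "$1" | wc -l | tr -d ' '
}

# make_sample_tree
# Builds a constructed directory of sample scripts and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    # Mirrors the line quoted in the message.
    cat > "$d/identd" <<'EOF'
#!/bin/sh
chown root:root /etc/identd.key
EOF
    # Numeric ownership: survives a rename, so it must not be reported.
    cat > "$d/numeric" <<'EOF'
#!/bin/sh
chown 0:0 /etc/example.key
EOF
    # Constructed installer line that also names root.
    cat > "$d/installer" <<'EOF'
install -o root -g root -m 0600 example.conf /etc/example.conf
EOF
    echo "$d"
}

# Stand-alone use: sh audit.sh /etc/init.d
if [ $# -gt 0 ]; then
    find_named_root "$1"
fi
```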