On Tue, 2005-01-18 at 15:05 -0800, Nifty Hat Mitch wrote: > On Tue, Jan 18, 2005 at 03:19:10PM -0600, Rodolfo J. Paiz wrote: > > On Tue, 2005-01-18 at 18:23 +0000, James Wilkinson wrote: > > > You might just want to disable root's login: I haven't tried this (or > > > anything else I'm recommending), but I should imagine that reducing the > > > length of the shadow password in /etc/shadow would mean that no > > > encrypted password would match. That would mean you couldn't log in by > > > password. > > > > The passwd command has a lockout and a disable feature; see the man page > > for details. However, I do not recommend this. Simply eliminate the > > ability to log in remotely as root, and lock the system down properly. > > Spot on. > Renaming 'root' is full of pitfalls. > Software commonly installs files symbolically root:root not 0:0. > Scripts... > /etc/init.d/identd: chown root:root /etc/identd.key > Dozens and dozens of places..... > Sorry Mitch, your interpretation of this is not correct. What you as the user see is root:root. What the system sees is uid:gid, which is, in the case of root 0:0. Chown for example looks at /etc/passwd to get the numeric values to assign. I can create any user I want, with any name I want to use for either user or group. Then go in and change that users uid and gid in the passwd file to 0:0 and now that user can log in and has exactly the same permissions as logging in with root does. (SELinux may have some effects on this, but the standard 'nix security ONLY looks at the numeric uid:gid for permissions) Another way to see that the displayed value (name) is not the actual value stored (numeric) would be to create a new user and specify some arbitrary uid for that user. Log in as the new user so you are sure the system has some files created as that user. Now delete that user (without deleting the users home directory) and go look at the ls -l output of that users directory. What you will see is the numeric uid as owner of the files. Programmers who use the data in the inodes will verify this fact. > > Things do get interesting with SELinux. > > The idea of renaming, slicing and dicing capabilities to improve > security is important and worth working on. Look into the strict > policy design for SELinux. The most current work is on FC3... > > Simply renaming root is security by obscurity. > As Rodolfo said lock the system down properly > no matter what the name of the UID=0 account. > > If you have a test box try it and other stuff to see what breaks. ;=) > > > > -- > T o m M i t c h e l l > spam unwanted email. > SPAM, good eats, and a trademark of Hormel Foods. >