On Thu, 2005-01-12 at 23:16 -0500, Claude Jones wrote: > On Thu December 1 2005 10:36 pm, Craig White wrote: > > Best to save feeble attempts of security through obscurity for Windows. > > I'm trying to get at a deeper understanding of the thinking that underlies > Linux architecture - that's really the motivation of this thread. Your > rhetoric, while it may be true, doesn't help. Why the word 'feeble'? If > everyone in the Linux world knows that the chance is good that there is a > user called 'root' on any given Linux box, and that user has nearly > unrestrained privileges, why would it be feeble to double the guessing that > must go on to get at root's privileges, by changing his username. What is the > advantage of every Linux system having this same user, 'root'? I make it a > point when securing a Windows server of always deleting the administrator > account and creating a new account with membership in administrators for > administration purposes. Why is that concept flawed, or feeble, as you put > it? It pretty much goes downhill from there with Windows, but, I see nothing > wrong with that particular feature. Ick... the "W" word. ;-) I do not disagree that root should be able to be changed to whatever the system administrator wants it to be. Many people fear change, and root has been a de facto standard literally for generations now, so the : "If it was good enough for my grampa it's good enough for me." Will persist in infiltrating this topic. Derogatory comments should generally be ignored, they are usually themselves flawed and feeble responses. But the flawed and feeble comment may have a little merit since the UID=0 is the "root" user and the UID is a more important security concern that the username, and that is where SELinux steps in. Using SELinux even UID=0 may be restricted. One of the things I have learnt over the last two decades administrating Unix and Linux systems, is that sometimes there can be such a thing as too much security. I have had intel based pc systems that were hardened so much that even with physical access to the system it took a drill to remove the case locking mechanism in order to access the motherboard to erase the bios password before being able to boot with a recovery disk. Once the recovery disk was loaded I was able to change the "admin" users password to gain access to the system, after the customer "lost" the password, when an employee left. On that system I had disabled root from being able to be logged in from all tty's and the console, only the "admin" user was able to log in from the console. That customer opted for less security on the next system. If you want that kind of security, get a good steel case and check out the Bastille Linux project.