Re: theoretical question - can root's username be changed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2005-01-12 at 23:16 -0500, Claude Jones wrote:
> On Thu December 1 2005 10:36 pm, Craig White wrote:
> > Best to save feeble attempts of security through obscurity for Windows.
> 
> I'm trying to get at a deeper understanding of the thinking that underlies 
> Linux architecture - that's really the motivation of this thread. Your 
> rhetoric, while it may be true, doesn't help. Why the word 'feeble'?  If 
> everyone in the Linux world knows that the chance is good that there is a 
> user called 'root' on any given Linux box, and that user has nearly 
> unrestrained privileges, why would it be feeble to double the guessing that 
> must go on to get at root's privileges, by changing his username. What is the 
> advantage of every Linux system having this same user, 'root'? I make it a 
> point when securing a Windows server of always deleting the administrator 
> account and creating a new account with membership in administrators for 
> administration purposes. Why is that concept flawed, or feeble, as you put 
> it? It pretty much goes downhill from there with Windows, but, I see nothing 
> wrong with that particular feature. 

Ick... the "W" word. ;-)

I do not disagree that root should be able to be changed to 
whatever the system administrator wants it to be. Many 
people fear change, and root has been a de facto standard 
literally for generations now, so the :
"If it was good enough for my grampa it's good enough for me."
Will persist in infiltrating this topic.

Derogatory comments should generally be ignored, they are 
usually themselves flawed and feeble responses. But the 
flawed and feeble comment may have a little merit since 
the UID=0 is the "root" user and the UID is a more 
important security concern that the username, and that is 
where SELinux steps in. Using SELinux even UID=0 may be 
restricted.

One of the things I have learnt over the last two decades 
administrating Unix and Linux systems, is that sometimes 
there can be such a thing as too much security. I have 
had intel based pc systems that were hardened so much that 
even with physical access to the system it took a drill 
to remove the case locking mechanism in order to access 
the motherboard to erase the bios password before being able 
to boot with a recovery disk. Once the recovery disk was 
loaded I was able to change the "admin" users password to 
gain access to the system, after the customer "lost" the 
password, when an employee left. On that system I had 
disabled root from being able to be logged in from all tty's 
and the console, only the "admin" user was able to log in 
from the console. That customer opted for less security on 
the next system.

If you want that kind of security, get a good steel case 
and check out the Bastille Linux project.



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux