Hi everyone,

One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root? I can see how this would be effective against external attackers who have no knowledge of the internals of the system, as they would spend pointless hours trying to crack a user which doesn't exist; however, internal users could always just cat /etc/passwd and see that root has been renamed. So firstly, is this possible, and security-wise is it of any real use? Can anyone think of any apps it would break that assume that the uid 0 user is called root and don't just address the user by its uid?

Thanks,
Craig Edwards

--
WinBot IRC client developer: http://www.winbot.co.uk
ChatSpike - The users network: http://www.chatspike.net
InspIRCd - Modular IRC server: http://www.inspircd.org
Online RPG Developer: http://www.ssod.org
There may be others, but here are 2...

1. It's not a *good* idea because it's security through obscurity. It's not a bad idea on that account, but you should realize the limitations of security through obscurity when using that tactic.

2. It's a *bad* idea because you don't know what things *might* break down the road, even if you did manage to either verify that nothing would break currently if you made the change, or fix everything that would break currently if you made the change.

Also, as you suggest in your question, I believe that most binary executables use "uid 0" vs "root", so changing the name of the account there might be of limited use.

Additionally, with many remote attack types (eg. remote buffer overflows), the attacker does not need to know what access he is trying to get (eg. root or non-root), only what service her/his attack will use as a vector. For example, a remote attacker may not know that sendmail is running as the user "root" or "fakeroot," but neither does the attacker need to know what user sendmail is running as *if s/he is successfully able to execute her/his code* - s/he has gained some sort of access, privileged or otherwise.

On Thu, 3 Mar 2005, Craig Edwards wrote:
> One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root?

/-------------------------------------------------------------------------/
"It was half way to Rivendell when the drugs began to take hold"
--Hunter S Tolkien "Fear and Loathing in Barad Dur"
finger://bigby@ephemeron.org http://www.ephemeron.org/~bigby/
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
This response is a bit off of what you asked, but I will just toss this out there. I generally protect my machines from the root user by utilizing chflags and kernel secure levels. That way, if an attacker were to gain root access they wouldn't be able to change files...

On my firewalls I modify rc.conf to boot to secure level 2, then I lock down /bin /sbin /etc /usr/local/etc with chflags schg while still in secure level 0, then reboot. Upon the restart you have a very secure machine that is protected from the root user. In secure level two, even root cannot change those files flagged immutable. The only way to change those files would be to have physical access to the machine, modify rc.conf in single user mode, reboot, change the flags back from immutable and then modify the files.

That is a bit too secure to be user friendly. I am just a getRdun type of person; you could lock down certain files and leave the five passwd files alone so users could change their passwords, but generally attackers try to add themselves an account right away. What application would you be using the server for? Most H4X0RZ attacks I have seen where they have gained shell access are stumped when it comes to file flags and kernel secure levels.

On Thu, 2005-03-03 at 08:03 +0000, Craig Edwards wrote:
> One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root?
Renaming root is generally a bad idea. What you could do, however, is set a password on (thus enabling) the "toor" account and set root's shell to /sbin/nologin.

Wouter

----- Original Message -----
From: "Craig Edwards" <brain@winbot.co.uk>
To: <freebsd-security@freebsd.org>
Sent: Thursday, March 03, 2005 09:03
Subject: Renaming root account

> One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root?
Enabling "toor" is not very different from renaming the root account; it is worse, because you would then have two "root" (uid 0) accounts.

I don't see any harm in renaming the root account, but I don't think it would do much either. Most processes that use root run with setuid 0, regardless of what's in the passwd file. Even in user land you don't have to know what the root account is named if you use 'su' or 'sudo'. The only case I can envision where it would make a difference is if you have an application which wants to run as a specific (usually unpriv.) user and you set it to use "root", or if you allow "root" logon through ssh (bad idea) or terminal (but if somebody can get that then you are already in trouble).

----
Perfection is just a word I use occasionally with mustard.

Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Wouter
Sent: Thursday, March 03, 2005 1:22 AM
To: freebsd-security@freebsd.org
Subject: Re: Renaming root account

> Renaming root is generally a bad idea, what you could do, however, is set a password on (thus enabling) the "toor" account and set root's shell to /sbin/nologin
>
> Wouter

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
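The uid-versus-name point Atom makes, and Wouter's nologin-shell suggestion, can be checked against a passwd file mechanically. The script below is an added example, not code from this thread or from FreeBSD; both passwd samples are constructed, and the account name "sysadm" is made up.

```python
# Audit passwd(5)-style data: which accounts carry uid 0, whether the name
# "root" still maps to uid 0, and which uid-0 accounts can still log in.

# Constructed samples, not taken from any real host.
# Wouter's layout: root kept but given a nologin shell, toor enabled.
SAMPLE_TOOR = """\
root:*:0:0:Charlie &:/root:/sbin/nologin
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
craig:*:1001:1001:Craig Edwards:/home/craig:/bin/sh
"""
# Craig's proposal: the only uid-0 account renamed ("sysadm" is made up).
SAMPLE_RENAMED = """\
sysadm:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
craig:*:1001:1001:Craig Edwards:/home/craig:/bin/sh
"""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """One dict per well-formed passwd line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        entries.append({"name": parts[0], "uid": int(parts[2]), "shell": parts[6]})
    return entries

def uid0_accounts(entries):
    """Every account that is root in the kernel's eyes, whatever its name."""
    return [e["name"] for e in entries if e["uid"] == 0]

def login_capable_uid0(entries):
    """uid-0 accounts whose shell still permits an interactive login."""
    return [e["name"] for e in entries
            if e["uid"] == 0 and e["shell"] not in NOLOGIN_SHELLS]

def name_check_sees_root(entries, euid=0):
    """The fragile check Craig asks about: is euid the user *called* root?
    The kernel and setuid binaries test euid == 0, so this diverges on rename."""
    return any(e["uid"] == euid and e["name"] == "root" for e in entries)

def audit(text):
    """Summarise one passwd file for the three questions above."""
    entries = parse_passwd(text)
    return {"uid0": uid0_accounts(entries),
            "login_capable_uid0": login_capable_uid0(entries),
            "name_check_sees_root": name_check_sees_root(entries)}
```

Run audit() over a real /etc/passwd to see how many uid-0 logins a host actually has; a second entry in "uid0" is exactly the two-root situation Atom warns about.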