On Thu, 16 Jan 2003, Matthias Riese wrote:
> But even if a public service, for example ssh, is configured not to let "root" login remotely, a security hole may enable an attacker to do so nevertheless. Therefore renaming the "root" login however CAN delay a successful hack, just depending on the kind of security hole. This can give the administrator the time needed to fix the security hole.

Most of the exploits out there don't care how uid 0 is called. The exploits spawn a shell/execute something with the uid under which the exploited program/daemon runs - it doesn't matter if it is called root, superuser or foo. If this is uid 0 the attacker can do what he wants on the system.

The kernel itself has no concept of the names, all it cares about are the numerical user-ids. So the goal has to be to run as much as possible under different uids than 0, and to use services for which no working exploit exists/is known.

I have yet to see a successful attack using the username "root" and the valid password without the admin being a complete moron.

c'ya
sven

--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
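
The point made in the reply, that only the numeric uid matters, as an added audit sketch (not part of the original message): it lists every account mapped to uid 0 whatever its name, and every process whose effective uid is 0. The passwd entries and `/proc/<pid>/status` excerpts are constructed samples in Linux format, and all function names are illustrative.

```python
import glob

# Constructed sample: "root" renamed to "foo", plus a second uid 0 entry.
SAMPLE_PASSWD = """\
foo:x:0:0:renamed superuser:/root:/bin/sh
toor:x:0:0:extra uid 0 account:/root:/bin/sh
sshd:x:74:74:ssh privsep user:/var/empty:/sbin/nologin
www:x:80:80:web server:/var/www:/sbin/nologin
"""

# Constructed /proc/<pid>/status excerpts (Uid: real effective saved fs).
SAMPLE_STATUS = {
    412: "Name:\tsshd\nUid:\t0\t0\t0\t0\n",
    733: "Name:\thttpd\nUid:\t80\t80\t80\t80\n",
    901: "Name:\tsuidtool\nUid:\t1000\t0\t0\t0\n",  # setuid: real 1000, effective 0
}


def uid0_accounts(passwd_text):
    """Return every login name mapped to uid 0, regardless of what it is called."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].strip().isdigit() and int(fields[2]) == 0:
            names.append(fields[0])
    return names


def euid0_processes(status_by_pid):
    """Return (pid, name) for processes whose effective uid is 0."""
    hits = []
    for pid, text in sorted(status_by_pid.items()):
        info = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
        uids = info.get("Uid", "").split()
        if len(uids) >= 2 and uids[1] == "0":
            hits.append((pid, info.get("Name", "?").strip()))
    return hits


def live_status():
    """Collect the same data from a running Linux system (empty elsewhere)."""
    out = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                out[int(path.split("/")[2])] = fh.read()
        except OSError:
            continue  # process exited between glob and open
    return out


if __name__ == "__main__":
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("euid 0 processes:", euid0_processes(SAMPLE_STATUS))
```

On a live host, pass the contents of `/etc/passwd` and the result of `live_status()` instead of the samples; each process reported is a candidate for running under a dedicated non-zero uid.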