I was wondering if there is a way to create another root user account, say root2. Is this possible?? Thanx.

Use:
a) ssh keys, and let the other users log in using them
b) sudo

Although it IS possible to add another user with UID 0, it is not recommended to do so for several reasons (and currently I'm too stupid to name one ... shame on me ;)

Markus
--
Markus Gaugusch, markus@gaugusch.at (ASCII Ribbon Campaign against HTML mail)
[Markus Gaugusch]
Although it IS possible to add another user with UID 0, it is not recommended to do so for several reasons (and currently I'm too stupid to name one ... shame on me ;)

I once used to have a `root' and a `root2', both having uid 0 in `/etc/passwd', and I used this for quite a while, and do not remember any adverse effect. Oh, maybe that with `ls', `root2'-created files will appear as owned by `root', but this never bothered me.

So if someone was recommending me not to do so, I would be tempted to ask for some explicit, convincing justification.

P.S. - `fou4s' has always been a little wonder. Thanks for it! :-)

--
François Pinard http://www.iro.umontreal.ca/~pinard
I once read security articles which RECOMMENDED doing this. If you create a second root account (plz name it something unusual, NOT root2 ;-) and use this one yourself, you can disallow 'normal root access' on services to prevent security leaks. Also, IF someone gets through, you will notice immediately in your logging...

--
Steef de Bruijn =-->> Against HTML in e-mail and news

Francois Pinard wrote a long time ago...
On 9 Jul 2003, Francois Pinard wrote:
[Markus Gaugusch]
Although it IS possible to add another user with UID 0, it is not recommended to do so for several reasons (and currently I'm too stupid to name one ... shame on me ;)
I once used to have a `root' and a `root2', both having uid 0 in `/etc/passwd', and I used this for quite a while, and do not remember any adverse effect. Oh, maybe that with `ls', `root2' created files will appear as owned by `root', but this never bothered me.
So if someone was recommending me not to do so, I would be tempted to ask for some explicit, convincing justification.
This is not a recommendation in any direction, only a side note: I created such secondary root accounts so that while I as admin can use one root password only known to and memorizable by me, the main users of the PCs can still get root privileges with their own 'local' root password. The only drawback is that 'passwd' from localroot changes the password of root, not localroot... (and believe me, people do such things)

Ciao,
Roland

TU Muenchen, Physik-Department E18, James-Franck-Str., 85747 Garching
Room 3558, Phone 089/289-12592
"If you think NT is the answer, you didn't understand the question." - Paul Stephens
* Francois Pinard wrote on Wed, Jul 09, 2003 at 10:03 -0400:
I once used to have a `root' and a `root2', both having uid 0 in `/etc/passwd', and I used this for quite a while, and do not remember any adverse effect.
What does this help? It would be interesting to know "what root" e.g. changed or created a file, but as you stated, this is not possible this way. I think this may introduce some confusion (without any positive effect I can see) - which I would not recommend. Maybe this is a reason: KISS (keep it simple, stupid) is a little violated by such a configuration (which I would call uncommon and misleading, maybe).

If you want to have multiple people access this account, a shared password should be OK, because root can easily install local password sniffing by replacing /bin/login or something. Even strace should be sufficient for this. In this case SSH keys help, because even root cannot compromise the secret key of the connecting client AFAIK.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
Simple solution.

echo "root2::0:0:inetd:/home/dir:/bin/bash" >> /etc/passwd
passwd root2

and set the password

On Wednesday 09 July 2003 14:13, Steffen Dettmer wrote:
Gargl, and thou have the root2 password key world-readable. Sit down and think about simple solutions. ;-((

Dirk

Adam Schmidt wrote:

Simple solution.

echo "root2::0:0:inetd:/home/dir:/bin/bash" >> /etc/passwd
passwd root2

and set the password
[Steffen Dettmer]
* Francois Pinard wrote on Wed, Jul 09, 2003 at 10:03 -0400:
I once used to have a `root' and a `root2', both having uid 0 in `/etc/passwd', and I used this for quite a while, and do not remember any adverse effect.
What does this help?
Someone wrote that this was not to be recommended, yet without giving real reasons against it. I just wanted to say that any recommendation should be backed by some justification. In my case, I had good reasons to use `root' and `root2', and saw nothing wrong with it for the time I needed it. So far in this thread, I did not see a convincing justification yet, for avoiding two accounts with the same UID.
It would be interesting to know, "what root" e.g. changed or created a file, but as you stated, this is not possible this way.
If there is indeed a need to know, then of course, having two accounts for the same UID is not acceptable. That need does not necessarily exist.
I think this may introduce some confusion (without any positive effect I can see) - which I would not recommend.
Or maybe, it just does not introduce any confusion for those needing it.
Maybe this is a reason: KISS (keep it simple, stupid) is a little violated by such a configuration (which I would call uncommon and misleading, maybe).

Uncommon, I agree. But maybe not misleading at all. I do not think that if someone knows what s/he is doing (and why!), there is a real problem.

This thread is a bit amusing, as some correspondents try to guess "why", but do not necessarily guess correctly. They then reply to their own guesses...

--
François Pinard http://www.iro.umontreal.ca/~pinard
I think perhaps in this line of discussion, one must ask what the benefits are for having two account names with the same userIDNumber, and what the possible side effects of this action are. Based on the answer to those two questions, and the security requirements of the system in question, you can then take the appropriate action.

When administering Solaris systems prior to 5.7, I've found it convenient to have a duplicate root user whose home directory and shell are different from the default. On systems running older or improperly configured versions of sendmail, for instance, this could have allowed security compromises which would not have otherwise occurred. However, Sun has always said that you shouldn't change the login shell or home directory of the user 'root'. Indeed, earlier versions of Solaris did depend on 'root' having a certain shell. As my experience has grown I've discovered that this warning from Sun is only in place to make it easier for their support technicians to troubleshoot issues remotely.

Now then... By default, failed login or su attempts to the 'root' username are logged extensively, including sending a notification to any users logged in with the userIDNumber of 0. Other userNames whose userIDNumber is 0 may not be logged in such a manner. Perhaps we could count this as reason number one, and depending upon the security requirements of the system in question this alone could be enough.

On most systems, Authentication and Authorization are interlinked so tightly that the distinction between the two becomes blurred. You authenticate based on your userName, principalName, etcetera. You are then counted by the operating system as Authorized for access to given functionality usually according to your userIDNumber, which was derived from your userName. Only in the realm of new media (web applications) has the userName taken precedence over the userIDNumber.

Further, we have the question of system accounting. Most accounting systems will take the first userName found with a given userIDNumber to be the username of all actions performed by that userIDNumber. For systems requiring C2 level or above security, having two userNames with the same userIDNumber immediately removes your clearance, as you cannot prove with reasonable effort which userName was logged in as that userIDNumber.

So in conclusion, I will state that duplicate logins with differing userNames are a bad idea in my opinion, dependent upon security and accounting requirements. I cannot state that I have not committed the sin of having done so, but I stand by the conclusion.

In the instance of modern POSIX compliant systems running ssh, I can see no true benefit to having a secondary root account. I count Linux as a modern POSIX compliant system. Startup and shutdown scripts are not dependent upon the user 'root's shell, nor are they dependent upon that user's home directory. Therefore, I cannot see the benefit of copying the root account's privileges to another username under Linux. I can see this need only for systems which are dependent upon the shell and/or home directory of the 'root' userName.

François Pinard wrote:
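Three concrete checks come up in this thread: Dirk Schreiner's warning that appending an entry with an empty password field leaves a UID 0 login with no password until passwd is run, Ted Garrett's point that accounting attributes everything done under a UID to the first userName found with it, and François Pinard's observation that ls shows root2's files as root's for the same reason. The POSIX sh script below is an added example, not code from any poster; it audits a passwd file for duplicate UIDs and empty password fields, and shows the first-name-wins lookup. The sample entries it writes are constructed for the example; the file path is a parameter, so the same functions can be pointed at a real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd(5) file for the two
# conditions discussed above. Runs offline against a constructed sample.

# Write a constructed sample passwd file to the path given in $1.
# The entries are hypothetical; root2 mirrors the "echo >> /etc/passwd"
# line from the thread, with its empty password field.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
root2::0:0:inetd:/home/dir:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
EOF
}

# Print "uid name1 name2 ..." for every UID that appears more than once,
# sorted numerically so the output is deterministic.
duplicate_uids() {
    awk -F: '{ if ($3 in names) names[$3] = names[$3] " " $1; else names[$3] = $1
               count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u, names[u] }' "$1" | sort -n
}

# Print every account whose password field is empty. With shadow passwords
# the field should hold "x"; an empty field means no password is required.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Resolve a UID ($2) to a name the way a top-down scan of the file does:
# the first matching line wins, which is why root2's files show as root's.
name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Human-readable report for the file in $1.
audit_passwd() {
    echo "== duplicate UIDs (uid name...) =="
    duplicate_uids "$1"
    echo "== accounts with an empty password field =="
    empty_password_accounts "$1"
    echo "== name that UID 0 resolves to =="
    name_for_uid "$1" 0
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_passwd "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, `audit_passwd /etc/passwd` runs the same checks; the duplicate-UID report lists every name sharing a UID, not only UID 0, because the accounting problem Ted describes applies to any UID.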
Hi,

maybe the answers were short because it is boring, having this thread every two months ;->>

(Btw. is there no searchable Website of this List?)

The fact is nobody should ever think about using two accounts with the same UID. Linux and its apps are not designed to handle this. Just think about NIS maps *.byuid ;-) Although UID 0 should not show up there. :->=> Also think about NSCD. Or some username-checking tools..... Kernel 1.0 and its tools didn't bother, but the more security will be involved in Linux the less this will work.

So just forget the history, and _never_ use two accounts with the same UID.

Greetings
Dirk

François Pinard wrote:
Dirk Schreiner wrote:
Hi,
maybe the answers were short because it is boring, having this thread every two months ;->>
(Btw. is there no searchable Website of this List?)
Yes, look at ... http://marc.theaimsgroup.com/

--
-.Francisco Acosta.- chesco@idea.com.py
participants (11)
- Adam Schmidt
- Chris Bek
- Dirk Schreiner
- Francisco Acosta
- Francois Pinard
- Markus Gaugusch
- pinard@iro.umontreal.ca
- Roland Kuhn
- Steef de Bruijn
- Steffen Dettmer
- Ted Garrett