How to add user privilege same ROOT !!!



::Ake::
19th April 2006, 05:49 PM
I want to create a user that can do anything, same as the ROOT user. How do I create that user?

Thank you

dillybat
19th April 2006, 06:31 PM
I want to create a user that can do anything, same as the ROOT user. How do I create that user?

Thank you
The short answer is that you don't. Some system utils have the UID and GID of 0 (root) hard coded into them so that they cannot be used by anyone but root. You can come close to pulling this off but it will never be the same. I recommend using sudo...

Why would you want to do this?

jonathanpeter
19th April 2006, 06:38 PM
I want to create a user that can do anything, same as the ROOT user. How do I create that user?

Thank you
Creating a user account that can do everything the same as root is easy:

Just change the UID of that account to 0.

I don't recommend you use this as a working account though since it makes you vulnerable to viruses, attacks etc...

dillybat
19th April 2006, 06:49 PM
Creating a user account that can do everything the same as root is easy:

Just change the UID of that account to 0.

I don't recommend you use this as a working account though since it makes you vulnerable to viruses, attacks etc...

This will really mess up the system!!! :eek:

besides if that is your solution just run as root for the same effect!

nlkrio
19th April 2006, 06:53 PM
don't do it for your own safety :-)

jonathanpeter
19th April 2006, 06:59 PM
This will really mess up the system!!! :eek:

besides if that is your solution just run as root for the same effect!

When I first used Fedora a few years ago? I did it and it worked with no problems at all.

Why, what does it mess up? (out of interest)


*I don't do it now I have to say. I guess it was just getting used to the switch between windows and linux. It was kind of weird having to type su every time you wanted to make a system change.

dillybat
19th April 2006, 07:07 PM
When I first used Fedora a few years ago? I did it and it worked with no problems at all.

Why, what does it mess up? (out of interest)


*I don't do it now I have to say. I guess it was just getting used to the switch between windows and linux. It was kind of weird having to type su every time you wanted to make a system change.

So you renamed "root" to something else, or did you create another user with the UID of 0 like what you suggest? If you did the latter you can render the system unstable or break the ability to login. If you do the prior then you aren't changing anything but what "root" is called. This can have some adverse effects but they are rare. There are utils that will check the UID against the name used.

jonathanpeter
19th April 2006, 07:12 PM
I created a new account called "jonathan" and re-UID'ed the account to "0". Had absolutely no problems with system instability or problems with logging in - used it for months like this as well.

Confused... how would it cause instability? How could it affect logging in?

If you deleted the root account and did the above... it would probably cause massive problems. But, I still can't see how it would cause instability etc.... why, have you tried it? or is this some theory?

Anyway, it's certainly not recommendable because of all the security risks.

dhav
19th April 2006, 07:15 PM
creating a second uid 0 account won't render your system unstable. It's a bad idea in the same sense that you shouldn't be a root user doing everyday tasks.

The problem here is that if you don't know how to create a uid 0 account, perhaps you should really reconsider doing it, clearly your experience level is still a little low.

All that said, I'm root 90% of the time I'm on systems. I don't follow the whole sudo paradigm but that's me. I HAVE screwed up a few times and deleted stuff I wasn't supposed to, I learned my lessons fairly quickly, you may not be so lucky.

Probably the 'best practice' for what you want to do is to read up on sudo, put this user in sudoers and let him work that way. If you really want to, give him the root password and let him su to root when he needs to. tell him you don't like the idea of him working as root and you feel better doing it this way.

jonathanpeter
19th April 2006, 07:20 PM
creating a second uid 0 account won't render your system unstable. It's a bad idea in the same sense that you shouldn't be a root user doing everyday tasks.

The problem here is that if you don't know how to create a uid 0 account, perhaps you should really reconsider doing it, clearly your experience level is still a little low.

All that said, I'm root 90% of the time I'm on systems. I don't follow the whole sudo paradigm but that's me. I HAVE screwed up a few times and deleted stuff I wasn't supposed to, I learned my lessons fairly quickly, you may not be so lucky.

Probably the 'best practice' for what you want to do is to read up on sudo, put this user in sudoers and let him work that way. If you really want to, give him the root password and let him su to root when he needs to. tell him you don't like the idea of him working as root and you feel better doing it this way.

Completely agree with the above. Using su or sudo is vastly vastly better than creating another root account and using it as a working account.

dillybat
19th April 2006, 07:22 PM
I created a new account called "jonathan" and re-UID'ed the account to "0". Had absolutely no problems with system instability or problems with logging in - used it for months like this as well.

Confused... how would it cause instability? How could it affect logging in?

If you deleted the root account and did the above... it would probably cause massive problems. But, I still can't see how it would cause instability etc.... why, have you tried it? or is this some theory?

Anyway, it's certainly not recommendable because of all the security risks.
Both, I have tried, as an experiment, and theory...

The "how would this cause instability" and "how could it affect logging in" questions are such a broad area of conversation that it would take days to go through the different pieces where it can, and will, cause problems. Needless to say, just take my word for it. I actually build and develop on Linux systems for a living... I also play with different distros as a hobby.

dillybat
19th April 2006, 07:25 PM
If you agree then why this previous post?!?!?


Creating a user account that can do everything the same as root is easy:

Just change the UID of that account to 0.

I don't recommend you use this as a working account though since it makes you vulnerable to viruses, attacks etc...

jonathanpeter
19th April 2006, 07:27 PM
Just answering the question, that's all... like someone gave the same answer to me a long time ago.

dhav
19th April 2006, 07:56 PM
If you agree then why this previous post?!?!?

I think he was agreeing with me...

I'm not buying the whole thing btw. I don't want to start a flamewar or anything like that but you're going to have to give me some information on how having more than one uid 0 account causes problems. I've done this plenty of times on fedora, redhat and slackware. In fact, I think it's interesting you said changing the username of root would be less of an impact than creating a second uid 0 account. I'm not positive but I'm pretty sure there are at least a few apps (I've written plenty of small scripts that do this) that check to make sure $USER is root before allowing to run. Also, if you change the name of the account and not the group, I bet anything that's owned by root will have permission problems if group and world aren't set to the same as owner... Good lord don't try to change the name of the root account...

dhav
19th April 2006, 08:47 PM
some reading:

a Bastille Linux hardening guide suggests creating a second uid0 account so that the root account can be monitored:
https://wbt.navsea.navy.mil/SAUnix/prep/hardening/harden/sh022.html

I have a sun admin book here that also suggests creating an account called toor that is uid0

a post on the debian-devel list says it's a reasonable workaround for ssh'ing as root:
http://lists.debian.org/debian-devel/1999/08/msg01323.html

and a posting on the dirvish list that talks about it..
http://www.nabble.com/Permissions-and-access-t62379.html#a169587

that's 5 minutes of googling. I DID find a few pages that talked about specific security issues with having a second uid0 account but these were flaws in a particular software (I think it was all the same ftp software) package. It had nothing to do with the 'system' or stability...

dillybat
19th April 2006, 09:02 PM
I think he was agreeing with me...

I'm not buying the whole thing btw. I don't want to start a flamewar or anything like that but you're going to have to give me some information on how having more than one uid 0 account causes problems. I've done this plenty of times on fedora, redhat and slackware. In fact, I think it's interesting you said changing the username of root would be less of an impact than creating a second uid 0 account. I'm not positive but I'm pretty sure there are at least a few apps (I've written plenty of small scripts that do this) that check to make sure $USER is root before allowing to run. Also, if you change the name of the account and not the group, I bet anything that's owned by root will have permission problems if group and world aren't set to the same as owner... Good lord don't try to change the name of the root account...
Most security related code on Linux is written in C or C++. The proper way to check permissions in these languages is by using the getuid and geteuid functions (check man pages). The integer associated with a user, 0 in this case, is what the system uses for this verification. The username itself is, and should be treated as, just a text label for this. If you are using $USER for your scripts, assuming BASH here, I recommend using $UID and/or $EUID instead.

Changing the name of a user in Linux will also change the name associated with the user's files. For example, when you do a "ls" in Linux, a file's permissions, which are in integer format, will be checked against the passwd file to associate a name with them. The same thing happens with group permissions but the system group file is used. So if you change the name of "fred" to "wilma" in the passwd file, then do an "ls" the files that were owned by "fred" will now be owned by "wilma", which is the same user because the integer value didn't change.

The text string only has validity when logging in. This string is compared to the passwd file as a reference to find out what your UID is. It should take the first match that it finds. Although some versions of login will parse the entire file and error out if there is more than one match. Then the integer value is used throughout your login to identify you. As a matter of fact you can spoof the $USER value easier than you can the $UID and $EUID values. See my example...
[prompt ~]$ echo $USER
dtrowbridge
[prompt ~]$ export USER="root"
[prompt ~]$ echo $USER
root
[prompt ~]$
As you can see I just spoofed the $UID on my system. If I don't change this back it can, but may not, depending on what I do and how security minded my distro is, cause problems for me. Some security minded processes actually check all three items $USER, $UID, and $EUID. Hence having two users with the UID of root can cause problems. If nothing else a username and UID combo should be unique...

This all comes with the caveat of what versions of software you have.
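
The difference between checking the `$USER` label and checking the numeric UID, as an added example that is not part of the original post: the function names are hypothetical, and `dtrowbridge` is the label from the session above.

```shell
#!/bin/sh
# Added example (not from the thread): two ways a script can decide
# whether it is running as root.

# Weak: trusts $USER, an ordinary environment variable that the caller
# can set to anything before starting the script.
is_root_by_name() {
    [ "${USER:-}" = "root" ]
}

# Robust: id -u reports the effective UID the kernel holds for this
# process; exporting variables cannot change it.
is_root_by_euid() {
    [ "$(id -u)" -eq 0 ]
}

# Run both checks with USER forced to the given label (in a subshell,
# so the caller's environment is untouched) and print
# "name=<yes|no> euid=<yes|no>" so the two answers can be compared.
compare_checks() {
    label=$1
    if (USER=$label; is_root_by_name); then by_name=yes; else by_name=no; fi
    if is_root_by_euid; then by_euid=yes; else by_euid=no; fi
    echo "name=$by_name euid=$by_euid"
}

# Same idea as the session in the post: the label changes, the UID does not.
compare_checks "root"
compare_checks "dtrowbridge"
```

Run as an ordinary user, the first call prints `name=yes euid=no`: the name-based check is satisfied by a label alone, while the UID-based one is not.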

dillybat
19th April 2006, 09:05 PM
some reading:

a Bastille Linux hardening guide suggests creating a second uid0 account so that the root account can be monitored:
https://wbt.navsea.navy.mil/SAUnix/prep/hardening/harden/sh022.html

I have a sun admin book here that also suggests creating an account called toor that is uid0

a post on the debian-devel list says it's a reasonable workaround for ssh'ing as root:
http://lists.debian.org/debian-devel/1999/08/msg01323.html

and a posting on the dirvish list that talks about it..
http://www.nabble.com/Permissions-and-access-t62379.html#a169587

that's 5 minutes of googling. I DID find a few pages that talked about specific security issues with having a second uid0 account but these were flaws in a particular software (I think it was all the same ftp software) package. It had nothing to do with the 'system' or stability...
Instability can be caused by this. It all depends on how well the code that caught it was put together. I have seen code that compared all three fields, $USER, $UID, and $EUID, core dump because just one didn't match up, and I brought down the system.

BTW: this will also cause a system to not pass a gov't audit. Trust me I know...
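
A check an auditor or administrator could run for the situation discussed in this thread, as an added example that is not part of the original posts: the sample passwd entries are constructed, the function names are hypothetical, and the name lookup assumes the file is scanned top to bottom with the first match winning.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for
# accounts that share UID 0, and show which name a UID resolves to.

# Constructed sample data; "jonathan" stands for the second UID 0 entry
# described in the thread. All other fields are made up.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jonathan:x:0:0:Jonathan:/home/jonathan:/bin/bash
fred:x:500:500:Fred:/home/fred:/bin/bash
EOF
}

# Print every account name whose third field (UID) is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the first name that maps to the given UID (assumption: lookups
# scan the file top to bottom and stop at the first match).
first_name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Print "uid:name1,name2,..." for every UID used by more than one entry.
shared_uids() {
    awk -F: '
        { if ($3 in names) names[$3] = names[$3] "," $1; else names[$3] = $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1" | sort
}

# Audit verdict: succeed only when "root" is the sole UID 0 account.
root_is_only_uid0() {
    [ "$(uid0_accounts "$1")" = "root" ]
}

tmp=$(mktemp) && sample_passwd > "$tmp"
uid0_accounts "$tmp"
first_name_for_uid "$tmp" 0
shared_uids "$tmp"
root_is_only_uid0 "$tmp" || echo "FAIL: more than one UID 0 account"
rm -f "$tmp"
```

On the sample data, files owned by UID 0 are labelled `root` even when `jonathan` created them, which is why the username cannot be used to tell the two accounts apart after login.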

ezzetabi
19th April 2006, 09:13 PM
Personally I am against sudoers ALL ALL ALL, go figure a second root account.
if you trust the person so much for a root power, give him the pass.
If you do not, but he needs some special power, configure sudoer correctly.
If you do not, nor he needs... why bother? This is not WXP...

dhav
19th April 2006, 09:21 PM
ok, I'll buy all that, thanks for the info. Of course it makes sense too, I hadn't thought of it from this point of view (sadly), my focus in writing scripts is to get something done quickly, shortcuts if you will. I'll if [ $USER != root ] to make sure that the script isn't going to fail, not to keep a non-root user from being able to do something. I wouldn't be surprised if other people do this (with as little thought as I do) as well.

BUT

I'm still not buying the idea that having a second uid0 account will cause problems. :)

theophilusmouss
19th April 2006, 09:23 PM
First off, I'm very new to Linux.

That having been said, if you really were determined to have a daily user account with root access, couldn't you add that user to the root GROUP?

or am I misunderstanding how groups work?

dillybat
19th April 2006, 09:39 PM
ok, I'll buy all that, thanks for the info. Of course it makes sense too, I hadn't thought of it from this point of view (sadly), my focus in writing scripts is to get something done quickly, shortcuts if you will. I'll if [ $USER != root ] to make sure that the script isn't going to fail, not to keep a non-root user from being able to do something. I wouldn't be surprised if other people do this (with as little thought as I do) as well.

BUT

I'm still not buying the idea that having a second uid0 account will cause problems. :)
It goes back to your distro. If you have a version that doesn't handle the multiple UID in passwd correctly it will fail. If it is a hardened version of Linux it will fail. Just remember not all Linuxes are created equally...

dillybat
19th April 2006, 09:41 PM
No, because that will only give you the group id (GID) of root (0) and not the user id (UID) of root (0). Many people can belong to a group but not everyone can be you...