VMware Cloud Community
Rsant
Contributor

Rename "root" username.

Hi All,

Is there any way to rename the "root" username for security reasons? If yes, how can I do this?

How can this impact the VMware ESX 3.5 environment?

Regards,

Renan Santiago


Accepted Solutions
Mr_Flibble1
Enthusiast

It is common practice in the Windows world to rename the administrator account to improve security.

In the Unix world, you can rename the root user but it serves no real purpose.

The reason for this is Unix uses a setting called "User ID" (UID). Usually, a user has a UID above 500 on a Unix system. However, any user that has a UID of "0" is automatically root. Thus, if you can change the UID of a user called "jimbo" to zero, jimbo is now root. For the same reason, there is no reason to change the username of the root user, because once you have access to a Unix system, you can start looking for the users who are UID zero (and thus root). So, in short, changing the name of the root user does not add to the level of security as it does in Windows because it is the UID that sets the "godlike" permissions of root, not the name root itself.

So, while you can change the name of the root user, it does cause certain scripts to break, and anyone with basic Unix skills will see through the name change instantly.

5 Replies
aremmes
Enthusiast

Short answer: there is no way to change the root password.

Long answer: In theory, it'd be a simple matter of changing /etc/passwd, /etc/group, and /etc/shadow to replace all occurrences of 'root' with something else, especially if the OS is not authenticating logins against NIS/LDAP/Kerberos/whathaveyou, since by definition the superuser is whoever has a user ID of 0. I did this once on an old Slackware box and changed the superuser name to 'god'. I was able to log in, but the change broke all kinds of daemons and libraries that had 'root' hard-coded in them. Fixing the breakage was impossible short of grepping the source code for all of the packages in the computer to update them with the new superuser name. I ended up undoing the change, which required booting into single-user mode.

Simply put, don't do it. A better solution would be to create a new user account, add it to /etc/sudoers, and disable SSH root logins.

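An added example, not part of the thread: a read-only audit for the two points made in the posts above, that superuser status follows UID 0 whatever the account is called, and that direct SSH root logins should be disabled. The file contents are constructed samples and the function names are illustrative; on a real host the arguments would be /etc/passwd and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread); sample data below is constructed.

# Print the login name of every account whose UID field is numerically 0.
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' "$1"
}

# Print the first PermitRootLogin value (sshd uses the first occurrence of a
# keyword), or "unset". Simplification: Match blocks and the "key=value"
# form are not handled.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Report findings for a passwd file ($1) and sshd_config ($2); return 1 if any.
audit() {
    rc=0
    for name in $(uid0_accounts "$1"); do
        if [ "$name" != root ]; then
            echo "FINDING: UID 0 account not named root: $name"; rc=1
        fi
    done
    prl=$(permit_root_login "$2")
    if [ "$prl" != no ]; then
        echo "FINDING: PermitRootLogin is '$prl', expected 'no'"; rc=1
    fi
    return $rc
}

# Constructed sample: root renamed to "sysop", plus a second UID 0 account.
write_samples() {
    cat > "$1/passwd" <<'EOF'
sysop:x:0:0:renamed root:/root:/bin/bash
jimbo:x:0:0:Jim:/home/jimbo:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/sshd_config" <<'EOF'
#PermitRootLogin no
Protocol 2
PermitRootLogin yes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit "$tmp/passwd" "$tmp/sshd_config" || echo "audit reported findings"
rm -rf "$tmp"
```

The renamed account "sysop" shows up in the first finding, which is the thread's point: the name change hides nothing from anyone who can read the passwd file.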
admin
Immortal

The name "root" can be changed to a multitude of things. But you are not solving any problems.

Changing root to Ro0T will still give you full access without logging. I find that root and password should be made and placed in a safe (break-glass only). There are many ways that users can access and will allow for logging (see sudo), along with the roles and permissions with the VCS and ESX host.

I think you are looking to solve a problem that does not exist (or that has better workarounds).

CS

Leafy911
Expert

Have a read of this document, it will give you pointers as to what you should do:

Regards

Leafy911

(Don't forget you receive points when you award points)

Texiwill
Leadership

Hello,

Well you can change the root password.

Well, you can change the username root to some other username; however, the UID must always be set to 0 with a group ID of 0. Many programs and attacks ignore the username completely and just use the UID of 0. Which is what you really want to change, but that will never be possible with GNU/Linux.

You want to enable SUDO, and rotate passwords as expected. BTW, this same issue about UserID exists in Windows. It is as trivially easy to find all users with a userid of 500 in Windows as it is to find all users with the UID of 0.

So while you can do as you desire, it is just not recommended as it does not protect anything. In addition, all VC/VIC actions are delegated to the root user most likely using UID 0, but if they use the name 'root' in the code, which I doubt, things will start to break.

You really want to enable SUDO and other logging to audit the infrastructure and not implement arbitrary items that are just not worth doing.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill