5 Replies Latest reply on Oct 21, 2008 10:50 AM by Mr.Flibble

    Rename "root" username.

    Rsant Novice

       

      Hi All,

       

       

      Is there any way to rename the "root" username for security reasons? If yes, how can I do this?

       

       

      How can this impact the VMware ESX 3.5 environment?

       

       

       

       

       

      Regards,

       

       

      Renan Santiago

       

       

       

       

       

        • 1. Re: Rename "root" username.
          aremmes Enthusiast

          Short answer: there is no way to change the root password.

           

          Long answer: In theory, it'd be a simple matter of changing the /etc/passwd, /etc/group, and /etc/shadow to replace all occurrences of 'root' with something else, specially if the OS is not authenticating logins against NIS/LDAP/Kerberos/whathaveyou, since by definition the superuser is whoever has a user ID of 0. I did this once on an old Slackware box and changed the superuser name to 'god'. I was able to login, but the change broke all kinds of daemons and libraries that had 'root' hard-coded in them. Fixing the breakage was impossible short of grepping the source code for all of the packages in the computer to update them with the new superuser name. I ended up undoing the change, which required booting into single-user mode.

           

          Simply put, don't do it. A better solution would be to create a new user account and adding it to /etc/sudoers, and disabling SSH root logins.

          • 2. Re: Rename "root" username.
            Enthusiast

            The name "root" can be changed to a multitude of things. But you are not solving any problems.

            Changing root to Ro0T will still give you full access without logging,  I find that root and password should be made and placed in a safe (break-glass only). There are many ways that users can access and will allow for logging (see sudo), along with the roles and permissions with the VCS and ESX host.

            I think you are looking to solve a problem that does not exist (or that have  better work-arounds)

            CS

            • 3. Re: Rename "root" username.
              Leafy911 Expert

               

              Have a read of this document, it will give you pointers as to what you should do:

               

               

              http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf

               

               

               

              Regards

              Leafy911

               

              (Dont forget you recieve points when you award points)

               

               

              • 4. Re: Rename "root" username.
                Texiwill Guru
                vExpertUser Moderators

                Hello,

                 

                Well you can change the root password.

                 

                Well you can change the username root to some other username, however the UID must always be set to 0 with a group id of 0. Many programs, attacks ignore username completely and just use the UID of 0. Which is what you really want to change, but that will never be possible with GNU/Linux.

                 

                You want to enable SUDO, and rotate passwords as expected. BTW, this same issue about UserID exists in windows. It is trivially easy to find all users with a userid of 500 in windows as it is to find all users with the uid of 0.

                 

                So while you can do as you desire. It is just not recommended as it does not protect anything. In addition, all VC/VIC actions are delegated to the root user most likely using UID 0, but if they use the name 'root' in the code, which I doubt, things will start to break

                 

                You really want to enable SUDO and other logging to audit the infrastructure and not implement arbitrary items that are just not worth doing.

                 


                Best regards,

                Edward L. Haletky

                VMware Communities User Moderator

                ====

                Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

                CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

                As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

                • 5. Re: Rename "root" username.
                  Mr.Flibble Hot Shot

                   

                  It is common practice in the windows world to rename the administrator account to improve security.

                   

                   

                  In the Unix world, you can rename the root user but it serves no real purpose.

                   

                   

                  The reason for this is Unix uses a setting called "User ID" (UID). Usually, a user has a UID above 500 on a Unix system. However, any user that has a UID of "0" is automatically root. Thus, if you can change the UID of a user called "jimbo" to zero, jimbo is now root. For the same reason, there is no reason to change the username of the root user. Because, once you have access to a Unix system, you can start looking for the users who are UID zero (and thus root). So, in short, changing the name of the root user does not add to the level of security as it does in windows because it is the UID that sets the "godlike" permissions of root, not the name root itself.

                   

                   

                  So, while you can change the name of the root user, it does cause certain scripts to break, and anyone with basic Unix skills will see through the name change instantly.