LinuxSA Mailing list archives
From: Richard Russell <richardrussell@mail.com>
To : Richard Sharpe <sharpe@ns.aus.com>
Andrew Halliday <andrew@recalldesign.com>
<linuxsa@linuxsa.org.au>
Date: Mon, 29 Jan 2001 18:40:11 +1030
RE: Changing the root user
> At 09:48 AM 1/29/01 +1030, Andrew Halliday wrote:
> > Okay, here's an interesting proposition that may prove quite
> > controversial but I just want to see how possible it is first.
> > Then I thought - "So what if they hacked root and root wasn't the
> > root user?".
>
> Most of the remote attacks you see, e.g. buffer overflow attacks, are after
> UID 0.
>
> You cannot change the superuser account from UID 0, it is hard coded into
> the kernel in many places.
>
> You could change the name of that account from root to something else, and
> only a few things would care probably, but that won't help you against the
> attacks that will get you.
of course, there's another trick that this can be used for -- you can make
root's password unremembered and unrecorded line noise, and add a user "fred"
with UID of 0, and log in as "fred" with fred's passwd, and you will
actually be root... This way, anyone snooping your ether for "login:" and
"root" followed by "password:" will be foiled... of course, this is, in
reality, pretty useless, but it can be a cool backdoor in systems, and it
works on NIS as well... (so if you have control over the NIS server, you can
get root access (although this _may_ be blockable)...)
> > a way that this would be unretrenchably embedded in the system, since
/me looks up unretrenchably... hmmm:
-----
re.trench (r-trnch)
v. re.trenched, re.trench.ing, re.trench.es.
v. tr.
1. To cut down; reduce.
2. To remove, delete, or omit.
-----
fair enough :)
rr
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
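
Added example, not part of the original message: a check for the UID 0 alias account described above, run over passwd(5)-format text. The sample data, the function name `audit_passwd` and the finding labels are assumptions made for illustration.

```python
# Added example: audit passwd(5)-format text for extra accounts with UID 0.
# SAMPLE_PASSWD is constructed; "fred" mirrors the alias account in the message.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fred:x:00:0:Fred:/home/fred:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
+::::::
truncated:x:0
"""


def audit_passwd(text, allowed=("root",)):
    """Return (line_number, kind, account_name) for every entry needing review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if name.startswith(("+", "-")):
            # Compat-mode include/exclude line: the accounts it refers to live
            # in NIS, so this file alone cannot show what UIDs they carry.
            findings.append((lineno, "nis-compat", name))
            continue
        if len(fields) != 7:
            findings.append((lineno, "malformed", name))
            continue
        try:
            uid = int(fields[2])  # this audit treats "00" the same as "0"
        except ValueError:
            findings.append((lineno, "malformed", name))
            continue
        if uid == 0 and name not in allowed:
            # A second name for the superuser, whatever the account is called.
            findings.append((lineno, "uid0-alias", name))
    return findings


if __name__ == "__main__":
    for lineno, kind, name in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {kind}: {name}")
```

On a NIS client, passing the output of `getent passwd` to the function instead of the contents of `/etc/passwd` includes the accounts served from the NIS map.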