[plug] Linux security idea - maybe

[Craig Ringer]

> It seems to me that the Holy Grail of breaking into a computer system is
> to achieve administrative access.   Windows (NT and above) has the
> Administrator account, Unix / Linux has root.   One of the things we are
> encouraged to do with Windows is to create another administrative account,
> assign the original Administrator account a super-obtuse password and then
> disable it.   The reasoning being (MCSE's correct me here) that even if
> someone actually broke the admin password, they could not do anything with
> the account anyway.

Actually, many many more breakins are due to the cracking of daemons 
running as root, and that's the first thing that should be eliminated 
where at all possible. Where not possible, a privelege-separated model 
needs to be used where the root process is very small and simple, using 
only well-documented APIs to communicate with the non-root part of the 
daemon.

> Well, can we do something like that for Unix / Linux?   Would it be
> equally useful?

We can, and it's well-known if less than common practice. Try to get 
"root" on one of my machines :-)

There are a number of problems with this approach, though. A number of 
things will look up the superuser account by the name "root" rather than 
looking for uid 0, causing some breakage if root isn't who they expect.

Also, as you mentioned, it's still uid 0 and still owns everything. Note 
that root need not own everything - I could create a uid, say, bobby 
(65530), that owns most things on the system and it wouldn't be an 
issue. I would want it to have login shell /bin/false and an invalid 
password, though.

It's always easy to discover who the superuser is by checking who uid 0 is.

A simple thing that helps a lot is leaving uid 0 as "root" but creating 
a second uid 0 account (yeah, you can do that) for root logins, named 
whatever you like. That at least prevents a few direct attempts.

Craig Ringer