Alternate Root

kevr
  13 years ago
  18

This will be a short tutorial explaining how to setup an alternate root user and disable the default root user. Note that this tutorial is not for everyone, and is only relevant to people who want an extra step in system security - this can be good for large university networks, or if your local network has the ability to be accessed from the outside. The regular desktop user should probably turn from this page now, but as I always say, the more knowledge the better.

First, an explanation: This method is helpful because most people trying to gain root access to your account will be attempting to get into the user 'root', but, remember that hardcore security penetrators will be able to get past this. How this is integrated is we disable the root user login after giving root ability to another user that we create - preferably with a very weird name.

Do not pass this line unless you know what you are doing, or you know the risks.

There are two methods to doing this, but I will be covering only one of them which is, in my opinion, the easier and quicker method to achieving it.

Things you will need:

Access to root
The program 'sudo' (comes by default on Linux Mint)

Step one: Adding a new user

We need to add a new user with a trivial name to use as our new root access account. First, we should get into direct root for this, then we'll proceed. Execute the following commands:

[user@host]$ su -
Password: (type in your root password)
[root@host]# useradd -m new_root
[root@host]# passwd new_root
Enter new UNIX password: (type in your desired root password)
Re-enter new UNIX password: (type in your desired root password to confirm)
password updated successfully!

Before moving on, please read this. In the example, I used new_root as the new user example. Do not use this! You should replace new_root with a more complex, trivial name. The harder it is to guess, the harder time people have getting access. I would think something along the lines of n3w_rh3toricaLx_R4ndOm0r, okay maybe that's a little overdone but you get the idea. Now let's move on.

Step two: Give your new user root access

Now we need to add your newly created user to the sudoers file. This file controls who can use sudo and what access they will have with it.

First, get into the sudoers file like so:

[root@host]# visudo

This will get you into the sudoers file with the vi editor. This is the recommended way of editing the sudoers file. Inside of it, you will notice there is an entry for root, and an entry for the account you made on installation. For example:

root     ALL=(ALL) ALL

This line is given with the default setup of sudo. It gives the user root complete access to everything. You do not need to delete this line ever! What you do need to do, is add an extra entry to give your new user the same rights that root has. You can do this by adding anywhere in the sudoers file:

new_user     ALL=(ALL) ALL

Now save by pressing ESC after typing, then typing ":w" and ":q" to quit.

Step three: Disabling default root

Now that we've set up a new account and given it root access, we need to disable login for the original root account. This is very simple. First we're going to want to get into our new user, and leave the root shell. You can achieve this by running:

[root@host]# exit
[user@host]$ sudo su - new_root
[new_root@host]$

Now that we're in our new_root shell, we're going to open a file called /etc/shadow. This file holds settings about users on your system and their passwords. So execute the command:

[new_root@host]$ sudo nano /etc/shadow

Now you are in the /etc/shadow file. You will notice on the left there is a list of the users on your system. The format for each line is simply user:hashed_password:UID::::::. It's very easy to disable the login for any account, all you have to do is change the hashed_password section to an exclamation mark.

For example, change:

  root:$1$gpl3jIdS$0l83U8KRodAVvlCfGGpe2:14789::::::

To:

  root:!:14789::::::

After making the changes, save and edit your text editor.  You can go ahead and attempt to login to 'root' user now, only to find out it is inaccessible.  You can now use new_root for your root file system endeavors! This is a very simple task to add an easy step of security to your file system. I hope some of you take advantage.

Happy minting!

Comments
jahid_0903014 10 years ago

thnks


smth 11 years ago

Thank you for your tutorial.
as stated in many other tutorials, make a copy of the file that is being changed before the change. and save the original.


noztox 12 years ago

good tutorial, thanks kevr


Keith 13 years ago

Good post...

Even if you don't make an Alternate Root account the knowledge of how to modify existing user accounts and shadow files is useful.