Creat a super User ID with root previllage

Latest response

 

Dear All,

 

I have a RHEL V5 server , as per our security policy , the root user ID password should be protected in a sealed envelope and should not be used for administrative purposes, Can you please help me in how to create another user ID with root privilege on the RHEL

 

in other UNIX flavor, I used to change the ID of the new user to 0 , is this concept apply in RHEL

MA
Log in to join the conversation

Responses

rh Red Hat Expert 890 points
7 June 2011 9:30 AM

 

Have you considered using sudo?. Using sudo is the recommended method if want to share administrative previleges. 

eg:
 
# visudo
 
and add
 
<user_name>  ALL=(ALL) ALL
 
so this user can do all administrative jobs(same as root) by simply prefixing sudo and entering his own password ( or use "<user>  ALL=(ALL)  NOPASSWD: ALL" if u dont want to enter passwd).  
 
 
I don't think creating another user with uid=0 is a good practice(and not sure whether it'll have any side effects), but it will work.
TJ Guru 1883 points
7 June 2011 12:49 PM

Most of the places this policy comes from seem to be places that have a high concentration of Windows server (where it's long been standard practice to kill the Administrator account and replace it with local administrator-level accounts). Also tend to see it in shops that have run "Trusted" verions of their operating system - Sun maintained a "Trusted Solaris" version up through Solaris 8, then switched to including RBAC in Solaris 9 and 10.

 

In general, due to the world-readable nature of /etc/passwd in UNIX systems, simply changing UID 0's account name from "root" to some other username (I've seen "toor" at a number of sites) isn't terribly useful. If I can log into a system as a regular user, I can see who the UID 0 account is and I can start my efforts to break into that account. With that non-advantage in place, changing "root" to some other userid can create breakage in poorly-coded scripts and programs. I've seen more than a few programs, over the years that, when they check to see if the super-user is calling the app/script, check for the username "root" rather than the userid "0".

 

All that aside, it's fairly normal to use things like sudo to delegate privileged operations to other user accounts. Once you've delegated those operations, it's possible to (effectively) lock-out the root account to prevent interactive logins. With applications like SSH you can lock it out in the application's config files. If you feel like messing around with the PAM subsystem, you can lock out direct root access in each and every application or tool that references PAM. Once you've done all that, all your root ops are done through delegation systems like sudo.

 

With all that set up, you can set a nice, complex root password and then either lock it in a vault somewhere or forget it. With normal RHEL, if you boot a system to single user, you're not prompted for root's password (so, make sure you've got a grub password in place!). If you harden the system, you can STILL get in with privileged access by rebooting with 'init=/bin/bash'. So, whether you have the root user's password documented somewhere or not, you still have recovery avenues available. Just remember that, when you lock down the root account, you ensure that root's password doesn't expire (things like cron stop working if that happens).