UID = 0 , and GID = 0

I know that root is: UID = 0 and GID = 0
Suppose that I want to add another user that has the same ability/privilege as root.

Should
1) I assign <newuser> with UID = 0 and GID = 0 too?

2) What is the difference between <newUser> -> UID = 0 and GID = not 0
with <newUSER> -> UID = not 0 and GID 0

What are the implications of both cases?
kecoak Asked:

pjedmond Commented:
1. Yes - Assigning another user with UID and GID as 0 will give them root privileges.

2. It is the UID of 0 that grants 'root' status and it can read any file, whereas the GID of 0 only (having just tried it out) provides 'root' group status (i.e. access to files where the root group is the owner and has access privileges), and therefore will not be able to access files owned by say user1 where there is no permission for GID 0 to read them.

Effectively, that means that your user with UID of say 501 and GID of zero could carry out some administrative tasks, but would be unable to view files of rwx------ belonging to someone else.

HTH:)
kecoak Author Commented:
Can you confirm this?
Say I have the following user: XYZ, UID = 0, GID = 520, it will have the same privilege as Root (UID = 0, GID = 0)??
pjedmond Commented:
Yes it will for editing and accessing files.........but if an application changes the running permission of the process to the GID of the user, rather than the UID of the user, then there may be some interesting issues here. For example:

The shutdown command on my system is UID 6, GID 0 - Not sure about the actual code internally, but if it decides to take the GID of the person issuing a command to it, and then try and shutdown as GID 520, then I suspect that the end result will not be as expected.

You'd have to have a good look at the source code in order to find all the potential issues.

I have to confess that I've never seen a need to do this. It might be worth having a good look to see if there are better ways of doing what you want. In particular, you may wish to have a look at Security Enhanced Linux, where you can define exactly what a user can and cannot do in a much more fine grained manner:

http://www.securityenhancedlinux.com/

It's included in the newer redhat distros.

HTH:)
ahoffmann Commented:
> Should 1) I assign <newuser> with UID = 0 and GID = 0 too?
no
even if this works in most situations, all programs which rely on UID will fail
If you want to have users to have the same permissions as root, then use sudo

> 2)  What is the difference between <newUser>
silly question, silly answer: the number
UID, GID 0 is reserved for root, and should not be assigned to any other user/group, for obvious security reasons
Mysidia Commented:
The answer is yes.   Assigning a user  UID = 0   will give them privileges equivalent to root.
Assigning a different GID will cause files they create to have that GID, it could in theory
(very implausible) cause permission-related problems for them, in the strange case of
an application that drops user privileges and expects to use group read privileges.

However, it's moot, because with UID = 0, the user can always change their own group by
editing the password file.

The reason it's never done on a real system is from an accountability and security point of view.
There can be unexpected side effects of having two users assigned to the same UID -- it's something that
the login program generally accepts -- but it's problematic, because it doesn't really create an actual
additional user, as far as the system is concerned, if you login to a user with UID=0, then you are the
exact same user as anyone else with UID=0 --- when the additional user that  you have set to UID 0 logs
in, they will not have their own identity, once login is done they will appear as root to the system,
and there  won't be any way to tell the difference between anything that user does and something root does.

Your additional user will be indistinguishable from root.

Normally this is just attractive to hackers, and seeing two users assigned UID, without *'ed passwords is
a sure sign of system compromise.

A situation in which it is good to assign two users UID 0, is where the first to appear in the file is named "root"
and has a *'ed password, and the second is your REAL name for the root account in actual practice.

(This means the username will appear as the root's username on IDENT service, the ls command, anonymous
FTP, and other methods will be "root", since it appears earlier in the password file, but you actually use a
different username to access root.)

Having two indistinguishable accounts would mean you have no accountability -- and now, there are two
different passwords a hacker could compromise and appear as the same person; in theory, you have
increased their chances of guessing at least one valid root password, substantially -- and the account is only
as secure as the lesser secure of the two passwords.

It's normally better to just setup a regular account for the person and give them the root password, to access
it with the "SU" command.

Or if one wanted to keep a root password for some odd reason, despite that the other UID 0 user could always
change that password with root access -- then install the  SUDO package.

You can always create an "admin" group by doing:    groupadd admin
Run  visudo, to add lines like this to the sudoers file....

# Allow members of the admin group to gain root privileges
%admin ALL=(ALL) ALL

And again... at a command line         gpasswd -a  <user>  <admin>


The advantages of giving them the Root password or using SUDO  instead of creating another account
with UID 0 is...

(1) They will clearly login as themselves -- the logs will clearly show who logged in, and when you view
logged in users, you will be able to tell how they got in.

(2) If you use  "SU", you can in fact disable direct root login, since users must login as a regular user first,
they must know two passwords to get root access over a shell.
If you use "SUDO", in advanced configurations, you can in fact, select which commands can be run,
normally each command would be logged too, unless they did something like  "sudo /bin/bash"

(3) By using either SU or SUDO, the user will login as a normal user at first; if the task they're about to
run doesn't require root privileges -- they don't have to enable the privileges, which reduces unnecessary
risk to the system.
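
The post above notes that extra UID 0 entries without *'ed passwords are a warning sign, and that the first UID 0 name in the password file is the one tools display. As an added example (not part of the original thread), this shell function audits passwd- and shadow-format files for both conditions; the accounts xyz and oper and all sample data are constructed, reusing the UID/GID values discussed in the thread.

```shell
#!/bin/sh
# Added example. audit_uid0 PASSWD_FILE SHADOW_FILE
# Prints one line per finding:
#   UID0 <name> <canonical|alias> <locked|empty|password>
#   GID0 <name>        (non-zero UID whose primary group is 0)
audit_uid0() {
    awk -F: '
        pass == 1 { hash[$1] = $2; next }      # shadow: name -> password field
        /^#/ || NF < 7 { next }                # skip comments and short lines
        $3 == 0 {
            # UID-to-name lookups return the first matching entry, so
            # only the first UID 0 line supplies the name tools display.
            role = (seen++ == 0) ? "canonical" : "alias"
            h = ($1 in hash) ? hash[$1] : $2
            if (h ~ /^[*!]/ || h == "x") state = "locked"   # "x" with no shadow entry
            else if (h == "")            state = "empty"    # no password required
            else                         state = "password"
            print "UID0", $1, role, state
            next
        }
        $4 == 0 { print "GID0", $1 }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data (not from a real system); xyz and oper are
# hypothetical accounts using the UID/GID values discussed in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
xyz:x:0:520:second UID 0 name:/root:/bin/sh
oper:x:501:0:GID 0 only:/home/oper:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:19000:0:99999:7:::
xyz:$6$constructed$notarealhash:19000:0:99999:7:::
oper:!:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
    audit_uid0 "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On a live system the arguments would be /etc/passwd and /etc/shadow, read as root; any "alias" line with state "password" or "empty" that was not placed there deliberately deserves investigation.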

root_start Commented:
Hi kecoak,

Be careful when giving UID and GID as 0 because when you change this user's password, the root password will be also changed.

I would suggest you to use "sudo", it is more secure and you will have control of what which user is executing.

I hope it helps. =0)
ahoffmann Commented:
> Be careful when giving UID and GID as 0 because when you change this user's password, the root password will be also changed.
no!
yes, sometimes, somehow!

see my comment http:#16621924
root_start Commented:
Sorry, but yes or no?

I have already had this problem.
ahoffmann Commented:
> Sorry, but yes or no?
depends
As I said (see comment) it depends on the programs, hence I'd never recommend using 0 for anything else than root. It's a dirty hack for people who 101% know what they do and who 101% know what might happen.
kecoak Author Commented:

The advantages of giving them the Root password or using SUDO  instead of creating another account
with UID 0 is...

(1) They will clearly login as themselves -- the logs will clearly show who logged in, and when you view
logged in users, you will be able to tell how they got in.
-----------------
I agree with this bit, but there is no point having good audit logs in here since if you were root you can modify the logs file anyway? Therefore there is no accountability.

ahoffmann Commented:
> Therefore there is no accountability.
that's why SELinux has been mentioned already
other possibilities are grsecurity or AppArmor
Mysidia Commented:
> I agree with this bit, but there is no point having good audit logs in here since if you were root you can modify the logs file anyway? Therefore there is no accountability.

False.  

1. That root can modify the logs is no reason not to have them in the first place -- the fact that root CAN
modify them does not mean that root deliberately forges them.

Depending on the circumstances, the other root may not know about all the logging that is done.

Accountability is partly about having an idea and having information about what goes on normally,
when other roots are well behaved too.


2. A considerable effort would be required to modify the logs enough to make them useless.
3. Modifying the logs can itself leave a trail.
4. The logs could be stored on a different machine, or multiple backups could be made by the time the
other user could attempt to modify them.

--

Just because it is theoretically possible for someone to forge your signature on a document, does not
make contracts and other such documents useless.

By the same token, just because it's possible for someone to maliciously forge, alter, or erase
a log entry, does not make system logging useless.