Solved

UID = 0 , and GID = 0

Posted on 2006-05-06
1,689 Views
Last Modified: 2012-08-13
I know that root is UID = 0 and GID = 0.
Suppose that I want to add another user that has the same ability/privilege as root.

Should
1) I assign <newuser> with UID = 0 and GID = 0 too?

2) What is the difference between <newUser> -> UID = 0 and GID = not 0
and <newUSER> -> UID = not 0 and GID = 0?

What is the implication of both cases?
Question by:kecoak
12 Comments
 
LVL 22

Expert Comment

by:pjedmond
ID: 16620995
1. Yes - Assigning another user with UID and GID as 0 will give them root privileges.

2. It is the UID of 0 that grants 'root' status and it can read any file, whereas a GID of 0 only (having just tried it out) provides 'root' group status (i.e. access to files where the root group is the owner and has access privileges), and therefore the user will not be able to access files owned by, say, user1 where there is no permission for GID 0 to read them.

Effectively, that means that your user with UID of say 501 and GID of zero could carry out some administrative tasks, but would be unable to view files of rwx------ belonging to someone else.

HTH:)
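pjedmond's point above, in a small model of the classic Unix discretionary access check (an added illustration, not code from the thread; the users, files and modes are constructed): UID 0 bypasses the mode bits, while a GID of 0 only earns the group class on files owned by group 0.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits, as in the rwx triplets

@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int  # e.g. 0o700 for rwx------

def can_access(uid: int, gids: set[int], f: File, want: int) -> bool:
    """True if a process with this uid and group set may perform `want` (R, W or X)."""
    # UID 0 skips the mode bits for read/write; execute still needs at least one x bit.
    if uid == 0:
        return want != X or bool(f.mode & 0o111)
    # Everyone else is tested against exactly one class: owner, group or other.
    if uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.group_gid in gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & want)

# Constructed sample files: user1's private file and a root-group-readable config.
PRIVATE = File(owner_uid=1001, group_gid=1001, mode=0o700)  # rwx------ user1:user1
ROOTGRP = File(owner_uid=0, group_gid=0, mode=0o640)         # rw-r----- root:root

def compare_identities() -> dict[str, bool]:
    """Who can read what: XYZ (uid 0, gid 520) versus a uid 501 user in group 0."""
    xyz = (0, {520})        # the UID 0 / GID 520 account from the question
    admin501 = (501, {0})   # pjedmond's UID 501 / GID 0 case
    return {
        "xyz_reads_private": can_access(*xyz, PRIVATE, R),
        "xyz_reads_rootgrp": can_access(*xyz, ROOTGRP, R),
        "501_reads_private": can_access(*admin501, PRIVATE, R),
        "501_reads_rootgrp": can_access(*admin501, ROOTGRP, R),
        "501_writes_rootgrp": can_access(*admin501, ROOTGRP, W),
    }

if __name__ == "__main__":
    for name, allowed in compare_identities().items():
        print(f"{name}: {allowed}")
```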
 

Author Comment

by:kecoak
ID: 16621115
Can you confirm this:
Say I have the following user: XYZ, UID = 0, GID = 520. Will it have the same privilege as root (UID = 0, GID = 0)?
 
LVL 22

Expert Comment

by:pjedmond
ID: 16621193
Yes it will for editing and accessing files... but if an application changes the running permission of the process to the GID of the user, rather than the UID of the user, then there may be some interesting issues here. For example:

The shutdown command on my system is UID 6, GID 0 - Not sure about the actual code internally, but if it decides to take the GID of the person issuing a command to it, and then tries to shut down as GID 520, then I suspect that the end result will not be as expected.

You'd have to have a good look at the source code in order to find all the potential issues.

I have to confess that I've never seen a need to do this. It might be worth having a good look to see if there are better ways of doing what you want. In particular, you may wish to have a look at Security Enhanced Linux, where you can define exactly what a user can and cannot do in a much more fine-grained manner:

http://www.securityenhancedlinux.com/

It's included in the newer Red Hat distros.

HTH:)
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16621924
> Should 1) I assign <newuser> with UID = 0 and GID = 0 too?
no
even though this works in most situations, all programs which rely on UID will fail
If you want users to have the same permissions as root, then use sudo

> 2) What is the difference between <newUser>
silly question, silly answer: the number
UID, GID 0 is reserved for root, and should not be assigned to any other user/group, for obvious security reasons
 
LVL 23

Accepted Solution

by:
Mysidia earned 2000 total points
ID: 16622162
The answer is yes. Assigning a user UID = 0 will give them privileges equivalent to root.
Assigning a different GID will cause files they create to have that GID; it could in theory
(very implausibly) cause permission-related problems for them, in the strange case of
an application that drops user privileges and expects to use group read privileges.

However, it's moot, because with UID = 0, the user can always change their own group by
editing the password file.

The reason it's never done on a real system is an accountability and security one.
There can be unexpected side effects of having two users assigned to the same UID -- it's something that
the login program generally accepts -- but it's problematic, because it doesn't really create an actual
additional user, as far as the system is concerned: if you log in to a user with UID=0, then you are the
exact same user as anyone else with UID=0 --- when the additional user that you have set to UID 0 logs
in, they will not have their own identity; once login is done they will appear as root to the system,
and there won't be any way to tell the difference between anything that user does and something root does.

Your additional user will be indistinguishable from root.

Normally this is just attractive to hackers, and seeing two users assigned UID 0, without *'ed passwords, is
a sure sign of system compromise.

A situation in which it is good to assign two users UID 0 is where the first to appear in the file is named "root"
and has a *'ed password, and the second is your REAL name for the root account in actual practice.

(This means the username that appears as root's username on the IDENT service, in the ls command, on anonymous
FTP, and via other methods will be "root", since it appears earlier in the password file, but you actually use a
different username to access root.)

Having two indistinguishable accounts would mean you have no accountability -- and now there are two
different passwords a hacker could compromise and appear as the same person; in theory, you have
substantially increased their chances of guessing at least one valid root password -- and the account is only
as secure as the less secure of the two passwords.

It's normally better to just set up a regular account for the person and give them the root password, to access
it with the "SU" command.

Or if one wanted to keep a root password for some odd reason, even though the other UID 0 user could always
change that password with root access -- then install the SUDO package.

You can always create an "admin" group by doing:    groupadd admin
Run visudo to add lines like this to the sudoers file....

# Allow members of the admin group to gain root privileges
%admin ALL=(ALL) ALL

And again, at a command line:    gpasswd -a <user> admin


The advantages of giving them the Root password or using SUDO instead of creating another account
with UID 0 are...

(1) They will clearly log in as themselves -- the logs will clearly show who logged in, and when you view
logged-in users, you will be able to tell how they got in.

(2) If you use "SU", you can in fact disable direct root login; since users must log in as a regular user first,
they must know two passwords to get root access over a shell.
If you use "SUDO", in advanced configurations, you can in fact select which commands can be run;
normally each command would be logged too, unless they did something like "sudo /bin/bash".

(3) By using either SU or SUDO, the user will log in as a normal user at first; if the task they're about to
run doesn't require root privileges -- they don't have to enable the privileges, which reduces unnecessary
risk to the system.

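A check for the pattern Mysidia describes, added here as an example and not part of the thread: parse passwd(5)/shadow(5)-style text, list every UID 0 account in file order, and flag those whose password is still usable. The sample lines are constructed; on a real host you would feed it the contents of /etc/passwd and /etc/shadow.

```python
# Constructed sample data (not from a real host); xyz is the UID 0 / GID 520 user from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xyz:x:0:520:XYZ admin:/home/xyz:/bin/bash
kecoak:x:1000:1000::/home/kecoak:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:17000:0:99999:7:::
xyz:$6$constructedsalt$constructedhash:17000:0:99999:7:::
kecoak:!:17000:0:99999:7:::
"""

def parse_passwd(text: str) -> list[dict]:
    """Split passwd(5) lines into name/uid/gid/shell; skip blanks, comments and malformed lines."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if not line or line.startswith("#") or len(f) < 7:
            continue
        users.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "shell": f[6]})
    return users

def locked_accounts(shadow_text: str) -> set[str]:
    """Names whose shadow(5) password field is '*' or starts with '!' (no password login)."""
    locked = set()
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and (f[1] == "*" or f[1].startswith("!")):
            locked.add(f[0])
    return locked

def uid0_findings(passwd_text: str, shadow_text: str) -> list[str]:
    """One line per UID 0 account, in file order, saying whether its password is usable.

    A second UID 0 entry with a usable password is the pattern Mysidia calls a sure
    sign of compromise; "root" first with a *'ed password is the legitimate layout.
    """
    locked = locked_accounts(shadow_text)
    findings = []
    for u in parse_passwd(passwd_text):
        if u["uid"] == 0:
            state = "locked" if u["name"] in locked else "USABLE PASSWORD"
            findings.append(f"{u['name']}: uid=0 gid={u['gid']} shell={u['shell']} password={state}")
    return findings

if __name__ == "__main__":
    # Real host: uid0_findings(open("/etc/passwd").read(), open("/etc/shadow").read())
    print("\n".join(uid0_findings(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```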
 
LVL 3

Expert Comment

by:root_start
ID: 16675281
Hi kecoak,

Be careful when giving UID and GID as 0 because when you change this user's password, the root password will also be changed.

I would suggest you use "sudo"; it is more secure and you will have control of what each user is executing.

I hope it helps. =0)
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16675291
> Be careful when giving UID and GID as 0 because when you change this user's password, the root password will also be changed.
no!
yes, sometimes, somehow!

see my comment http:#16621924
 
LVL 3

Expert Comment

by:root_start
ID: 16675429
Sorry, but yes or no?

I have already had this problem.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16677185
> Sorry, but yes or no?
depends
As I said (see comment) it depends on the programs, hence I'd never recommend using 0 for anything else than root. It's a dirty hack for people who 101% know what they do and who 101% know what might happen.
 

Author Comment

by:kecoak
ID: 16682636

The advantages of giving them the Root password or using SUDO instead of creating another account
with UID 0 is...

(1) They will clearly log in as themselves -- the logs will clearly show who logged in, and when you view
logged-in users, you will be able to tell how they got in.
-----------------
I agree with this bit, but there is no point having good audit logs here, since if you were root you could modify the log files anyway? Therefore there is no accountability.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 16702475
> Therefore there is no accountability.
that's why SELinux has been mentioned already
other possibilities are grsecurity or AppArmor
 
LVL 23

Expert Comment

by:Mysidia
ID: 16702705
> I agree with this bit, but there is no point having good audit logs in here since if you were root you can modify the logs file anyway? Therefore there is no accountability.

False.

1. That root can modify the logs is no reason not to have them in the first place -- the fact that root CAN
modify them does not mean that root deliberately forges them.

Depending on the circumstances, the other root may not know about all the logging that is done.

Accountability is partly about having an idea and having information about what goes on normally,
when other roots are well behaved too.

2. A considerable effort would be required to modify the logs enough to make them useless.
3. Modifying the logs can itself leave a trail.
4. The logs could be stored on a different machine, or multiple backups could be made by the time the
other user could attempt to modify them.

--

Just because it is theoretically possible for someone to forge your signature on a document does not
make contracts and other such documents useless.

By the same token, just because it's possible for someone to maliciously forge, alter, or erase
a log entry does not make system logging useless.
