[CentOS] Another Fedora decision

Valeri Galtsev galtsev at kicp.uchicago.edu
Wed Feb 4 16:51:29 UTC 2015


On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
> On 2015-02-04, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>> One might question why *nix distributions insist on providing a known
>> point of attack to begin with.  Why does user 0 have to be called root?
>> Why not beatlebailey, cinnamon or pasdecharge?
>
> That is more or less what OS X does.  User 0 still exists, and it's
> labelled as "root", but there is no way (unless the owner goes way out
> of his way) to actually log in as root.  The first account created is
> given full sudo access, and can choose to grant sudo to subsequently
> created users.

Which I consider almost as "security through obscurity" (I said "almost"!)

I'm neutral to sudo (even though I was taught "the smaller number of
SUID/SGID files you have, the better"). Yet, I consider it less safe
for a regular user, who can log in with a GUI interface and is likely to be
doing regular user stuff, to have almighty abilities. Yes, I know, I know
he has to prepend "sudo"... OK, this seems to be kind of a question of taste
in the majority opinion.

> (Users with sudo can still get a root shell, but that's
> not the same as logging in as root.)
>
> I thought Ubuntu did this as well, but I haven't installed Ubuntu for
> quite a while.  Anyone know?

Yes, Debian and its clones have a full-fledged root account, only with an empty
password hash (thus making it an account for which no password will match).
You can enable it by grabbing a root shell using sudo, then using the command
passwd to set a password. Voila.

And they are more or less neutral; they do not insist that having a disabled
root account adds to the security of the machine (which it doesn't) - as far as I
recollect reading their docs.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
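
Added example, not part of the original message: a small Python audit that reports the state of each account's password field in shadow(5) format, which is where a "disabled" root account of the kind discussed above shows up. The sample entries, account names and state labels are constructed for illustration; the classification follows shadow(5) semantics.

```python
import re

# Constructed sample entries in shadow(5) format, not from a real system.
SAMPLE_SHADOW = """\
root:!:16470:0:99999:7:::
daemon:*:16470:0:99999:7:::
alice:$6$c0nstructedsalt$Zm9vYmFyYmF6cXV4:16470:0:99999:7:::
bob:!$6$c0nstructedsalt$Zm9vYmFyYmF6cXV4:16470:0:99999:7:::
guest::16470:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$'.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # legacy 13-character DES crypt

def hash_scheme(s):
    """Return a scheme name if s looks like a crypt(3) hash, else None."""
    if s.startswith("$") and s.count("$") >= 2:
        return SCHEMES.get(s.split("$")[1], "unknown-scheme")
    if DES_RE.match(s):
        return "descrypt"
    return None

def classify_field(field):
    """Classify the second (password) field of a shadow entry."""
    if field == "":
        return "empty: no password required"
    scheme = hash_scheme(field)
    if scheme:
        return "password set (%s)" % scheme
    kept = hash_scheme(field.lstrip("!"))
    if field.startswith("!") and kept:
        # 'passwd -l' prefixes '!'; unlocking restores the old password.
        return "locked, hash kept (%s)" % kept
    return "no valid hash: no password matches"

def audit(text):
    """Map each account name in shadow-format text to its field state."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            result[parts[0]] = classify_field(parts[1])
    return result

if __name__ == "__main__":
    # Pass the contents of /etc/shadow (readable by root) instead of the sample.
    for user, state in audit(SAMPLE_SHADOW).items():
        print("%-8s %s" % (user, state))
```

Only the state is printed, never the hash itself, so the output can be kept in an audit log.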






