How to create a new superuser in Linux

May 17, 2011
The administrative account ‘root’ is the most powerful user on Linux and Unix systems. It is created by default when the operating system is installed. Most security consultants will recommend that the root account be deleted or renamed, so that an attacker cannot simply assume that ‘root’ is a valid user account name.

Before you delete or rename the root account, it is important that you first create a new account with the same privileges as root: a new superuser account. I will explain the steps to create a new superuser account on Red Hat Linux. The steps are similar for CentOS, Fedora and most other variants of Linux.

Let’s begin by checking the characteristics of the root account.

# id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

uid=0(root): root has a user id of 0.
gid=0(root): the primary group id is 0.
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel): these are the groups root belongs to. The numbers are the group ids, e.g. disk has a group id of 6.

To create a new superuser, it must have the same uid, gid and belong to the same groups as the root account.

You can create a new superuser account using the adduser command.

# adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M andrew

-u 0 -o: sets the uid to 0; -o permits a non-unique uid, which is required because root already has uid 0.
-g 0: sets the gid to 0.
-G 0,1,2,3,4,6,10: sets the supplementary group membership to 0 = root, 1 = bin, 2 = daemon, 3 = sys, 4 = adm, 6 = disk and 10 = wheel.
-M: do not create a home directory.
andrew: the new user account name.

Create a password for the new account.

# passwd andrew
Changing password for user andrew:
New UNIX password:
Retype new UNIX password:
Passwd: all authentication tokens updated successfully.
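As an added check (example code written for this page, not the article's own commands and not part of any tool it names), the following POSIX shell functions parse a passwd-format file and list every account whose uid is 0, plus any account whose primary gid is 0 without a matching uid. Run after the steps above, they confirm the new account was recorded as intended and show how many uid-0 accounts the system now has, which is what an auditor checks. The file path is a parameter so the functions can be demonstrated against a constructed sample; with no argument they read /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file
# for superuser accounts. With no argument the functions read /etc/passwd;
# the path parameter lets them run against a constructed sample.

# Print every account name whose uid (field 3) is 0.
# passwd fields: name:password:uid:gid:gecos:home:shell
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Print accounts whose primary gid is 0 but whose uid is not: the article
# sets both to 0, so a gid-0-only entry is a half-applied change.
gid0_only_accounts() {
    awk -F: '$4 == 0 && $3 != 0 { print $1 }' "${1:-/etc/passwd}"
}

# Succeed only if root is the sole uid-0 account; this is the state an
# auditor expects before any extra superuser has been added.
only_root_has_uid0() {
    [ "$(uid0_accounts "${1:-/etc/passwd}" | grep -vcx root)" -eq 0 ]
}

# Constructed sample data (not a real system's /etc/passwd).
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
andrew:x:0:0::/home/andrew:/bin/bash
bob:x:501:0::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
EOF

echo "uid 0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
echo "gid 0 but not uid 0:"
gid0_only_accounts "$SAMPLE_PASSWD"
if only_root_has_uid0 "$SAMPLE_PASSWD"; then
    echo "only root has uid 0"
else
    echo "additional uid 0 accounts exist"
fi
```

On the sample data the first function lists root and andrew, the second lists bob, and the final check fails because a second uid-0 account exists; against the real /etc/passwd, run it with no argument.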

What if you want to promote an existing user to superuser? Then you will need to edit two files, /etc/passwd and /etc/group.

Open /etc/passwd in the vi editor and change the uid and gid for andrew to 0.

andrew:x:0:0::/home/andrew:/bin/bash

Edit /etc/group and add andrew to the groups root, bin, daemon, sys, adm, disk and wheel.

root:x:0:root,andrew
bin:x:1:root,bin,daemon,andrew
daemon:x:2:root,bin,daemon,andrew
sys:x:3:root,bin,adm,andrew
adm:x:4:root,adm,daemon,andrew
disk:x:6:root,andrew
wheel:x:10:root,andrew

If the user account andrew has an existing home directory such as /home/andrew, you will need to change its ownership to root.

# chown root:root /home/andrew

Otherwise you will receive the following error message upon logging in.

User’s $HOME/.dmrc file is being ignored. This prevents the default session and language from being saved. File should be owned by user and have 644 permission. User $HOME directory must be owned by user and not writable by other users.

This is because the uid and gid for andrew have been changed to 0, the same as root, whereas /home/andrew still belongs to the original andrew account, which had a uid and gid of 500 or higher.
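To verify a hand-promoted account after editing the two files (added example code, not the article's own commands), the POSIX shell functions below parse a group-format file to find the groups root belongs to that the user does not, and check that the user's home directory is owned by the uid:gid the passwd file now records and is not writable by other users, the two conditions the .dmrc message describes. The file paths are parameters so the functions can be demonstrated on constructed samples; the sample passwd and group data, the temporary home directories and the user names carol and dave are constructed for this demonstration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original article: verify a hand-promoted
# account against root. Paths are parameters so the functions can be
# demonstrated on constructed sample files; on a real system they would be
# /etc/group and /etc/passwd. stat -c assumes GNU coreutils (Linux).

# Print, sorted, the groups in file $2 that list user $1 as a member.
# group fields: name:password:gid:member1,member2,...
member_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$2" | sort
}

# Print the groups root belongs to that user $1 does not; empty output
# means the memberships match.
missing_groups() {
    member_groups root "$2" > "$TMPD/root_groups"
    member_groups "$1" "$2" > "$TMPD/user_groups"
    comm -23 "$TMPD/root_groups" "$TMPD/user_groups"
}

# Report the home-directory problems behind the .dmrc message: the
# directory must be owned by the uid:gid that passwd file $2 now records
# for user $1, and must not be writable by other users. Empty output
# means both conditions hold.
home_problems() {
    expected="$(awk -F: -v u="$1" '$1 == u { print $3 ":" $4 }' "$2")"
    home="$(awk -F: -v u="$1" '$1 == u { print $6 }' "$2")"
    actual="$(stat -c '%u:%g' "$home")"
    [ "$actual" = "$expected" ] || echo "owner is $actual, passwd says $expected"
    [ -z "$(find "$home" -maxdepth 0 -perm -002)" ] || echo "world-writable"
}

# Constructed sample: temporary home directories owned by whoever runs
# this, and passwd entries that agree (carol, dave) or disagree (andrew,
# whose passwd uid/gid were changed, as they would be to 0 after a real
# promotion while the directory keeps its old owner).
TMPD="$(mktemp -d)"
mkdir -p "$TMPD/home/andrew" "$TMPD/home/carol" "$TMPD/home/dave"
chmod 755 "$TMPD/home/andrew" "$TMPD/home/carol"
chmod 777 "$TMPD/home/dave"
ME_UID="$(id -u)"; ME_GID="$(id -g)"
CHANGED_UID=$((ME_UID + 1))

cat > "$TMPD/group" <<'EOF'
root:x:0:root,andrew
bin:x:1:root,bin,daemon,andrew
daemon:x:2:root,bin,daemon,andrew
sys:x:3:root,bin,adm,andrew
adm:x:4:root,adm,daemon,andrew
disk:x:6:root,andrew
wheel:x:10:root,carol
EOF

printf '%s\n' \
    "root:x:0:0:root:/root:/bin/bash" \
    "andrew:x:$CHANGED_UID:$CHANGED_UID::$TMPD/home/andrew:/bin/bash" \
    "carol:x:$ME_UID:$ME_GID::$TMPD/home/carol:/bin/bash" \
    "dave:x:$ME_UID:$ME_GID::$TMPD/home/dave:/bin/bash" \
    > "$TMPD/passwd"

echo "groups root has that andrew lacks:"; missing_groups andrew "$TMPD/group"
echo "home problems for andrew:";          home_problems andrew "$TMPD/passwd"
echo "home problems for dave:";            home_problems dave "$TMPD/passwd"
```

In the sample, andrew was left out of wheel, so `missing_groups` prints `wheel`; his home is still owned by the old uid, so `home_problems` reports the owner mismatch that the chown above fixes; dave's directory is world-writable, the other condition the login message checks. On a real system call the functions with `/etc/group` and `/etc/passwd`.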
