Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #33 - True or False: The only superuser account that can exist on a Linux system is the "root" account.

Oct 8, 2022 · 3:02 PM UTC

Trivia Answer #33 - False. Any account with UID 0 has superuser privileges, and multiple accounts with the same UID are allowed. Attackers will sometimes create additional UID 0 accounts (or change the UID of an existing account) as a back door.
Shout outs to @DfirNotes, @Jim_Hendrick, and especially to my fellow IRIX sufferer @clarkgaylord
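The check that Trivia Answer #33 points to, as an added example that is not part of the original thread: list every UID 0 account in a passwd-format file and every UID shared by more than one name. The sample entries (including `toor` and `svc_backup`) and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for extra UID 0 accounts.

# Constructed sample data; "toor" and "svc_backup" are made-up back-door entries.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc_backup:x:00:0:backup:/var/backups:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
}

# Print every account name whose UID field is numerically 0.
# The numeric compare means a zero-padded value such as "00" is reported too.
uid0_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 7 && $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' "$1"
}

# UID 0 accounts under any name other than "root".
extra_uid0() {
    uid0_accounts "$1" | grep -vx 'root' || true
}

# Print "uid:name1,name2,..." for every UID held by more than one account.
shared_uids() {
    awk -F: '$0 !~ /^#/ && NF >= 7 && $3 ~ /^[0-9]+$/ {
        uid = $3 + 0
        if (uid in names) names[uid] = names[uid] "," $1
        else names[uid] = $1
        count[uid]++
    }
    END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" |
        sort -t: -k1,1n
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "UID 0 accounts other than root:"
extra_uid0 "$tmp"
echo "UIDs shared by more than one account:"
shared_uids "$tmp"
rm -f "$tmp"
```

Each function takes the path of the file to audit, so it can be pointed at `/etc/passwd` on a live host or at the copy inside a mounted image.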
Replying to @hal_pomeranz
False, the root group has plenty of space
Replying to @hal_pomeranz
Oh gods. root is just a string. Any user in legacy passwd file with id 0 gets power, before we get to MAC / SELinux and capabilities options. And sudo/doas can grant power, good call out.
Replying to @hal_pomeranz
Remember the IRIX behavior of having several UID=0 accounts?
Replying to @hal_pomeranz
False. Any user (or group) can be granted CAP_SYS_ADMIN.
Odd things happen on a running system if there is no UID 0 in the password file. Ahem... so I've heard... :-). And as people have noted, you can have as many users with that (or any other) numeric id as you want.
Replying to @hal_pomeranz
False, other users can also perform administrative tasks through the sudo command and the root group