[BlueOnyx:23720] Re: user root-admin on 5210R

Michael Stauber mstauber at blueonyx.it
Thu Mar 5 13:45:11 -05 2020 

Hi Maurice,

> On both 5209R and 5210R I see a user-account 'root-admin'. I believe
> this is something for blueonyx?
> 
> On 5209R, in /etc/shadow the password hash of this user is the same as
> for the user root.
> On 5210R however, this user seems to be without password (no hash in
> /etc/shadow)
> This remains so even after changing the admin password in the gui.
> 
> Is this correct?

Yes, this is all correct. The user "root-admin" is there by default and
depending on the amount of created "Server Administrator" accounts you
will see more of them. I think this is called "masked accounts". The
naming convention for these accounts is root-<real-user-name>.

Here is an example from one of my test-boxes:

[root at xxxx ~]# cat /etc/passwd|grep root
root:x:0:0:root:/root:/bin/bash
root-admin:x:0:0::/root:/bin/bash
root-mstauber:x:0:0::/root:/bin/bash
root-alter-admin:0:0::/root:/bin/bash

As you can see there: They all use /root as their home directory, too,
and re-use the UID 0 and GID 0.

This server has the "Server Administrator" 'mstauber', who has
root-access and shell access privileges. Hence he gets his
'root-mstauber' accomplice as well.

The "alter-admin" and "root-alter-admin" are created when you send a
"Support Request" via the GUI and tick the checkbox "Allow Access". That
then creates the "alter-admin" account with a randomized password and
grants him server-administrator and root-access privileges. The account
automatically deletes after a specified amount of time.

The whole setup for this goes back to the Cobalt RaQ and Qube days and
solves the issue of how a server owner can share root privileges with
selected few other trusted individuals. Without having to give them the
actual "root" password itself. Linux has several ways to solve this
conundrum and this is just one form of it.

Take the support user "alter-admin" for example. He logs in with the
password from the support ticket. That password is completely different
from the "admin" or "root" password that only the server owner has.

Once in the box, user "alter-admin" is relatively unprivileged. He
cannot use "sudo", as no privileges have been set up for him.

The command "su" to elevate or change his privileges requires
credentials of the target account he wants to switch to. So if he tries
"su root", he *would* need to know the "root"-password. Which he doesn't
know.

But he can become root by using "su root-alter-admin" and entering his
*own* password. Once done so the effective UID and GID will be reported
as '0' and for all practical purposes the user is then "root".

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list