# is it possible to delete root account?



## aquajar (Jun 16, 2021)

Is it possible to delete the root account on a FreeBSD system?

I have this virtual machine with FreeBSD on it. We can't su to it, but we can log in with our user account. As I was looking around, I noticed that `history` is missing.

/etc/passwd contains 3 user accounts: 2 users created by us and another account called toor. The rest of the default accounts are gone as well, and /bin/su is gone too.

That is why I'm asking: is it possible to delete the root account?

We tried to log in as root and no, we can't; it says something about an authentication error.


----------



## Jose (Jun 16, 2021)

It might be possible, but I doubt the system would be usable afterwards. I think what you really want to do is reset the root password. Do you have access to the console? If so, you can boot into single user mode and reset the password for root. Step-by-step instructions at the end of this page:





Recover FreeBSD root access when you forgot the password (www.techrepublic.com): "Losing your root password is not necessarily the end of the world. Single User Mode offers the solution to a lost root password."


----------



## aquajar (Jun 16, 2021)

Jose said:


> It might be possible, but I doubt the system would be usable afterwards. I think what you really want to do is reset the root password. Do you have access to the console? If so, you can boot into single user mode and reset the password for root. Step-by-step instructions at the end of this page:
> 
> 
> 
> ...


Hi, thanks for the reply. I actually did that as well, but I wasn't able to change its password; it really seems that the root account is gone. I can change the password of the 3 users in my /etc/passwd but not root's. I did this in single user mode.


----------



## jmos (Jun 16, 2021)

aquajar said:


> also /bin/su is gone.


/bin/su isn't gone - it never existed. But /usr/bin/su should exist. Also note that a default user cannot su to root - only users of the group "wheel" are allowed to switch to root.


----------



## aquajar (Jun 16, 2021)

jmos said:


> /bin/su isn't gone - it never existed. But /usr/bin/su should exist. Also note that a default user cannot su to root - only users of the group "wheel" are allowed to switch to root.


Oh I see, so that was never gone.

And yes, I understand that a regular user should be in wheel, and yes, 2 of the accounts that I created are part of wheel. The thing is, we were able to use su before without any problem, and then after we logged out and tried to log in again after 2 hrs we can't su any more.


----------



## richardtoohey2 (Jun 16, 2021)

toor is a recovery account - it’s root backwards. Not sure how it is used, but have a look around the forums e.g. https://forums.freebsd.org/threads/can-toor-be-removed-entirely-and-if-so-how-can-i-remove-it.66894/


----------



## Argentum (Jun 16, 2021)

richardtoohey2 said:


> toor is a recovery account - it’s root backwards. Not sure how it is used, but have a look around the forums e.g. https://forums.freebsd.org/threads/can-toor-be-removed-entirely-and-if-so-how-can-i-remove-it.66894/


I have used it on servers over time as a backup for root with strong password stored somewhere safely.


----------



## Deleted member 30996 (Jun 16, 2021)

richardtoohey2 said:


> toor is a recovery account - it’s root backwards. Not sure how it is used, but have a look around the forums...


I use the `pw userdel toor` command in the thread you referenced.


----------



## covacat (Jun 16, 2021)

most VM providers give you console access so you can boot in single user mode and fix it


----------



## zirias@ (Jun 16, 2021)

richardtoohey2 said:


> toor is a recovery account - it’s root backwards. Not sure how it is used


`passwd toor` to set a password, then it can be used.

A common usage scenario of having two superuser accounts is that one can use a non-base shell without risk to get locked out of the system, as long as the other still uses a shell from base.

In fact, it's not _really_ a second account (same uid 0), but just a second configuration (name, password, shell, ...) of the same account.


----------



## covacat (Jun 16, 2021)

Zirias said:


> `passwd toor` to set a password, then it can be used.


needs a /etc/shells shell too


----------



## Alain De Vos (Jun 16, 2021)

I use toor for recovery. The shell of root I have set to zsh.


----------



## fbsd_ (Jun 16, 2021)

aquajar said:


> is it possible to delete root account on a freebsd system?
> 
> I have this virtual machine with freebsd on it. We can't su to it but we can login with out user account. as I was looking around. I notice that `history` is missing
> 
> ...


Which FreeBSD version are you using?


----------



## olli@ (Jun 16, 2021)

The “toor” account exists purely for historic reasons. In my opinion it should be removed, but that would probably hurt the feelings of BSD oldtimers.

Actually, the reason why the toor account was created is because – in ancient times – some admins preferred the bourne shell, while the C shell was the default login shell for the root account. So the toor account was created, with the bourne shell as its login shell. This is (was) the only difference; both root and toor have the UID 0, so they both have the same privileges.

Today, the login shell of the root (and toor) account is rather meaningless, because you should never log in as root directly. You can safely set root’s login shell to /usr/sbin/nologin and disable the password (set it to “*”), unless you have set the console to “insecure” in /etc/ttys (in this case you need the root password for single-user mode). If you need root privileges, use sudo(1), super(1) or a similar security tool, or open a root shell with “su -m”. If you need to recover in emergency situations, boot in single user mode – In this case, init(8) will ask you for the shell (the default here is /bin/sh). The login shell setting in /etc/passwd is ignored.

Removing the root account completely is probably not a good idea, because it would break all kinds of things. It _might_ be possible to remove it from certain jails, provided that there are no scripts and other things inside the jail that expect a user “root” to be present. Note that, even if you remove the root account, there still can be processes running with root privileges (i.e. with UID 0) and files belonging to UID 0. You just can’t resolve the relationship between name “root” and UID 0 anymore. Although, there might be programs that have root = UID 0 hardcoded so they recognize it even if you remove the account.


----------



## aquajar (Jun 16, 2021)

fbsd_ said:


> Which FreeBSD version are you using?


FreeBSD 13

I also have no plan to delete root. I was surprised that when we logged in to that VPS we couldn't `su` anymore; we normally can su after logging in to a user account. Even running the command `history` is no longer available to us. I asked this question to find out if it is possible, and it looks like it is possible, because we can't log in to the root account anymore, even in single-user mode; we end up with the toor account and not root. So I ended up setting a password for toor so we can use it and investigate what happened. We think the VPS possibly got hacked.


----------



## Argentum (Jun 17, 2021)

aquajar said:


> anymore, we normally can su after logging in to a user account. and even running the command `history` is no longer available to us. I ask this question if it is possible and it looks like it is possible. because we can't login to the root account anymore, even doing it with single-user mode. we end up with toor account and not root anymore. So yeah I end up setting up a password for toor so we can used it and investigate what happen. we are thinking that the


And check `grep wheel /etc/group` to see if your user is in the wheel group.


----------



## fbsd_ (Jun 17, 2021)

aquajar said:


> freebsd 13
> 
> I also have no plan on deleting the root, I was surprised that when we login to that vps we can't `su` anymore, we normally can su after logging in to a user account. and even running the command `history` is no longer available to us. I ask this question if it is possible and it looks like it is possible. because we can't login to the root account anymore, even doing it with single-user mode. we end up with toor account and not root anymore. So yeah I end up setting up a password for toor so we can used it and investigate what happen. we are thinking that the vps is possibly got hacked.


Well, the best way to fix something that happens to a VM or PC is re-installing the OS, but I see you guys are using a VPS, so maybe you can ask your VPS provider to reset it, and if you have some important files in it they can rescue them on runtime if encrypted or at runtime or closed if not encrypted. Whatever, I'm not sure there are hackers hacking that perfectly and then removing important things. Did you guys set up a great SSH password? Great other passwords? They can crack them with a brute force attack very easily... And if it's hacked, they could have changed the SSH and that kind of passwords too. su and sudo work if your user account is added to the wheel group. You can try to boot your system in single user mode, if the VPS provider allows something like that, for securing your data and adding the user to wheel if not.

Or if you wanna play this game crazy, you can wait for local root exploits on FreeBSD 13. They already found some exploits for FreeBSD 12.1. People are trying to exploit FreeBSD for Netflix and PlayStations. They both use FreeBSD.

You can mount your drive in single user mode. You can take a look at this thread for adding the wheel group with a shell with root permissions:

[INFO] How to avoid from (su: Sorry) error or "message" (forums.freebsd.org): "THERE IS THE COMMAND: sudo pw group mod wheel -m !username_here!"

At the end:
-> Make sure your user account is added to the wheel group on setup.
-> If you have data to recover, try to boot in single user mode. It must stop SSH, but it opens a shell and lets you change any root and normal file.
-> If you have data to recover, contact your VPS provider or wait for root exploits.
-> If you don't have data to recover, contact your VPS provider about formatting your PC, or do it yourself if the VPS provider gives an admin panel to do something like that.

Good luck


----------



## rawthey (Jun 17, 2021)

aquajar said:


> even doing it with single-user mode. we end up with toor account and not root anymore..


So it looks like user 0 exists but there's nothing linking it to a username of 'root'.

Try `grep root /etc/passwd /etc/master.passwd` to check that the entries for root are correct. If they look OK run `/usr/sbin/pwd_mkdb -p /etc/master.passwd` to recreate the password database in case it has been corrupted.

If that doesn't fix the problem try `/usr/sbin/vipw` to correct or add the details for root.


----------



## covacat (Jun 17, 2021)

check /var/backups for a previous version of master.passwd


----------



## SirDice (Jun 17, 2021)

Both /etc/passwd and /etc/master.passwd can be generated from information in /etc/spwd.db. See pwd_mkdb(8).


----------
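
The checks suggested in the last few replies (is there still a `root` name for UID 0, which accounts disappeared relative to an older copy of master.passwd, does each UID 0 account have a shell listed in /etc/shells), as an added example that is not part of any post in this thread. The function names and the sample files are constructed for illustration.

```sh
# Added example (not from the thread): audit passwd-format files. Field 1 = name,
# field 3 = UID, last field = shell in both /etc/passwd and /etc/master.passwd.

# uid0_accounts FILE: print every account name that has UID 0
uid0_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $3 == 0 { print $1 }' "$1"
}

# has_root FILE: succeed only if a "root" entry with UID 0 exists
has_root() {
    awk -F: '$1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }' "$1"
}

# removed_accounts OLD NEW: print names present in OLD but missing from NEW
removed_accounts() {
    awk -F: '/^#/ || NF < 7 { next }
             NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "$2" "$1"
}

# uid0_bad_shell FILE SHELLS: print UID 0 accounts whose login shell is not
# listed in SHELLS (an empty shell field means /bin/sh)
uid0_bad_shell() {
    awk -F: 'NR == FNR { if ($0 ~ /^\//) ok[$0] = 1; next }
             !/^#/ && NF >= 7 && $3 == 0 {
                 sh = ($NF == "" ? "/bin/sh" : $NF)
                 if (!(sh in ok)) print $1 ":" sh
             }' "$2" "$1"
}

# Constructed sample data mirroring the thread: root and system accounts gone.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/old" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
cat > "$tmp/new" <<'EOF'
toor:*:0:0::0:0:Bourne-again Superuser:/root:/usr/local/bin/zsh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
printf '/bin/sh\n/bin/csh\n' > "$tmp/shells"

echo "UID 0 accounts: $(uid0_accounts "$tmp/new" | tr '\n' ' ')"
has_root "$tmp/new" || echo "WARNING: no root entry with UID 0"
echo "Removed since backup: $(removed_accounts "$tmp/old" "$tmp/new" | tr '\n' ' ')"
echo "UID 0 with unlisted shell: $(uid0_bad_shell "$tmp/new" "$tmp/shells")"
```

On a live system, run the functions as root against /etc/master.passwd, a previous copy from /var/backups, and /etc/shells instead of the sample files.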

