What is the ‘toor’ user on FreeBSD?

What is the ‘toor’ user on FreeBSD?

Linux and *BSD systems have by default a root user installed. As it has a user ID of zero (0), it gains the highest level of permissions from the kernel. On FreeBSD systems, there is also the ‘toor’ user, with the equal high-level user ID of zero. It is simply the reversed version of ‘root’, and installed as a backup account. By default, it has no shell assigned, so it can’t log in.

Screenshot of /etc/passwd file with toor user entry in it

The toor user shares the same ID as root

Why keep the toor user?

Some BSD users strongly suggest keeping the toor user, as it can be used during system recovery. Others actually use this user instead of root and apply hardening to the root user, so that is only can be used on the console.

Tip: be careful with using bash or other shells on your high-privilege users. If the upgrade of such shell fails, you might be locked out. For that reason, it might be good to keep it at the default C shell.

Is there a good reason to remove it?

If you don’t use the toor user at all, simply remove it. A healthy security mantra says: everything unused should preferably be removed from the system. This helps to reduce the so-called attack surface of a system. Use vipw to edit your password file and remove the related entry.

Conclusion

The toor user is a piece of history on FreeBSD systems. Some people like it, others think it is unneeded. If you don’t use it, simply remove it.

 

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.