← Rules Catalog
highaccess-controlverified

Ensure root is the only GID 0 account

root-only-gid0 · RHEL ≥ 8 · 1 impl

Description

Only the root account should have GID 0 as its primary group. Other accounts with GID 0 have root group privileges.

Rationale

Having multiple accounts with GID 0 complicates accountability and may grant unintended root group access to files and resources.

Check → Remediate

Checkcommand
# Find accounts with GID 0 that are not root
gid0_users=$(awk -F: '$4 == 0 && $1 != "root" { print $1 }' /etc/passwd)
if [ -n "$gid0_users" ]; then
  echo "FAIL: Non-root accounts with GID 0: $gid0_users"
  exit 1
fi
echo "OK: Only root has GID 0"
exit 0
expected_exit:
0
Remediatemanual
note:
Change primary GID for non-root accounts with GID 0

Framework references

CIS

rhel9 5.4.2.2rhel8 5.4.2.2rhel10 5.4.2.2

NIST 800-53

AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#root#gid#accounts#privilege