Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Restricting Root Access

  1. #1

    Restricting Root Access

    Does anyone know what I have to do so that the only way to log on as root is to first login as a regular user and the use the 'su' command? I'm using Mandrake 8.2. Thanks.

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Depends on how you intend to let people log in.

    Traditionally, UNIX has a file /etc/securetty which lists ttys that root is allowed to log in on. On my mandrake box this lists tty1-6.

    However, this is unlikely to affect much as you're probably interested in disallowing root access from various network hosts instead. (securetty refers to ttys which historically corresponded to physical terminals)

    Any daemon which allows remote logins will typically have a config for doing this. Secure shell does in /etc/ssh/sshd_config you can put "PermitRootLogin no" to prevent remote root logins.

    Other protocols have their own - many have root logins disabled by default (I believe FTP typically doesn't allow root; samba denies root by default and telnet may as well)

    I would highly recommend that you continue to allow root logins on the system console, otherwise you could accidentally lock yourself out

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    243
    hehe that would kinda suck, that would be a good idea to allow that though, if you didn't lock yourself out like slarty said, I never thought of that! /me feels ingorant (joke).

    [EDIT] If you wanted to be malicious and gained root to a system and plained of destroying it, wouldn't that be a good way? Deleting all the files except the files required to login and changing this so you couldn't log in to root. [/EDIT]
    Search First Ask Second. www.google.com

  4. #4
    str34m3r
    Guest
    Even if you disallowed all root console access, you could always reboot the machine into run-level 1 to log in, because the system ignores the securetty file for runlevel 1.

  5. #5
    Originally posted here by str34m3r
    Even if you disallowed all root console access, you could always reboot the machine into run-level 1 to log in, because the system ignores the securetty file for runlevel 1.
    Unless you forget your LILO password...

    --Sudo

  6. #6
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    I believe if you install Mandrake at the "Very High" security level, root console login will be disabled by default. However, I don't recommend doing that because Mandrake is pretty dense - if you loosen any of the security settings to use the services you need, Mandrake will reset them to the defaults on the next reboot. Then you get into a configuration nightmare trying to figure out how to stop it.

    What I usually do on my Linux boxes is simply edit /etc/securetty and comment out everything except vc/1 so that root can only login once and only on 1 terminal, and then edit /etc/ssh/sshd_config to "PermitRootLogin no". I don't run any services except ssh unless I'm setting up a server, so that pretty much covers it.

    You might also want to think about enforcing the permissions of the "wheel" group so that only users who are members of that group will be able to su to root. Most Linux distros create the group, but don't enforce it so any user can su. A simple "chown root.wheel /bin/su" followed by "chmod o-x /bin/su" and "usermod -G wheel username" should do the trick on most distros.
    Do what you want with the girl, but leave me alone!

  7. #7
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Perhaps he wants to make sure you cannot log in as root at all with any service (ssh, telnet, ftp, etc..). I would think the easiest way to accomplish that is to * out the password for root in /etc/passwd or /etc/shadow -- just leave the account disabled as problem child mentioned. I don't really see a problem with this if you are using a root management tool like sudo. Just give yourself rights to change the password when necessary. No one would be able to login directly as root from any service, and your system should remain fairly tight. If it became an emergency, you could simply use sudo to change the password, or lower the init to 1 and reset the root passwd. There should already be accounts on your system similar to this. Look for system accounts like daemon or lp. They are setup the same way. Seems to me like this would be the easiest solution to accomplish what you want.
    /* You are not expected to understand this. */

  8. #8
    thats kind of like cisco ios does huh.... you have to use enable to get into privaledged exec mode so you can execute commands....i least i think thats what your getting at right?

  9. #9
    Thanks guys for your replies. I ended up editing /etc/securetty and etc/ssh/sshd_config. I didn't want to totally disallow root logins. I just wanted to know where I had to go to limit it. I do have a question about "wheel" group permissions. Is this the only way to limit who can use the su command?

  10. #10
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    As with most things in Linux, there's more than one way to skin a cat. It can also be done with either sudo or PAM in such a way that a user can su to another ordinary user, but not to root. I don't remember exactly how right off the top of my head, but a quick search on Google should turn it up.

    Here's my theory on root access (not that anybody asked :-). In my experience, physical security of the box is both simpler to effect and easier to verify by visual inspection, especially in a home or SOHO setting, than network security. For that reason, I disallow *all* remote logins for root and I don't add any users to the wheel group. The only way to be root on one of my boxes is to be sitting at the keyboard and do a console login.

    For administration purposes like applying patches and updates, I create a regular user and use sudo to grant just enough privilege to do the necessary tasks. The root account almost never gets used once the box is configured and running. In one case I actually created a user and made it root-equivalent so that root would *never* be used at all. If it's a very high security box like a firewall, you might even go so far as to fire off an e-mail every time somebody logs in as root - sort of like a booby trap on the root account.
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •