RE: Solaris, Sudo, and locking the root account

From: Leon Halford (leon.halford@btinternet.com)
Date: 09/28/01


From: "Leon Halford" <leon.halford@btinternet.com>
To: <focus-sun@securityfocus.com>
Subject: RE: Solaris, Sudo, and locking the root account
Date: Fri, 28 Sep 2001 19:24:46 +0100
Message-ID: <INECKKNFOEIGFDAADPCNIEMNCHAA.leon.halford@btinternet.com>

I personally wouldn't lock the root account for the very reasons
you suggest. Always leave the console available for emergency
root logins or maintenance (unless it is a workstation).

So, assuming the console is in a secure location,

Either:

Add a PAM module via /etc/pam.conf - a surefire method.

Different modules already exist on the net to either limit
usage of the su command to "wheel" or alternatively
restrict the login device to only "/dev/console" for any
login method listed in pam.conf - the latter being the best.
It's quite simple C code to restrict root access to the
console using the PAM framework if you're a programmer.

Or alternatively (if PAM isn't your scene):

set CONSOLE=/dev/console in /etc/default/login
chmod u-s /usr/bin/su
echo "root" >>/etc/ftpusers

You will then find it quite hard to become root on this machine
anywhere apart from the console.

-----Original Message-----
From: Gordon Ewasiuk [mailto:gewasiuk@gnmc.net]
Sent: 27 September 2001 18:27
To: focus-sun@securityfocus.com
Subject: Solaris, Sudo, and locking the root account

Hi All,

What is the general feeling towards locking the root account on Solaris
when using sudo? We use sudo on Solaris everywhere and lock the root
account. This forces all users to sudo -s for a root shell - BUT - after
an abnormal shutdown, if a filesystem comes up dirty, it might need a
manual fsck pass. This, of course, requires the root password to enter
maint. mode.

I've got no problems booting from a CD, mounting the root FS, and
unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
when I explained it to him.

Is this a standard practice or making more trouble than it's worth?

TIA,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------
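
Added example, not part of either message above: a shell audit of the three settings listed in the reply (CONSOLE=/dev/console in /etc/default/login, no setuid bit on /usr/bin/su, root in /etc/ftpusers). The function names, the --run switch and the optional path prefix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original message): audit the three settings
# listed in the reply. The optional prefix argument is an assumption of this
# sketch, so the checks can run against a mounted copy or a constructed tree.

# /etc/default/login must carry an uncommented CONSOLE=/dev/console line.
check_console() {
    grep -q '^CONSOLE=/dev/console[[:space:]]*$' "$1/etc/default/login" 2>/dev/null
}

# /usr/bin/su must not have the setuid bit (a missing file also passes).
check_su_not_setuid() {
    [ ! -u "$1/usr/bin/su" ]
}

# /etc/ftpusers lists accounts denied FTP login; root must be one of them.
check_ftpusers() {
    grep -q '^root[[:space:]]*$' "$1/etc/ftpusers" 2>/dev/null
}

# Prints one line per failed check; returns the number of failures (0 = pass).
audit_console_only_root() {
    prefix=${1:-}
    fails=0
    check_console "$prefix" || {
        echo "FAIL: CONSOLE=/dev/console not set in $prefix/etc/default/login"
        fails=$((fails + 1))
    }
    check_su_not_setuid "$prefix" || {
        echo "FAIL: $prefix/usr/bin/su is setuid"
        fails=$((fails + 1))
    }
    check_ftpusers "$prefix" || {
        echo "FAIL: root not listed in $prefix/etc/ftpusers"
        fails=$((fails + 1))
    }
    return "$fails"
}

# Audit only when invoked with --run [prefix]; an empty prefix means "/".
if [ "${1:-}" = "--run" ]; then
    audit_console_only_root "${2:-}"
fi
```

A commented-out `#CONSOLE=/dev/console` line counts as a failure, since login ignores it.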


