Re: Solaris, Sudo, and locking the root account

From: Blair Barrett (bbarrett@nyis.net)
Date: 09/29/01


Date: Fri, 28 Sep 2001 21:15:05 -0400
From: "Blair Barrett" <bbarrett@nyis.net>
To: focus-sun@securityfocus.com
Subject: Re: Solaris, Sudo, and locking the root account
Message-ID: <GKEGT500.D03@mta01.nyis.net>

I tried locking the root account. I could still log in from the console
in single user mode, text mode, and using CDE. It didn't make any
difference.

I normally remove the setuid bit from /bin/su and /usr/bin/su (chmod 500
allows only the owner (root) to execute su). Then edit /etc/sudoers and
set up access to /bin/su for members of the sysadmin and/or some
other group and/or specific accounts. Be careful with machines connected
to the Internet, especially if you aren't using SSH, due to passwords
being transmitted in clear text.

Cheers!
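
An added example, not part of the original post: a small audit of the setup the message describes, confirming that an su binary has lost its setuid bit and grants nothing to group or other, and listing the sudoers rules that name it. The function names `check_su_mode` and `sudoers_su_rules` are hypothetical, and the sudoers match is a simple token comparison rather than a full sudoers parser.

```shell
#!/bin/sh
# Added example: audit the "su without setuid, reached only through sudo" setup.

# check_su_mode PATH
#   returns 0 if PATH has no setuid bit and grants nothing to group/other
#   (for example mode 500), 1 if it is looser, 2 if it cannot be examined.
check_su_mode() {
    # -L follows symlinks so a linked directory is judged by the real file.
    mode=$(ls -ldL "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$mode" ] || { echo "$1: cannot examine"; return 2; }
    case "$mode" in
        ???[sS]*)    echo "$1: setuid bit still set ($mode)"; return 1 ;;
        ????------*) return 0 ;;
        *)           echo "$1: group/other still have access ($mode)"; return 1 ;;
    esac
}

# sudoers_su_rules FILE SU_PATH
#   prints the non-comment lines of FILE in which SU_PATH appears as a whole
#   token, so /bin/su does not match /bin/sudoedit; returns 0 if any was found.
sudoers_su_rules() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        {
            n = split($0, tok, /[ \t,=:]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == p) { print; found = 1; break }
        }
        END { exit !found }' "$1"
}

# When paths are given on the command line, check each one.
for f in "$@"; do
    check_su_mode "$f"
done
```

The sudoers lines it prints still need a human read to confirm that only the intended groups and accounts are listed.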


