Re: Solaris, Sudo, and locking the root account

From: Blair Barrett (bbarrett@nyis.net)
Date: 09/29/01


Date: Fri, 28 Sep 2001 21:15:05 -0400
From: "Blair Barrett" <bbarrett@nyis.net>
To: focus-sun@securityfocus.com
Subject: Re: Solaris, Sudo, and locking the root account
Message-ID: <GKEGT500.D03@mta01.nyis.net>

I tried locking the root account. I could still log in from the console
in single user mode, text mode, and using CDE. It didn't make any
difference.

I normally remove the setuid bit from /bin/su and /usr/bin/su (chmod 500
allows only the owner (root) to execute su). Then edit /etc/sudoers and
set up access to the /bin/su to members of the sysadmin and/or some
other group and/or specific accounts. Be careful with machines connected
to the Internet especially if you aren't using SSH due to passwords
being transmitted in clear text.

Cheers!