36

Chapter 4. Workstation Security

Method

Description

Effects

Does Not Effect

Changing Edit the

/etc/passwd

file

Prevents access to the root

Programs that do not

the root

and change the shell from

shell and logs the attempt.

require a shell, such as

shell.

/bin/bash

to

The following programs

FTP clients, mail clients,

/sbin/nologin

.

are prevented from

and many setuid

accessing the root

programs.

account:

The following programs

are not prevented from

login

accessing the root

gdm

account:

kdm

sudo

xdm

FTP clients

su

Email clients

ssh

scp

sftp

Disabling An empty

Prevents access to the root

Programs that do not log

root

/etc/securetty

file

account via the console or

in as root, but perform

access

prevents root login on any

the network. The

administrative tasks

via any

devices attached to the

following programs are

through through setuid or

console

computer.

prevented from accessing

other mechanisms.

device

the

The following programs

root account:

(tty).

are not prevented from

login

accessing the root

gdm

account:

kdm

su

xdm

Other network services

sudo

that open a tty

ssh

scp

sftp

Use PAM Edit the file for the target

Prevents root access to

Programs and services that

to limit

service in the

network services that are

are not PAM aware.

root

/etc/pam.d/

directory.

PAM aware.

access to

Make sure the

The following services are

services.

pam_listfile.so

is

prevented from accessing

required for authentication.

the

root account:

See Section 4.4.2.4 for

FTP clients

more details.

Email clients

login

gdm

kdm

xdm

ssh

scp

sftp

Any PAM aware services

Table 4 1. Methods of Disabling the Root Account

4.4.2.1. Disabling the Root Shell

If the administrator does not wish for users to log in directly as root, he can set the root account's shell

to

/sbin/nologin

in the

/etc/passwd

file. This will prevent access to the root account through

commands that require a shell, such as the

su

and the

ssh

commands.