disabling root and olpc passwords
Albert Cahalan
acahalan at gmail.com
Sun Jan 13 20:45:50 EST 2008
Bernardo Innocenti writes:
> Albert Cahalan wrote:
>> Bernardo Innocenti writes:
>>
>>> What we're actually doing is just to disable them in the
>>> default installation so that malicious activities cannot
>>> login as root or olpc and basically own the system.
>>
>> This is NOT needed at all.
>>
>> I wrote and tested an /etc/pam.d/su modification that will
>> prohibit all non-wheel users from getting su to work.
>
> What use is it if an application can login, su or sudo as
> user olpc with no password and _then_ su to root?
No use, but the application can't do that, so the point is moot.
That rule will block an "su" to/from any UID. Note that I
did not use pam_wheel, which fails to protect user "olpc".
I used pam_succeed_if to require the wheel group.
This is even easier:
chown root:wheel /bin/su
chmod 4550 /bin/su
More information about the Devel
mailing list