disabling root and olpc passwords

[Albert Cahalan]

Bernardo Innocenti writes:
> Albert Cahalan wrote:
>> Bernardo Innocenti writes:
>>
>>> What we're actually doing is just to disable them in the
>>> default installation so that malicious activities cannot
>>> login as root or olpc and basically own the system.
>>
>> This is NOT needed at all.
>>
>> I wrote and tested an /etc/pam.d/su modification that will
>> prohibit all non-wheel users from getting su to work.
>
> What use is it if an application can login, su or sudo as
> user olpc with no password and _then_ su to root?

No use, but the application can't do that, so the point is moot.

That rule will block an "su" to/from any UID. Note that I
did not use pam_wheel, which fails to protect user "olpc".
I used pam_succeed_if to require the wheel group.

This is even easier:

chown root:wheel /bin/su
chmod 4550 /bin/su