[Novalug] RHEL question RE service start configuration

Dan Lavu dan@lavu.net
Sun Mar 4 12:59:39 EST 2012


Jay,

There are two major reasons why you should not directly log in as root. Through SSH, you do not want to send *the* password across the network if you do not have to. The other reason: root is the super power; administrators could inadvertently change something, and are susceptible to scripts and viruses if they were idly working and browsing the web. You should only use root when you need to change something. 

Maybe it's old-school thinking, but I would suggest learning the system through the shell until you get comfortable with it. Understanding the location of the files and how it is structured is priceless. Also, xorg is extra overhead on a server *grin*. 

To help you along, read up on PAM (Pluggable Authentication Modules; it can be a pretty heavy read). This permits you to change the authentication method, whether it be a flat db file, shadow passwords (default), LDAP, host restrictions, pretty much anything you can think of. You can find the config files in /etc/pam.d/; each one of those files is a service or command that needs to have access granted, e.g. reboot (you don't want just any user with the ability to reboot the box, right?). 

Last thing, I really hope this is helping, but you have two major methods to get to root after you log in as a regular user. If you are using the GUI, like a workstation, and you need root permissions, the system will just prompt you for the password. If you are administering a machine you have the following: 'sudo' and 'su'. I know you added yourself to the wheel group, but now, with PAM, check out /etc/pam.d/su:  

# Uncomment the following line to require a user to be in the "wheel" group.
auth		required	pam_wheel.so use_uid

sudo is quite a bit better, because you have more control: you can give a specific user the ability to run X command as root. Just type in 'visudo' and have a ball; again, I hope this helps. Oh yeah, there is another PAM module that allows you to use /etc/security/access.conf to restrict users connecting through ssh and tty, so you can have a little more control than just /etc/securetty.

Dan

-----Original Message-----
From: novalug-bounces@calypso.tux.org [mailto:novalug-bounces@calypso.tux.org] On Behalf Of Peter Larsen
Sent: Sunday, March 04, 2012 12:13 PM
To: Jay Hart
Cc: novalug@calypso.tux.org; John Holland
Subject: Re: [Novalug] RHEL question RE service start configuration

On Sun, 2012-03-04 at 11:55 -0500, Jay Hart wrote: 
> <BIG SNIP>
> >
> > Root login should be denied on all boxes. Maybe with the exception 
> > of console login you NEVER EVER need to login as root.
> >
> 
> I've never done this before. How do you do this???

To allow console login, the tty must be listed in /etc/securetty. Remove your pty devices from there, and root cannot log in.

For SSH you have a setting, PermitRootLogin; set that to "no" and root cannot log in via ssh. Another common security feature is to turn off password logins completely for ssh.

In addition, you should look at pam. "pam_rootok" can be set or unset to ensure that a service does not allow root login.

This leads you down a road where you can enforce several other security features with PAM, and finally wrap it up with SELinux to ensure that daemons that do get elevated on boot, like httpd, get a sandbox they cannot break out of (for vsftp, httpd, postfix, etc. this is the default on Fedora/RHEL/CentOS).

> 
> Jay
> 
> >>
> >> Jay
> >>
> >> _______________________________________________
> >> Novalug mailing list
> >> Novalug@calypso.tux.org
> >> http://calypso.tux.org/mailman/listinfo/novalug
> >
> >
> > --
> > Best Regards
> >   Peter Larsen
> >
> > Wise words of the day:
> > No, that's wrong too.  Now there's a race condition between the rm 
> > and the mv.  Hmm, I need more coffee.
> > 	-- Guy Maor on Debian Bug#25228
> >
> 


--
Best Regards
  Peter Larsen

Wise words of the day:
Hey, what do you expect from a culture that *drives* on *parkways* and
*parks* on *driveways*?
		-- Gallagher
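The root-login controls from both messages (Peter's /etc/securetty, PermitRootLogin and password-login points, and Dan's pam_wheel line for /etc/pam.d/su), as an added shell audit that is not part of this thread. It runs against sample config files it constructs itself; the file layouts follow what RHEL 6 ships, but the contents are made up, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): audit the root-login controls the
# two messages describe against sample config files constructed below.
# Point the functions at the real files under /etc to audit a RHEL/CentOS box;
# the sample contents are made up, though the layout follows what RHEL 6 ships.

# sshd honours the FIRST value of a keyword and ignores later repeats, so a
# "PermitRootLogin no" appended below an earlier "yes" changes nothing. We stop
# at the first Match block because values inside it are conditional. Prints the
# effective global value, or "unset" if the keyword never appears.
sshd_global() {            # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }                        # drop indentation
        /^#/ || $0 == "" { next }                     # comments and blank lines
        { split($0, f, /[ \t=]+/) }                   # "Key value" or "Key=value"
        tolower(f[1]) == "match"        { exit }
        tolower(f[1]) == tolower(key)   { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# pam_securetty (used by login and the "remote" service, not by sshd) lets root
# in only on ttys listed in /etc/securetty. Counts the listed entries that name
# pseudo-terminals, i.e. the ones Peter suggests removing.
securetty_pty_count() {    # $1 = securetty path
    grep -cE '^[[:space:]]*(pts/|ptmx|ttyp)' "$1" || true
}

# /etc/pam.d/su: the restriction Dan quotes is an uncommented
#     auth  required  pam_wheel.so use_uid
# line, which RHEL ships commented out; until it is enabled, being in wheel
# changes nothing for su. A "sufficient pam_wheel.so trust" line is a different
# thing (wheel members su WITHOUT a password) and is not the restriction.
# Prints "restricted", "trust-only" or "open". Bracketed [..] control values
# are not parsed here.
su_wheel_policy() {        # $1 = /etc/pam.d/su path
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auth" && $3 == "pam_wheel.so" {
            if ($2 == "required" || $2 == "requisite") req = 1
            else if ($2 == "sufficient") suf = 1
        }
        END { print (req ? "restricted" : (suf ? "trust-only" : "open")) }' "$1"
}

# One finding per line; nothing printed means the three controls are in place.
audit() {                  # $1 = sshd_config, $2 = securetty, $3 = pam.d/su
    prl=$(sshd_global PermitRootLogin "$1")
    [ "$prl" = no ] || echo "sshd: PermitRootLogin is '$prl', want no"
    [ "$(sshd_global PasswordAuthentication "$1")" = no ] ||
        echo "sshd: password logins still enabled (keys only is safer)"
    n=$(securetty_pty_count "$2")
    [ "$n" -eq 0 ] || echo "securetty: $n pseudo-tty entries let root log in"
    pol=$(su_wheel_policy "$3")
    [ "$pol" = restricted ] || echo "pam.d/su: pam_wheel restriction not enabled (policy: $pol)"
}
findings_count() { audit "$@" | grep -c ''; }

# --- constructed sample files (not from any real host) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.bad" <<'EOF'
# root allowed; the trailing "no" is ignored by sshd (first match wins)
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$TMP/sshd_config.good" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
printf 'console\ntty1\ntty2\npts/0\npts/1\n' > "$TMP/securetty.bad"
printf 'console\ntty1\ntty2\n'               > "$TMP/securetty.good"
cat > "$TMP/su.shipped" <<'EOF'
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		include		system-auth
EOF
# the hardened variant is the shipped file with the restriction line uncommented
sed 's/^#auth\(.*pam_wheel.so use_uid\)/auth\1/' "$TMP/su.shipped" > "$TMP/su.restricted"

echo "== shipped defaults =="; audit "$TMP/sshd_config.bad"  "$TMP/securetty.bad"  "$TMP/su.shipped"
echo "== hardened ==";         audit "$TMP/sshd_config.good" "$TMP/securetty.good" "$TMP/su.restricted"
```

The "bad" sshd_config is built to show the first-match trap: appending `PermitRootLogin no` under an existing `yes` leaves root login enabled. On a live host the authoritative check for sshd is `sshd -T`, which prints the effective configuration after parsing; the sudoers side of Dan's advice (visudo) is not covered here.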