<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">2014-04-02 20:12 GMT+02:00 Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On Wed, 2014-04-02 at 09:12 -0700, quickbooks office wrote:<br>
> [CHANGE PROPOSAL] The securetty file is empty by default<br>
><br>
> All the info has been sitting here @<br>
> <a href="https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default" target="_blank">https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default</a><br>
<br></div></div>
I often install machines with root only as my users are all in my<br>
FreeIPA/LDAP server and I expect to be able to login as root on the<br>
console for maintenance purposes.<br>
<br>
This change makes it very hard to do necessary maintenance. I can<br>
understand blocking SSH login as root with password by default, but I do<br>
not understand what is the point of blocking console login as root.<br></blockquote><div><br></div><div>In larger organizations there is a legitimate need to be able to attribute every action as "root" to a specific individual, which is easiest to do by requiring a login from a non-root account to establish the session, and then tracking actions done by that session. OTOH this all works reliably enough only with a non-default auditing setup, so restricting root logins by default is alone not at all sufficient.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Please explain the logic of blocking console logins but allowing SSH<br>
logins, it is completely backwards.<br></blockquote><div><br></div><div>Of the various problems with the proposal[1], this one seems the easiest to fix :)<br> Mirek<br><br></div><div>[1] I'm not listing them here; I'd much rather have the Change officially announced and have the official comment period, instead of starting a tradition of pre-announcements.<br>
</div></div></div></div>