[CHANGE PROPOSAL] The securetty file is empty by default

quickbooks office quickbooks.office at gmail.com
Thu Apr 3 14:32:38 UTC 2014


This change will not affect logging into the console using the local
account and then doing su to get root privileges.

Is there a problem with logging into the local user account and then
typing su and the root password?

You are as such prompted to make a local user account when doing an
install from the Live CD.


"3.1.4.2.2. Disabling Root Logins

To further limit access to the root account, administrators can
disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to log into. If
the file does not exist at all, the root user can log in through any
communication device on the system, whether via the console or a raw
network interface. This is dangerous, because a user can log in to his
machine as root via Telnet, which transmits the password in plain text
over the network. By default, Fedora's /etc/securetty file only allows
the root user to log in at the console physically attached to the
machine. To prevent root from logging in, remove the contents of this
file by typing the following command:

echo > /etc/securetty

Warning

A blank /etc/securetty file does not prevent the root user from
logging in remotely using the OpenSSH suite of tools because the
console is not opened until after authentication. "


The change will NOT affect: "Programs that do not log in as root, but
perform administrative tasks through setuid or other mechanisms...The
following programs are NOT PREVENTED from accessing the root account:
su, sudo, ssh, scp, sftp"

On Thu, Apr 3, 2014 at 6:06 AM, Simo Sorce <simo at redhat.com> wrote:
> On Wed, 2014-04-02 at 19:15 -0400, Matthew Miller wrote:
>> On Wed, Apr 02, 2014 at 02:12:50PM -0400, Simo Sorce wrote:
>> > How does someone express strong disagreement to this change ?
>>
>> Posting here is a good start. You can also add a note in the FESCo ticket
>> for approval once one is filed, and if you are incredibly passionate you can
>> come to the FESCo meeting (although I'm hoping we can make those meetings
>> more efficient, so that's not a good place for back and forth -- if possible
>> we should work out the issues before the meeting).
>
> Ticket number ?
>
>> > This change makes it very hard to do necessary maintenance. I can
>> > understand blocking SSH login as root with password by default, but I do
>> > not understand what is the point of blocking console login as root.
>>
>> I assume that it's for a kiosk or public (or at least managed) lab
>> situation. It makes sense for that, but I'm not convinced of a benefit
>> otherwise, and I don't think that situation is the default....
>
> I am not even sure it makes sense in a kiosk, unless people want to use
> "password" as their root password. But even if it made sense in that
> situation it is far from being a useful *default*. This kind of severely
> restricting measure is best left to hardening manuals.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


More information about the devel mailing list