[CHANGE PROPOSAL] The securetty file is empty by default

Miloslav Trmač mitr at volny.cz
Thu Apr 3 16:53:13 UTC 2014

2014-04-02 20:12 GMT+02:00 Simo Sorce <simo at redhat.com>:

> On Wed, 2014-04-02 at 09:12 -0700, quickbooks office wrote:
> > [CHANGE PROPOSAL] The securetty file is empty by default
> >
> > All the info has been sitting here @
> >
> > https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default
>
> I often install machines with root only as my users are all in my
> FreeIPA/LDAP server and I expect to be able to login as root on the
> console for maintenance purposes.
> This change makes it very hard to do necessary maintenance. I can
> understand blocking SSH login as root with password by default, but I do
> not understand what is the point of blocking console login as root.

In larger organizations there is a legitimate need to be able to attribute
every action as "root" to a specific individual, which is easiest to do by
requiring a login from a non-root account to establish the session, and
then tracking actions done by that session.  OTOH this all works reliably
enough only with a non-default auditing setup, so restricting root logins
by default is alone not at all sufficient.

> Please explain the logic of blocking console logins but allowing SSH
> logins, it is completely backwards.

Of the various problems with the proposal[1], this one seems the easiest to
fix :)

[1] I'm not listing them here; I'd much rather have the Change officially
announced and have the official comment period, instead of starting a
tradition of pre-announcements.