[CHANGE PROPOSAL] The securetty file is empty by default

Andrew Lutomirski luto at mit.edu
Thu Apr 3 22:11:12 UTC 2014

On Thu, Apr 3, 2014 at 2:46 PM, Przemek Klosowski
<przemek.klosowski at nist.gov> wrote:
> On 04/03/2014 10:32 AM, quickbooks office wrote:
> " Disabling Root Logins
> To further limit access to the root account, administrators can
> disable root logins at the console by editing the /etc/securetty file.
> This is done in the name of accountability, by forcing an administrative
> login through an account attributable to a specific person. This, however,
> only makes sense if there _actually_are_ such individual accounts on the
> system.
> Would this proposal be acceptable if it wasn't implemented if 'root' is the
> only account?
> I personally don't think even such amended proposal is a reasonable default
> configuration, because systems authenticating against a domain, and having
> only one local (root) account, could lock the admin out if something happens
> to the network or to the domain server.

It's worse: the admin could lock themselves out just by creating
another user account.


More information about the devel mailing list