[CHANGE PROPOSAL] The securetty file is empty by default

Andrew Lutomirski luto at mit.edu
Thu Apr 3 22:11:12 UTC 2014


On Thu, Apr 3, 2014 at 2:46 PM, Przemek Klosowski
<przemek.klosowski at nist.gov> wrote:
> On 04/03/2014 10:32 AM, quickbooks office wrote:
>
> "3.1.4.2.2. Disabling Root Logins
>
> To further limit access to the root account, administrators can
> disable root logins at the console by editing the /etc/securetty file.
>
> This is done in the name of accountability, by forcing an administrative
> login through an account attributable to a specific person. This, however,
> only makes sense if there _actually_are_ such individual accounts on the
> system.
>
> Would this proposal be acceptable if it wasn't implemented if 'root' is the
> only account?
>
> I personally don't think even such an amended proposal is a reasonable default
> configuration, because systems authenticating against a domain, and having
> only one local (root) account, could lock the admin out if something happens
> to the network or to the domain server.
>

It's worse: the admin could lock themselves out just by creating
another user account.

--Andy

