Gentoo Archives: gentoo-user

From: Joshua Murphy <poisonbl@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Block root user from login on xorg GUI
Date: Sat, 14 Nov 2009 08:12:11
Message-Id: c30988c30911132307t691d1891t1d25d4a40534feea@mail.gmail.com
In Reply to: Re: [gentoo-user] Block root user from login on xorg GUI by Joshua Murphy
1 On Sat, Nov 14, 2009 at 2:01 AM, Joshua Murphy <poisonbl@×××××.com> wrote:
2 > On Fri, Nov 13, 2009 at 7:24 PM, Mick <michaelkintzios@×××××.com> wrote:
3 >> On Thursday 12 November 2009 23:08:18 Iain Buchanan wrote:
4 >>> On Thu, 2009-11-12 at 22:18 +0000, Mick wrote:
5 >>> > On Thursday 12 November 2009 22:09:01 Alan McKinnon wrote:
6 >>> > > Gdm itself has a config option to disallow root logins
7 >>> >
8 >>> > Ahh, unfortunately I can only access it remotely via ssh at this stage.
9 >>> > Hopefully the pam method will work fine.
10 >>>
11 >>> You don't need anything more to configure gdm than ssh access - this is
12 >>> Linux after all & a good program has text based configurations :)
13 >>>
14 >>> Edit /etc/X11/gdm/custom.conf
15 >>>
16 >>> In the section [security] add:
17 >>> AllowRoot=false
18 >>
19 >> Thanks for this!  :-)
20 >>
21 >>> You may then have to restart xdm.
22 >>>
23 >>> However, if someone has the root password to log in to X, then what's to
24 >>> stop them changing anything you do now?
25 >>
26 >> Know how?
27 >> --
28 >> Regards,
29 >> Mick
30 >
31 > Approach security a little more sanely and don't give untrusted users
32 > root access? If you have to take steps to restrict the root account,
33 > you need to rethink who has use of it. Preventing damage in the event
34 > that the system *does* get compromised is one thing, but trying to
35 > control someone who is *given* access to root on the software side is
36 > the wrong approach, in my incredibly non-humble opinion.
37 >
38 > --
39 > Poison [BLX]
40 > Joshua M. Murphy
41
42 And, a quick note on the case that the intent is to prevent the level
43 of damage in the event of a compromised root account, give this a
44 quick read over and google any terms you're not certain of the meaning
45 of:
46
47 Linux.com :: Securing Linux with Mandatory Access Controls
48 http://www.linux.com/archive/feature/113941
49
50 --
51 Poison [BLX]
52 Joshua M. Murphy