43.1.4.2. Disallowing Root Access

43.1.4.2. Disallowing Root Access

If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to Section 43.1.2.2, “Boot Loader Passwords” for more information on this topic.)

Table 43.1, “Methods of Disabling the Root Account” describes ways that an administrator can further ensure that root logins are disallowed:

Method Description Effects Does Not Affect
Changing the root shell. Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.
Prevents access to the root shell and logs any such attempts.
The following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs.
The following programs are not prevented from accessing the root account:
· sudo
· FTP clients
· Email clients
Disabling root access via any console device (tty). An empty /etc/securetty file prevents root login on any devices attached to the computer.
Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· Other network services that open a tty
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms.
The following programs are not prevented from accessing the root account:
· su
· sudo
· ssh
· scp
· sftp
Disabling root SSH logins. Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
· ssh
· scp
· sftp
This only prevents root access to the OpenSSH suite of tools.
Use PAM to limit root access to services. Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.[a]
Prevents root access to network services that are PAM aware.
The following services are prevented from accessing the root account:
· FTP clients
· Email clients
· login
· gdm
· kdm
· xdm
· ssh
· scp
· sftp
· Any PAM aware services
Programs and services that are not PAM aware.

Table 43.1. Methods of Disabling the Root Account



Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.