Allowing Root Access; Disallowing Root Access - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43. Securing Your Network
the pam_console.so module.) However, other important system administration tasks, such as
altering network settings, configuring a new mouse, or mounting network devices, are not possible
without administrative privileges. As a result, system administrators must decide how much access the
users on their network should receive.

43.1.4.1. Allowing Root Access

If the users within an organization are trusted and computer-literate, then allowing them root access
may not be an issue. Allowing root access by users means that minor activities, like adding devices or
configuring network interfaces, can be handled by the individual users, leaving system administrators
free to deal with network security and other important issues.
On the other hand, giving root access to individual users can lead to the following issues:
• Machine Misconfiguration — Users with root access can misconfigure their machines and require
assistance to resolve issues. Even worse, they might open up security holes without knowing it.
• Running Insecure Services — Users with root access might run insecure servers on their machine,
such as FTP or Telnet, potentially putting usernames and passwords at risk. These services
transmit this information over the network in plain text.
• Running Email Attachments As Root — Although rare, email viruses that affect Linux do exist. The
only time they are a threat, however, is when they are run by the root user.

43.1.4.2. Disallowing Root Access

If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root
password should be kept secret, and access to runlevel one or single user mode should be disallowed
through boot loader password protection (refer to Section 43.1.2.2, "Boot Loader Passwords" for more
information on this topic.)
Table 43.1, "Methods of Disabling the Root Account" describes ways that an administrator can further
ensure that root logins are disallowed:

| Method | Description | Effects | Does Not Affect |
|---|---|---|---|
| Changing the root shell. | Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin. | Prevents access to the root shell and logs any such attempts. The following programs are prevented from accessing the root account: login, gdm, kdm, xdm, su, ssh, scp, sftp | Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account: sudo, FTP clients, Email clients |
| Disabling root | An empty /etc/securetty file prevents | Prevents access to the root account via the console or | Programs that do not log in as root, but perform |
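
The two methods named in Table 43.1 can be checked from a shell. The script below is an added example, not part of the Red Hat manual; the function names and sample files are constructed, and treating any non-blank securetty line as an entry is an assumption.

```shell
#!/bin/sh
# Added example: audit the two Table 43.1 settings in the given files.
# Function names and sample data are constructed for illustration.

# Print the login shell (7th field) of the root entry in a passwd-format file.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "${1:-/etc/passwd}"
}

# Succeed only if root's shell is /sbin/nologin ("Changing the root shell").
root_shell_disabled() {
    [ "$(root_shell "$1")" = "/sbin/nologin" ]
}

# Classify a securetty-format file as "missing", "empty" or "has-entries".
# Only "empty" matches the empty /etc/securetty method in the table.
# Assumption: any non-blank line counts as an entry.
securetty_state() {
    f="${1:-/etc/securetty}"
    if [ ! -e "$f" ]; then
        echo missing
    elif grep -q '[^[:space:]]' "$f"; then
        echo has-entries
    else
        echo empty
    fi
}

# Print a short report for a passwd file and a securetty file.
audit_root_login() {
    if root_shell_disabled "$1"; then
        echo "root shell: /sbin/nologin (root shell access prevented)"
    else
        echo "root shell: $(root_shell "$1") (root shell still available)"
    fi
    echo "securetty: $(securetty_state "$2")"
}

# Demo on constructed sample files; nothing on the real system is read.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo_dir/passwd.before"
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$demo_dir/passwd.after"
printf 'console\ntty1\n' > "$demo_dir/securetty.before"
: > "$demo_dir/securetty.after"
audit_root_login "$demo_dir/passwd.before" "$demo_dir/securetty.before"
audit_root_login "$demo_dir/passwd.after" "$demo_dir/securetty.after"
rm -rf "$demo_dir"
```

Calling audit_root_login with no arguments checks /etc/passwd and /etc/securetty on the running system.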
