
4.4.2. Disallowing Root Access

If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to Section 4.2.2, “Boot Loader Passwords” for more on this topic).
Table 4.1, “Methods of Disabling the Root Account” shows ways an administrator can further ensure that root logins are disallowed. Each entry lists the method, a description, its effects, and what it does not affect:

Method: Changing the root shell.
Description: Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.
Effects: Prevents access to the root shell and logs the attempt. The following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp
Does Not Affect: Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:
· sudo
· FTP clients
· Email clients

Method: Disabling root access via any console device (tty).
Description: An empty /etc/securetty file prevents root login on any devices attached to the computer.
Effects: Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· Other network services that open a tty
Does Not Affect: Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
· su
· sudo
· ssh
· scp
· sftp

Method: Disabling root SSH logins.
Description: Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
Effects: Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
· ssh
· scp
· sftp
Does Not Affect: Anything outside the OpenSSH suite of tools; this only prevents root access via OpenSSH.

Method: Use PAM to limit root access to services.
Description: Edit the file for the target service in the /etc/pam.d/ directory. Make sure pam_listfile.so is required for authentication.[a]
Effects: Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
· FTP clients
· Email clients
· login
· gdm
· kdm
· xdm
· ssh
· scp
· sftp
· Any PAM aware services
Does Not Affect: Programs and services that are not PAM aware.

Table 4.1. Methods of Disabling the Root Account
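The four controls in Table 4.1 can be verified from a shell. The audit script below is an added example and not part of the guide; it assumes the standard file locations the table names, and each check takes the file to inspect as an argument so it can also be run against copies of the files.

```sh
#!/bin/sh
# Audit the four root-access controls from Table 4.1 (example, not part of the guide).
# Every check takes the file to inspect as an argument so it can be run against
# the live files or against copies; the defaults are the paths the table names.

# Method 1: the root shell in /etc/passwd is /sbin/nologin.
root_shell_disabled() {
    shell=$(awk -F: '$1 == "root" { print $7 }' "${1:-/etc/passwd}")
    [ "$shell" = "/sbin/nologin" ]
}

# Method 2: /etc/securetty exists and is empty. The file must exist: a missing
# file is not the same as an empty one, so an absent file is reported as a failure.
securetty_empty() {
    f="${1:-/etc/securetty}"
    [ -f "$f" ] && ! grep -q '[^[:space:]]' "$f"
}

# Method 3: PermitRootLogin no in sshd_config. sshd uses the first value it finds
# for a keyword, so the first uncommented occurrence decides (keyword is case-insensitive).
ssh_root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "${1:-/etc/ssh/sshd_config}")
    [ "$val" = "no" ]
}

# Method 4: the PAM service file ($1, e.g. a file under /etc/pam.d/) has an
# "auth required pam_listfile.so" line, with or without a module path prefix.
pam_listfile_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+([^[:space:]]*/)?pam_listfile\.so' "$1"
}

# Run all four checks, print one PASS/FAIL line each, and return the number of failures.
# Arguments: passwd file, securetty file, sshd_config file, PAM service file (no spaces in paths).
audit_root_access() {
    failed=0
    for check in "root_shell_disabled $1" "securetty_empty $2" \
                 "ssh_root_login_disabled $3" "pam_listfile_required $4"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; failed=$((failed + 1)); fi
    done
    return "$failed"
}
```

Running `audit_root_access /etc/passwd /etc/securetty /etc/ssh/sshd_config /etc/pam.d/<service>` on a live system reports each control, and a non-zero exit status gives the number of controls still open.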

4.4.2.1. Disabling the Root Shell

To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. This prevents access to the root account through commands that require a shell, such as the su and the ssh commands.

Important

Programs that do not require access to the shell, such as email clients or the sudo command, can still access the root account.