LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
03-31-2009, 12:38 AM   #1
culin
Member
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254
"only one root login"


Hi all,
I just want to know how I can set up my Linux system to allow only one root login, i.e. say a user is logged in as root on system A; then, irrespective of whether it is a telnet session, SSH, a local login or any other terminal, we should not allow another root login if there is one already...
How can I do this?
 
03-31-2009, 01:14 AM   #2
Tinkster
Moderator
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11
Ummm ... that's a silly idea. What do you do if that one
session gets hung? Reboot the machine?


Cheers,
Tink


P.S.: Please change your font, it's too fat and ugly ;}
 
03-31-2009, 01:29 AM   #3
maxy7710
Member
Registered: Jan 2008
Location: Mumbai, india
Distribution: REDHAT, FEDORA, SUSE, UBUNTU, ORACLE ENTERPRISE LINUX & SOLARIS 10
Posts: 130
Well, if you get stuck then there will be no option other than a reboot, so do it wisely.

For Red Hat distros:

First, hash out all entries in /etc/securetty except tty1, so that you can log in as root only on tty1, on the console connected to the server/machine.

Remove the SUID bit from /usr/bin/sudo, /bin/su and /usr/bin/sudoedit, so that no other user can switch user to root via su or sudo, if sudoers is enabled.

In /etc/ssh/sshd_login remove the hash from PermitRootLogin & set it to no, so that root cannot log in to the machine via SSH.

If you do all this then root can log in only via tty1 on the console connected to the server/machine.

I hope this helps.
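The three steps above, as an added shell example that is not from the thread: each step is a function that takes the path of the file to edit, so the whole thing can be rehearsed on copies in a scratch directory before anything under /etc is touched. Two caveats a practitioner would want: OpenSSH reads its server settings from /etc/ssh/sshd_config (the "sshd_login" in the post is presumably a slip), and stripping the setuid bit from sudo disables sudo for every user, not only for escalation to root. Nothing here stops someone who is already root from reverting it all, which is the objection raised further down the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the three steps from the post
# above to files passed as arguments, so it can be rehearsed on copies.
# Assumed: POSIX sh and mktemp(1); review the result before restarting
# sshd. Nothing here prevents root from reverting the changes.

# Step 1: comment out every line in a securetty-style file except $2.
# Blank lines and existing comments are left as they are.
restrict_securetty() {
    file=$1; keep=$2
    tmp=$(mktemp) || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)  printf '%s\n' "$line" ;;   # keep blanks and comments
            "$keep")  printf '%s\n' "$line" ;;   # the one console still allowed
            *)        printf '#%s\n' "$line" ;;  # hash out everything else
        esac
    done < "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's mode/owner
}

# Step 2: drop the setuid bit from the given binaries (root only). Once
# sudo is no longer setuid it stops working for every user, which is why
# post #5 in this thread backs away from it; keep it a separate step.
strip_suid() {
    for f in "$@"; do
        if [ -u "$f" ]; then chmod u-s "$f"; fi
    done
    return 0
}

# Step 3: force "PermitRootLogin no" in an sshd_config-style file: replace
# the first (possibly commented) directive, drop duplicates, append one if
# none is present. Directives inside Match blocks are not distinguished.
set_permit_root_login_no() {
    file=$1
    tmp=$(mktemp) || return 1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            PermitRootLogin*|'#PermitRootLogin'*|'# PermitRootLogin'*)
                if [ "$found" -eq 0 ]; then
                    printf 'PermitRootLogin no\n'
                    found=1
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    if [ "$found" -eq 0 ]; then printf 'PermitRootLogin no\n' >> "$tmp"; fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Check: list the ttys a securetty-style file still allows.
allowed_ttys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}
```

Run it against copies first (`cp /etc/securetty /tmp/securetty && restrict_securetty /tmp/securetty tty1 && allowed_ttys /tmp/securetty`), and remember that PermitRootLogin only takes effect after sshd is restarted.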
 
03-31-2009, 02:12 AM   #4
culin
Member
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Thanks for the replies.
Yes, I had thought of that situation. In that case, what I had thought of as an option is to give sudo permission to only one special user, known only to the admin, to kill that terminal. Maybe I am wrong. Are there any specific ways, or a specific config file, that deal with restricting the number of root logins?

@maxy7710
One more thing: if we disable root login in the sshd config file (or remove the SUID bit from /usr/bin/sudo and /bin/su), and the root terminal is logged out, then it will not be possible for the SSH user or any other user to log in as root, even though there is no root logged in. How do we solve this problem?

Last edited by culin; 03-31-2009 at 02:13 AM. Reason: un impressive fonts
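As an added example, not from the thread, of the "refuse a second root login if one exists" check the question asks for: a guard that counts root sessions in who(1) output and ends a new interactive root shell when another root session is already listed. That it is sourced from root's login profile is my assumption, not something the thread prescribes, and the who output in the block is constructed sample data. Its limitations are exactly the ones the replies raise: a hung session keeps the count at one until it is cleared, anything that does not run a login shell (scp, ssh with a command) is never counted, and root can simply delete the guard.

```shell
#!/bin/sh
# Added example, not from the thread: refuse a new interactive root shell
# when who(1) already shows a root session. Assumed usage (my assumption):
# sourced from root's login profile. Advisory only; root can remove it.

# Constructed sample of who(1) output: USER LINE DATE TIME [(HOST)].
SAMPLE_WHO='root     tty1         2009-03-31 00:38
culin    pts/0        2009-03-31 00:40 (192.0.2.10)
root     pts/1        2009-03-31 00:45 (192.0.2.11)'

# Count sessions belonging to $1 in who(1)-style lines read from stdin.
count_sessions_for() {
    user=$1
    n=0
    while read -r name _rest; do
        if [ "$name" = "$user" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeed if the number of sessions for $1 on stdin is within $2.
# The shell running this check is itself already listed by who, so a
# limit of 1 means "no other root session besides this one".
session_allowed() {
    user=$1; limit=$2
    n=$(count_sessions_for "$user")
    [ "$n" -le "$limit" ]
}

# Guard to source from root's profile: ends the login if another root
# session exists. Hung sessions keep counting until they are cleared,
# which is the reboot problem raised in reply #2 above.
enforce_single_root() {
    if [ "$(id -u)" -eq 0 ] && ! who | session_allowed root 1; then
        echo "root is already logged in elsewhere; refusing this login" >&2
        exit 1
    fi
}
```

On the sample data `count_sessions_for root` reports 2, so `session_allowed root 1` fails and a guard sourced in the profile would end the login; the same data passes with a limit of 2.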
 
03-31-2009, 02:24 AM   #5
maxy7710
Member
Registered: Jan 2008
Location: Mumbai, india
Distribution: REDHAT, FEDORA, SUSE, UBUNTU, ORACLE ENTERPRISE LINUX & SOLARIS 10
Posts: 130
As I said, if you follow the 3 steps I've told you, then you can only log in through tty1 via the console attached to the server.

If tty1 hangs then there is only one option left, which is to reboot the server.

But if you want, you can make one sudo user & give it root permissions in /etc/sudoers & not remove the SUID bit from /usr/bin/sudo.

This would be the better option.
 
04-01-2009, 05:04 AM   #6
Valery Reznic
ELF Statifier author
Registered: Oct 2007
Posts: 675

Quote:
Originally Posted by maxy7710
As I said, if you follow the 3 steps I've told you, then you can only log in through tty1 via the console attached to the server.

If tty1 hangs then there is only one option left, which is to reboot the server.

But if you want, you can make one sudo user & give it root permissions in /etc/sudoers & not remove the SUID bit from /usr/bin/sudo.

This would be the better option.

What's the point of allowing only one root login?
Once root is logged in, he can change all those things back.
 
04-01-2009, 05:14 AM   #7
maxy7710
Member
Registered: Jan 2008
Location: Mumbai, india
Distribution: REDHAT, FEDORA, SUSE, UBUNTU, ORACLE ENTERPRISE LINUX & SOLARIS 10
Posts: 130

root is the system admin, & if root's password is not compromised then having a single root login comes in handy, because the risk of an anonymous user tampering with your system is minimized.
 
04-01-2009, 05:30 AM   #8
Valery Reznic
ELF Statifier author
Registered: Oct 2007
Posts: 675

Quote:
Originally Posted by maxy7710
root is the system admin, & if root's password is not compromised then having a single root login comes in handy, because the risk of an anonymous user tampering with your system is minimized.

I know that root is the system admin, but anyway I can't see what the point is.

If the root password IS compromised then one should reinstall the system.
If the root password IS NOT compromised then only the real sysadmin can log in as root.

Once root is logged in there is nothing preventing him from logging in again
(including undoing any changes that prevent login).

And how is logging in twice on different virtual consoles different from, say, logging in only once and opening two xterms?
 
04-01-2009, 05:37 AM   #9
maxy7710
Member
Registered: Jan 2008
Location: Mumbai, india
Distribution: REDHAT, FEDORA, SUSE, UBUNTU, ORACLE ENTERPRISE LINUX & SOLARIS 10
Posts: 130

If the system admin wants only one root login then why would he revert the changes after logging in?
If remote root login is disabled then he won't even be able to open a single virtual console for user root.
 
04-01-2009, 07:25 AM   #10
Valery Reznic
ELF Statifier author
Registered: Oct 2007
Posts: 675

Quote:
Originally Posted by maxy7710
If the system admin wants only one root login then why would he revert the changes after logging in?
If remote root login is disabled then he won't even be able to open a single virtual console for user root.

That's what I don't get: why would a sysadmin want to limit his own options in such a way?
 
04-01-2009, 07:31 AM   #11
maxy7710
Member
Registered: Jan 2008
Location: Mumbai, india
Distribution: REDHAT, FEDORA, SUSE, UBUNTU, ORACLE ENTERPRISE LINUX & SOLARIS 10
Posts: 130

Quote:
Originally Posted by Valery Reznic
That's what I don't get: why would a sysadmin want to limit his own options in such a way?

For security.

i.e.

Servers are kept in server rooms & limited people have access to them.

People who have access are mostly considered trustworthy.

So we are minimizing the risk of exposing normal users connecting to the server, or servers exposed to the internet.

I hope you understand.
 
04-01-2009, 08:37 AM   #12
Valery Reznic
ELF Statifier author
Registered: Oct 2007
Posts: 675

Quote:
Originally Posted by maxy7710
For security.

i.e.

Servers are kept in server rooms & limited people have access to them.

People who have access are mostly considered trustworthy.

So we are minimizing the risk of exposing normal users connecting to the server, or servers exposed to the internet.

I hope you understand.

Not really. What does "exposing normal users connecting to the server" have to do with a root login?

The only case I can think of where it could be somehow useful is preventing two sysadmins from simultaneously working on one server.

But I think that should be solved by administrative means.
 
  

