Prevent Root GUI Login

DejaCpp · 10-29-2010, 04:30 PM

I am using RH 5 and I am trying to prevent root gui login. I have:

1. deleted contents of /etc/securetty
2. added auth required pam_listfile.so item=user sense=deny file=/etc/root-no-login onerr=succeed to /etc/pam.d/gdm and the root-no-login file contains root
3. added auth required pam_succeed_if.so user != root quiet to /etc/pam.d/gdm
4. added -:root:all to the /etc/access_conf

Number 2 works on my RHEL 4 and 3 works on Fedora. 1 & 2 prevented console login. I didn't try setting the shell to /bin/nologin because I feared I might lock root out. Any ideas. Thanks.

unSpawn · 10-30-2010, 04:52 AM

Quote:

Originally Posted by DejaCpp

2. added auth required pam_listfile.so item=user sense=deny file=/etc/root-no-login onerr=succeed to /etc/pam.d/gdm and the root-no-login file contains root

/etc/pam.d/gdm sources /etc/pam.d/system-auth, so unless your "auth required pam_listfile" line comes first and you have copied required lines over from system-auth, behaviour will be partially controlled there. The only other GDM-related root-login-governing settings I found where 'echo -en "AllowRoot=false\nAllowRemoteRoot=false\n" >> /etc/X11/gdm/gdm.conf-custom'. You should not mess with roots shell, leave it as it is.