Jim C said:
> > Really? I mean if you create an admin user can't you then restrict root
> > from ever logging on?
What do you mean by "create an admin user?" Root is root. For some things, you've *got* to be root to make them work.

As to restricting root login, that's easy. Your sshd config file has an option called "PermitRootLogin" (or something similar). Set that to "no," and a direct root login will fail, even if they get the password right.

For myself, I only allow members of group "wheel" to be able to su to root once they've logged in. That way, if someone takes advantage of some exploit in the web server to end up in a shell as the apache user (as an example), they can try su'ing all day and even if they were to already know the root password, they wouldn't be able to get in.

"sudo" is your friend. :-) Someone else mentioned simply setting /bin/su to group and owner executable with permissions turned off for "other," and then making it part of group wheel to do this, but I like limiting it to using sudo - that way, I've got a log entry of who did it and when. Not that I distrust any user that I would give root access to (if I did, they wouldn't get it :), but it's always nice to know when someone does something like that.

--Dave
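
An added example, not part of the post above: a small shell audit of the two settings it discusses, the globally effective PermitRootLogin value in an sshd_config and whether a su binary is closed to "other" and owned by group wheel. The function names and sample files are constructed for illustration; it assumes sshd's first-value-wins keyword handling and standard `ls -ld` output.

```shell
#!/bin/sh
# Added example: audit the two controls discussed in the post.

# Print the PermitRootLogin value sshd would apply globally. sshd uses the
# first value it finds for a keyword, keywords are case-insensitive, and
# anything after the first "Match" line is conditional, so stop there.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "match" { exit }           # end of global section
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }         # default depends on sshd version
    ' "$1"
}

# Succeed only if the file has no permission bits for "other" and belongs to
# the required group (default: wheel). $1 = path, $2 = group.
su_limited_to_group() {
    perms=$(ls -ld "$1" | awk '{ print $1 }')
    group=$(ls -ld "$1" | awk '{ print $4 }')
    case $perms in
        ???????---*) [ "$group" = "${2:-wheel}" ] ;;
        *) return 1 ;;
    esac
}

# Constructed sample input (not from a real host).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' \
    'PermitRootLogin yes' > "$demo/sshd_config"
: > "$demo/su" && chmod 4750 "$demo/su"

echo "PermitRootLogin (effective): $(effective_permit_root_login "$demo/sshd_config")"
if su_limited_to_group "$demo/su"; then
    echo "su: restricted to wheel"
else
    echo "su: not restricted to wheel (mode or group differs)"
fi
```

To check a real host, point the functions at /etc/ssh/sshd_config and the system's su binary instead of the sample files.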