Jim C said:
>
> Really?  I mean if you create an admin user can't you then restrict root
>  from ever logging on?

What do you mean by "create an admin user?"

Root is root.  For some things, you've *got* to be root to make them work.
 As to restricting root login, that's easy.  Your sshd config file has an
option called "PermitRootLogin" (or something similar).  Set that to "no,"
and a direct root login will fail, even if they get the password right.

For myself, I only allow members of group "wheel" to be able to su to root
once they've logged in.  That way, if someone takes advantage of some
exploit in the web server to end up in a shell as the apache user (as
an example), they can try su'ing all day and even if they were to already
know the root password, they wouldn't be able to get in.  "sudo" is your
friend. :-)  Someone else mentioned simply setting /bin/su to group and
owner executable with permissions turned off for "other," and then making
it part of group wheel to do this, but I like limiting it to using sudo -
that way, I've got a log entry of who did it and when.  Not that I
distrust any user that I would give root access to (if I did, they
wouldn't get it :), but it's always nice to know when someone does
something like that.

            --Dave
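
An added example, not part of Dave's message: a small shell audit of the two settings the post describes, the sshd "PermitRootLogin" option and an su binary closed to "other" and owned by group wheel. The function names and the sample config are constructed for illustration; Include directives are not followed, and the mode and group are passed in as you would read them from `ls -l` or `stat`.

```shell
#!/bin/sh
# Print the effective global PermitRootLogin value in an sshd_config file.
# sshd keywords are case-insensitive and the first value found is the one
# used, so a later "PermitRootLogin yes" does not override an earlier "no".
# Settings after a "Match" line are conditional, so parsing stops there.
permit_root_login() {
    awk '
        /^[ \t]*#/                       { next }   # commented-out line
        tolower($1) == "match"           { exit }   # end of global section
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }           # compiled-in default applies
    ' "$1"
}

# Succeed only if su is closed to "other" and belongs to group wheel.
# $1 = octal mode (e.g. 4750), $2 = group name.
su_is_restricted() {
    case "$1" in
        *0) ;;                 # last octal digit 0: no rights for "other"
        *)  return 1 ;;
    esac
    [ "$2" = "wheel" ]
}

# Constructed sample config, not taken from a real host.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF

printf 'PermitRootLogin (global): %s\n' "$(permit_root_login "$SAMPLE")"
if su_is_restricted 4750 wheel; then
    echo "su mode 4750, group wheel: restricted"
fi
if ! su_is_restricted 4755 root; then
    echo "su mode 4755, group root: any local user can run su"
fi
```

A result of "unset" means the file sets no global value, so whatever default your sshd version ships with is in effect.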



