On Saturday 14 November 2009 07:01:19 Joshua Murphy wrote: > On Fri, Nov 13, 2009 at 7:24 PM, Mick <michaelkintz...@gmail.com> wrote: > > On Thursday 12 November 2009 23:08:18 Iain Buchanan wrote: > >> On Thu, 2009-11-12 at 22:18 +0000, Mick wrote: > >> > On Thursday 12 November 2009 22:09:01 Alan McKinnon wrote: > >> > > Gdm itself has a config option to disallow root logins > >> > > >> > Ahh, unfortunately I can only access it remotely via ssh at this > >> > stage. Hopefully the pam method will work fine. > >> > >> You don't need anything more to configure gdm than ssh access - this is > >> Linux after all & a good program has text based configurations :) > >> > >> Edit /etc/X11/gdm/custom.conf > >> > >> In the section [security] add: > >> AllowRoot=false > > > > Thanks for this! :-) > > > >> You may then have to restart xdm. > >> > >> However, if someone has the root password to log in to X, then what's to > >> stop them changing anything you do now? > > > > Know how? > > -- > > Regards, > > Mick > > Approach security a little more sanely and don't give untrusted users > root access? If you have to take steps to restrict the root account, > you need to rethink who has use of it. Preventing damage in the event > that the system *does* get compromised is one thing, but trying to > control someone who is *given* access to root on the software side is > the wrong approach, in my incredibly non-humble opinion.
You are right of course, but in this particular case the guy who *pays* wants to have root access. So, I'm just trying to find an easy way to protect him from himself. Initially I implemented SELinux, but had to pull that back because I couldn't in any quick way get Nagios cgi working with it. One day I may find some time to get back to it. Thanks again. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
