From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Block root user from login on xorg GUI
Date: Sat, 14 Nov 2009 19:32:39 +0000
Message-Id: <200911141932.56013.michaelkintzios@gmail.com>
References: <200911122001.57860.michaelkintzios@gmail.com> <200911140025.08967.michaelkintzios@gmail.com>

On Saturday 14 November 2009 07:01:19 Joshua Murphy wrote:
> On Fri, Nov 13, 2009 at 7:24 PM, Mick wrote:
> > On Thursday 12 November 2009 23:08:18 Iain Buchanan wrote:
> >> On Thu, 2009-11-12 at 22:18 +0000, Mick wrote:
> >> > On Thursday 12 November 2009 22:09:01 Alan McKinnon wrote:
> >> > > Gdm itself has a config option to disallow root logins
> >> >
> >> > Ahh, unfortunately I can only access it remotely via ssh at this
> >> > stage. Hopefully the pam method will work fine.
> >>
> >> You don't need anything more to configure gdm than ssh access - this is
> >> Linux after all & a good program has text based configurations :)
> >>
> >> Edit /etc/X11/gdm/custom.conf
> >>
> >> In the section [security] add:
> >> AllowRoot=false
> >
> > Thanks for this! :-)
> >
> >> You may then have to restart xdm.
> >>
> >> However, if someone has the root password to log in to X, then what's to
> >> stop them changing anything you do now?
> >
> > Know how?
> > --
> > Regards,
> > Mick
>
> Approach security a little more sanely and don't give untrusted users
> root access? If you have to take steps to restrict the root account,
> you need to rethink who has use of it. Preventing damage in the event
> that the system *does* get compromised is one thing, but trying to
> control someone who is *given* access to root on the software side is
> the wrong approach, in my incredibly non-humble opinion.

You are right of course, but in this particular case the guy who *pays* wants
to have root access. So, I'm just trying to find an easy way to protect him
from himself. Initially I implemented SELinux, but had to pull that back
because I couldn't in any quick way get Nagios cgi working with it. One day I
may find some time to get back to it.

Thanks again.
--
Regards,
Mick
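Added example, not from the thread and not part of gdm itself: a POSIX shell script that does the custom.conf change Iain describes in a way that can be checked and safely re-run over ssh. It reads the effective AllowRoot value from the [security] section and, if needed, rewrites the file so that section contains AllowRoot=false, covering the key already present with another value, the section present without the key, and the section missing altogether. The path /etc/X11/gdm/custom.conf comes from the thread; the function names and the sample config contents are my own and are constructed here, and the script works on a temporary copy so it can be run without touching the real file.

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread or from gdm): enforce
# AllowRoot=false in the [security] section of a gdm custom.conf and verify it.
# Function names and the sample config below are constructed for illustration.

# Print the effective AllowRoot value from [security] in file $1
# (last assignment wins, as an INI reader would see it); "unset" if absent.
gdm_allowroot_value() {
    awk -F= '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[security\][[:space:]]*$/); next }
        insec && $1 ~ /^[[:space:]]*AllowRoot[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Rewrite file $1 so that [security] contains exactly one AllowRoot=false:
#  - AllowRoot lines already inside [security] are replaced (duplicates dropped)
#  - a [security] section without the key gets it appended
#  - a file without [security] gets the section appended at the end
# The rewrite goes through a temp file and is copied back with cat so the
# original inode and permissions are kept.
gdm_disallow_root() {
    f=$1
    tmp=$(mktemp) || return 1
    awk '
        function leave_section() {
            if (insec && !written) { print "AllowRoot=false"; written = 1 }
        }
        /^[[:space:]]*\[/ {
            leave_section()
            insec = ($0 ~ /^[[:space:]]*\[security\][[:space:]]*$/)
            print; next
        }
        insec && /^[[:space:]]*AllowRoot[[:space:]]*=/ {
            if (!written) { print "AllowRoot=false"; written = 1 }
            next
        }
        { print }
        END {
            leave_section()
            if (!written) { print ""; print "[security]"; print "AllowRoot=false" }
        }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Exit status 0 when root login at the gdm greeter is disabled in $1, 1 otherwise.
gdm_root_login_blocked() {
    [ "$(gdm_allowroot_value "$1")" = "false" ]
}

# Constructed sample custom.conf (not a real file from any system) written to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# GDM configuration storage
[daemon]
AutomaticLoginEnable=false

[security]
AllowRoot=true
DisallowTCP=true

[xdmcp]
Enable=false
EOF
}

# Stand-alone demo on a temporary copy: show the value before and after.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "before: AllowRoot=$(gdm_allowroot_value "$demo_conf")"
gdm_disallow_root "$demo_conf"
echo "after:  AllowRoot=$(gdm_allowroot_value "$demo_conf")"
rm -f "$demo_conf"
```

To apply it to a live system, point gdm_disallow_root at /etc/X11/gdm/custom.conf (after taking a copy) and then restart xdm as Iain says. gdm_root_login_blocked is the piece worth keeping around: it gives a yes/no check that can be run from a cron job or a configuration audit, which matters because, as Joshua points out, this setting only stops root at the greeter and anyone holding the root password can turn it back on.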