Thursday, February 7, 2008

Locking Down Root

Having an active root user is generally not a good thing. If the machine is used by lots of people and several individuals do superuser tasks under the root user, you have no way to track who did what in the event that someone decides to get evil. And of course, hackers like to get root access, because it lets them do anything they want. You don't want that, so let's lock root up.

First, make sure that you have super user abilities when root is locked. If you don't already have sudo access, use root now to add yourself into the /etc/sudoers file. (I'll write an article about that soon. In the meantime, use man sudo to learn more.)

Now, lock root. Get out of root, if you are in it already, and as a user with sudoers privileges type
sudo passwd -l root
Check your work with
sudo passwd -S root
You should see something like
root L 09/11/2007 0 99999 7 -1

The option -S gives you the status of a user's password. It prints the user name, then the status (L = locked, NP = no password, P = usable password), the date of the last password change, and then the minimum age, maximum age, warning period and inactivity period for the password.*
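To show how those fields line up, here is a small POSIX shell script that decodes a passwd -S line (the sample line is constructed to match the output above) and checks whether the account is locked. It also checks a constructed /etc/shadow-style entry, since passwd -l works by prefixing the password hash with "!". This is an added example, not part of the original post, and it never reads the real system files.

```shell
#!/bin/sh
# Added example: decode a `passwd -S` line and test for a locked account.
# The sample status line is constructed to match the post; the shadow entry
# below uses a made-up hash and is not a real credential.

SAMPLE_STATUS='root L 09/11/2007 0 99999 7 -1'

# Print the status word (L, NP or P) from a passwd -S line.
status_of() {
    # $1: one passwd -S line; word-split it into positional parameters
    set -- $1
    printf '%s\n' "$2"
}

# Succeed (exit 0) if the passwd -S line describes a locked account.
is_locked() {
    [ "$(status_of "$1")" = "L" ]
}

# Describe each field of a passwd -S line in plain words.
describe_status() {
    # Field order: user status last-change min-age max-age warn inactive
    set -- $1
    printf 'user: %s\n' "$1"
    case "$2" in
        L)  printf 'status: locked\n' ;;
        NP) printf 'status: no password\n' ;;
        P)  printf 'status: usable password\n' ;;
        *)  printf 'status: unknown (%s)\n' "$2" ;;
    esac
    printf 'last change: %s\n' "$3"
    printf 'min age (days): %s\n' "$4"
    printf 'max age (days): %s\n' "$5"
    printf 'warning period (days): %s\n' "$6"
    printf 'inactivity period (days): %s\n' "$7"
}

# Constructed /etc/shadow-style line. passwd -l prefixes the hash with '!';
# 13767 is the day count for 2007-09-11, matching the sample above.
SAMPLE_SHADOW='root:!$6$constructedsalt$constructedhash:13767:0:99999:7:::'

# Succeed if the shadow entry's hash field is locked ('!' prefix) or
# permits no password login at all ('*').
shadow_is_locked() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

if is_locked "$SAMPLE_STATUS"; then
    echo "root is locked according to passwd -S"
else
    echo "root is NOT locked according to passwd -S"
fi
describe_status "$SAMPLE_STATUS"
shadow_is_locked "$SAMPLE_SHADOW" && echo "shadow entry shows a locked hash"
```

On a real machine you would feed it the output of sudo passwd -S root, or run the shadow check against the root line of /etc/shadow (which requires root or sudo to read); both checks agree because -S reports L exactly when the hash carries the "!" prefix that passwd -l adds.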


Root is now locked. You can't log into root directly any more, and will have to run superuser tasks through sudo. There is still a cheater way around it, though. You can
sudo su
and then you will be root again. (I'll explain how to fix that in the sudo article.)



* Minimum age for a password means that you can only change the password every so many days. Maximum age means that you have to change your password every so many days. Warning period is how long before maximum age is reached that the system should start warning you that you have to change your password. Inactivity period is how long after a password has expired that the login should be completely locked out. If you don't change your password before maximum age is reached, the system will generally still let you log in and make you change your password immediately before moving on. Once you've hit the number of days in the inactivity period, though, you don't get that chance; it just won't let you in at all. All of these ages are expressed as a number of days.
