Hi On Fri, Nov 15, 2013 at 7:02 AM, Thomas Bächler <tho...@archlinux.org> wrote: > Am 15.11.2013 15:55, schrieb Anatol Pomozov: >> The "correct" way to disable root completely is to make it expired >> "usermod --expiredate DATE_IN_PAST root". I tried it on my machine and >> found that pacman is broken. I believe it uses "su" before running >> install scripts. > > Nothing about disabling the root account is "correct".
Disabling root account is typical practice on multi-user machines. "sudo" is much better solution as it allows fine-grained control to super-user abilities. > If you disable > the account, both 'su' and 'sudo' cannot function. You _need_ the root > account. "--expiredate" differs from "disabling login" that "--expiredate" does not allow to "sudo su" and does not allow any other authentication method (such as ssh keys). Note that "sudo foo" still works even if root account is expired (sudo ignores expiration date of the destination account).
