This change will not affect logging into the console using the local account and then doing su to get root privileges.
Is there a problem with logging into the local user account and then typing su and the root password? You are as such prompted to make a local user account when doing an install from the Live CD. "3.1.4.2.2. Disabling Root Logins To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: echo > /etc/securetty Warning A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication. " The change will NOT affect: "Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms...The following programs are NOT PREVENTED from accessing the root account: su, sudo, ssh, scp, sftp" On Thu, Apr 3, 2014 at 6:06 AM, Simo Sorce <s...@redhat.com> wrote: > On Wed, 2014-04-02 at 19:15 -0400, Matthew Miller wrote: >> On Wed, Apr 02, 2014 at 02:12:50PM -0400, Simo Sorce wrote: >> > How does someone express strong disagreement to this change ? >> >> Posting here is a good start. You can also add a note in the FESCo ticket >> for approval once one is filed, and if you are incredibly passionate you can >> come to the FESCo meeting (although I'm hoping we can make those meetings >> more efficient, so that's not a good place for back and forth -- if possible >> we should work out the issues before the meeting). > > Ticket number ? > >> > This change makes it very hard to do necessary maintenance. I can >> > understand blocking SSH login as root with password by default, but I do >> > not understand what is the point of blocking console login as root. >> >> I assume that it's for a kiosk or public (or at least managed) lab >> situation. It makes sense for that, but I'm not convinced of a benefit >> otherwise, and I don't think that situation is the default.... > > I am not even sure it makes sense in a kiosk, unless people want to use > "password" as their root password. But even if it made sense in that > situation it is far from being a useful *default*. This kind of severely > restricting measure is best left to hardening manuals. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
