2014-04-02 20:12 GMT+02:00 Simo Sorce <s...@redhat.com>:
> On Wed, 2014-04-02 at 09:12 -0700, quickbooks office wrote:
> > [CHANGE PROPOSAL] The securetty file is empty by default
> >
> > All the info has been sitting here @
> >
> https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default
>
> I often install machines with root only as my users are all in my
> FreeIPA/LDAP server and I expect to be able to login as root on the
> console for maintenance purposes.
>
> This change makes it very hard to do necessary maintenance. I can
> understand blocking SSH login as root with password by default, but I do
> not understand what is the point of blocking console login as root.
>
In larger organizations there is a legitimate need to be able to attribute
every action as "root" to a specific individual, which is easiest to do by
requiring a login from a non-root account to establish the session, and
then tracking actions done by that session. OTOH this all works reliably
enough only with a non-default auditing setup, so restricting root logins
by default is alone not at all sufficient.
> Please explain the logic of blocking console logins but allowing SSH
> logins, it is completely backwards.
>
Of the various problems with the proposal[1], this one seems the easiest to
fix :)
Mirek
[1] I'm not listing them here; I'd much rather have the Change officially
announced and have the official comment period, instead of starting a
tradition of pre-announcements.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
