On Sat, Nov 14, 2009 at 2:01 AM, Joshua Murphy <poiso...@gmail.com> wrote: > On Fri, Nov 13, 2009 at 7:24 PM, Mick <michaelkintz...@gmail.com> wrote: >> On Thursday 12 November 2009 23:08:18 Iain Buchanan wrote: >>> On Thu, 2009-11-12 at 22:18 +0000, Mick wrote: >>> > On Thursday 12 November 2009 22:09:01 Alan McKinnon wrote: >>> > > Gdm itself has a config option to disallow root logins >>> > >>> > Ahh, unfortunately I can only access it remotely via ssh at this stage. >>> > Hopefully the pam method will work fine. >>> >>> You don't need anything more to configure gdm than ssh access - this is >>> Linux after all & a good program has text based configurations :) >>> >>> Edit /etc/X11/gdm/custom.conf >>> >>> In the section [security] add: >>> AllowRoot=false >> >> Thanks for this! :-) >> >>> You may then have to restart xdm. >>> >>> However, if someone has the root password to log in to X, then what's to >>> stop them changing anything you do now? >> >> Know how? >> -- >> Regards, >> Mick > > Approach security a little more sanely and don't give untrusted users > root access? If you have to take steps to restrict the root account, > you need to rethink who has use of it. Preventing damage in the event > that the system *does* get compromised is one thing, but trying to > control someone who is *given* access to root on the software side is > the wrong approach, in my incredibly non-humble opinion. > > -- > Poison [BLX] > Joshua M. Murphy
And, a quick note on the case that the intent is to prevent the level of damage in the event of a compromised root account, give this a quick read over and google any terms you're not certain of the meaning of: Linux.com :: Securing Linux with Mandatory Access Controls http://www.linux.com/archive/feature/113941 -- Poison [BLX] Joshua M. Murphy