OpenSuSE 12.1 - Stock kernel, Gnome, several packages (seemingly unrelated to GDM, or anything to do with login) were updated from 12.1 update repos.
Is there a way to turn off root from logging in locally? I checked the /etc/sysconfig editor, and saw that ‘DISPLAYMANAGER_ROOT_LOGIN_LOCAL’ was missing, so I edited /etc/sysconfig/displaymanager with vi, and added the string (of course =“no”).
However, despite my efforts, I can still log in to Gnome shell as root
DO NOT WANT, what do? This is a rather critical option methinks.
Please and thank you very much
P.S. This is the description I added to it, for the lulz:
"Do you want to be stupid?
Set to ‘yes’ to make your admin lose hope in humanity."
On 17.11.2011 23:16, CommonOddity wrote:
> Is there a way to turn off root from logging in locally? I checked the
> /etc/sysconfig editor, and saw that ‘DISPLAYMANAGER_ROOT_LOGIN_LOCAL’
> was missing, so I edited /etc/sysconfig/displaymanager with vi, and
> added the string (of course =“no”).
>
I have no Gnome 3 here, so it is a blind shot. What if you tweak
/etc/pam.d/gdm directly to disallow root access?
auth required pam_succeed_if.so user != root quiet
But I am afraid this is for Gnome 2, so I do not know if that works with
GDM 3.
–
PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.7.3 |
nVidia ION | 3GB Ram
I tried it, because I need to follow security policy that some dude is enforcing : / It’s a Windows environment, and I’m trying to roll out some SuSE images to spruce up the place.
“Don’t do it” unfortunately doesn’t cut it.
Is there ANYTHING that can be done in order to prevent root from logging in?
You’re right, what was I thinking? lawl
Jokes aside though, this is exactly what I am telling
Welp, I guess I went and answered my question. SOMEBODY BLOODY STICKY THIS THREAD! IT IS DISASTROUS FOR FOLKS TO BE ABLE TO LOGIN AS ROOT, AS DEFAULT, IN OPENSUSE. Seriously guise… Other distributions have how-tos on how to enable this- I’m putting up steps on how to avoid it. That’s not the way it should be. Bloody love my geeko
How to disable Gnome shell ‘root’ login:
1. Open up terminal.
2. cd /etc/pam.d
3. vi gdm
4. Before the first line where the ‘auth include’ is, paste in the following line:
auth required pam_succeed_if.so user != root quiet
For archive purposes…
5. Add the same line to gdm-password (not sure if required, going to find out and edit post after)
Edit: Relative to #5. I derped up. I realized moments after posting that gdm-password is a symlink to gdm… Likely for backwards compatibility.
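The procedure above, as an added example that is not code from the thread: a POSIX shell script that puts the pam_succeed_if line in front of the first ‘auth include’ line of a PAM service file, leaves the file alone if the line is already there, and reports whether root would be denied. The sample file it works on is constructed to mirror the layout of /etc/pam.d/gdm on openSUSE 12.1 and is an assumption, as are the column spacing and the function names.

```sh
#!/bin/sh
# Added example, not from the thread: insert the pam_succeed_if deny line
# before the first "auth include" line of a PAM service file and verify it.

# The line from the how-to. "required" means a failing check denies the
# login even though the remaining auth modules still run; "quiet" stops the
# module from logging its own result.
PAM_DENY_ROOT='auth     required   pam_succeed_if.so user != root quiet'

# deny_root_in_pam FILE
# Inserts PAM_DENY_ROOT before the first "auth include" line of FILE.
# A second run is a no-op. Returns 1 and changes nothing if FILE has no
# "auth include" line to anchor on.
deny_root_in_pam() {
    f="$1"
    if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_succeed_if\.so[[:space:]]+user[[:space:]]+!=[[:space:]]+root' "$f"; then
        return 0
    fi
    if ! grep -Eq '^auth[[:space:]]+include[[:space:]]' "$f"; then
        echo "deny_root_in_pam: no 'auth include' line in $f, not touching it" >&2
        return 1
    fi
    tmp="$f.tmp.$$"
    awk -v deny="$PAM_DENY_ROOT" '
        !done && $1 == "auth" && $2 == "include" { print deny; done = 1 }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    # "cat > $f" rather than "mv" so a symlinked service file (the
    # gdm-password -> gdm case above) keeps pointing at its target.
}

# root_denied_by_pam FILE
# Prints "denied" if the deny line sits before the first "auth include"
# line, i.e. before a "sufficient" module inside common-auth could end the
# stack early, else "allowed".
root_denied_by_pam() {
    awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_succeed_if.so" &&
        $4 == "user" && $5 == "!=" && $6 == "root" { found = 1 }
        $1 == "auth" && $2 == "include" { exit }
        END { print (found ? "denied" : "allowed") }
    ' "$1"
}

# Demonstration on a constructed copy of /etc/pam.d/gdm (layout assumed to
# match openSUSE 12.1). On the real box: deny_root_in_pam /etc/pam.d/gdm
demo() {
    sample="$(mktemp)"
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth     requisite      pam_nologin.so' \
        'auth     include        common-auth' \
        'account  include        common-account' \
        'password include        common-password' \
        'session  required       pam_loginuid.so' \
        'session  include        common-session' > "$sample"
    echo "before: root $(root_denied_by_pam "$sample")"
    deny_root_in_pam "$sample"
    deny_root_in_pam "$sample"          # second run is a no-op
    echo "after:  root $(root_denied_by_pam "$sample")"
    grep -c pam_succeed_if "$sample"    # 1
    rm -f "$sample"
}

demo
```

Two things worth keeping in mind: the check only covers the PAM stack of the one service file you pass it, so a display manager other than GDM, or a console login, needs its own look; and, as the thread points out further down, anyone who already has the root password can edit this file back, so it stops accidental GUI root sessions, not a determined one.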
On 2011-11-17 23:16, CommonOddity wrote:
> Is there a way to turn off root from logging in locally? I checked the
> /etc/sysconfig editor, and saw that ‘DISPLAYMANAGER_ROOT_LOGIN_LOCAL’
> was missing, so I edited /etc/sysconfig/displaymanager with vi, and
> added the string (of course =“no”).
>
> However, despite my efforts, I can still log in to Gnome shell as root
Report it as a bug in Bugzilla.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2011-11-18 13:18, DenverD wrote:
> On 11/17/2011 11:16 PM, CommonOddity wrote:
>
>> However, despite my efforts, I can still log in to Gnome shell as root
>
> trick question: How do you know it is possible to log into the Gnome GUI as
> root?
Ha! By testing it. The same way that some organizations pay
hackers^H^H^Hcrackers to try to enter their system.
–
Carlos E. R.
On 18.11.2011 15:36, CommonOddity wrote:
>
> Welp, I guess I went and answered my question. SOMEBODY BLOODY STICKY
> THIS THREAD! IT IS DISASTROUS FOR FOLKS TO BE ABLE TO LOGIN AS ROOT, AS
> DEFAULT, IN OPENSUSE. Seriously guise… Other distributions have
> how-tos on how to enable this- I’m putting up steps on how to avoid it.
> That’s not the way it should be. Bloody love my geeko
>
> How to disable Gnome shell ’root’ login:
>
> 1. Open up terminal.
> 2. cd /etc/pam.d
> 3. vi gdm
> 4. Before the first line where the ‘auth include’ is, paste in the
> following line:
>
>> auth required pam_succeed_if.so user != root quiet
>
> 5. Add the same line to gdm-password (not sure if required, going to
> find out and edit post after)
>
> And BAM. No more root login. Nomnomnom.
>
>
I told you that yesterday.
On 18.11.2011 16:26, CommonOddity wrote:
>
> Wow I am thick. I can’t believe I missed your post mate. My bad.
>
> Credit goes to you then.
>
It is not about credit.
I find it just sad that you lost endless hours now, but of course I am
glad you found the solution yourself, so the credit is of course yours
for figuring it out.
On 11/18/2011 04:26 PM, CommonOddity wrote:
> Credit goes to you then.
no, i get the credit! do NOT give the root password out!!
problem solved!!! (if you can yourself follow the rule to not log into
the GUI as root—which is an admitted problem, huh?)
–
DD
openSUSE®, the “German Automobiles” of operating systems
Ahh, if only life were that simple. One size does not fit all, friend. Were it up to me, that would be the case. However, looking at the hierarchy at my workplace, this is rather impossible. Our NOC department requires a shared box for myriad uses; were I not around and something that requires root access (something as simple as putting in a CD/DVD- since I’ve locked down the machine and instilled strict policies) were needed, my cohorts would be screwed. Plain and simple.
Overall, this is not the problem. I have to respect corporate policy (that I do not dictate). In this situation, what would you do?
Actually, this is hilarious. I just re-read your post, and realize how you call me out on me not being able to follow my own rule by logging in to the GUI (Gnome Shell) as root… What a terrible argument.
And the alternative is? I don’t log in, assume (which, if you were to recall, could make an ass out of you, and some other fellow) that everything is fine until I am met with a surprise later?
No. You test. You check. Just because the cute little checkbox is checked != everything is fine.
Either you troll adequately sir or you fail at logic. Take your pick.
> Ahh, if only life were that simple. One size does not fit all, friend.
> Were it up to me, that would be the case. However, looking at the
> hierarchy at my workplace, this is rather impossible. Our NOC department
> requires a shared box for myriad uses; were I not around and something
> that requires root access (something as simple as putting in a CD/DVD-
> since I’ve locked down the machine and instilled strict policies) were
> needed, my cohorts would be screwed. Plain and simple.
Yes, you may need to do things as root; that is expected. But you do not
need to log in as root to a graphical session. That is absolutely not needed.
–
Carlos E. R.
NOT give out the root password to anyone not smart enough to not log
into the GUI as root (and that means only The Administrator(s) get it,
right)
set up sudo to allow the “cohorts” to put in a CD/DVD…and any
other of the security settings you have implemented to keep the system
safe (but at the same time are willing to let the “cohorts” do those
things anyway–does that really make sense? lock everything down and then give them the key??)…
surely you can make a list of the things you want them to be able to do,
and the things you do not want them to be able to do, and set up sudo to
allow one and not the other…otherwise (the way you have it now)
there is no security other than trusting them to follow your
rules—and, if you trust them to do that then what is the problem ??
i mean, you gave them the root pass and told them not to log in as
root, right?
(so trust them to not…or, don’t give them the pass key)
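One way to carry out the “set up sudo to allow one and not the other” suggestion, as an added example that is not part of DenverD’s post: the over-broad grant next to a least-privilege drop-in for the CD/DVD case, plus a shell function that scans sudoers text for rules that hand out every command. The group name noc, the device /dev/sr0, the mount point /media/cdrom and both fragments are constructed assumptions, not anything from the thread or from openSUSE.

```sh
#!/bin/sh
# Added example, not from the thread: two constructed sudoers fragments and
# a checker for user specifications that grant every command.

# Over-broad: functionally the same as handing out the root password.
WEAK_SUDOERS='%noc ALL=(ALL) NOPASSWD: ALL'

# Least privilege: fixed commands with fixed arguments. Group, device and
# mount point are assumptions. The arguments are spelled out on purpose: a
# bare "/bin/mount" would let the user mount anything with any options.
RESTRICTED_SUDOERS='Cmnd_Alias OPTICAL = /bin/mount /dev/sr0 /media/cdrom, /bin/umount /media/cdrom, /usr/bin/eject /dev/sr0
%noc ALL=(root) NOPASSWD: OPTICAL'

# unrestricted_root_rules
# Reads sudoers text on stdin and prints every user specification whose
# command list is ALL, either directly or through a Cmnd_Alias defined as
# ALL. Exit status 1 if any was found, 0 otherwise. It does not interpret
# #include, host aliases or "!" exclusions; use visudo -c for syntax.
unrestricted_root_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Cmnd_Alias/ {
            name = $2; sub(/=.*/, "", name)
            list = $0; sub(/^[^=]*=/, "", list)
            n = split(list, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
                if (c == "ALL") all_alias[name] = 1
            }
            next
        }
        /^[[:space:]]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            list = $0
            sub(/^[^=]*=/, "", list)                  # drop "user host="
            sub(/^[[:space:]]*\([^)]*\)/, "", list)   # drop "(runas)"
            n = split(list, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
                sub(/^([A-Z]+:[[:space:]]*)+/, "", c)   # drop NOPASSWD: etc.
                if (c == "ALL" || (c in all_alias)) { print $0; bad = 1; break }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demonstration: the weak fragment is flagged, the restricted one passes.
printf '%s\n' "$WEAK_SUDOERS" | unrestricted_root_rules || echo "weak fragment: grants unrestricted root"
printf '%s\n' "$RESTRICTED_SUDOERS" | unrestricted_root_rules && echo "restricted fragment: ok"
```

To deploy the restricted fragment, write it with visudo (or as a 0440 file under /etc/sudoers.d if your /etc/sudoers includes that directory) and run visudo -cf on it first. On openSUSE the stock /etc/sudoers ships with `Defaults targetpw` and an `ALL ALL=(ALL) ALL` rule that is only meant to be used together with it; both have to go, otherwise sudo keeps asking for the root password and the drop-in gains nothing.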
I don’t understand why I am getting misunderstood this much.
For the sake of clarity:
It was NEVER MY INTENTION TO WANT, FIND OUT HOW TO, OR PROMOTE LOGGING IN TO THE GUI AS ROOT. If anything, if you take the time and re-read all my posts, you will find that I’ve been asking how to turn OFF this feature so that NOBODY CAN HAVE THE ABILITY to login as root via GUI.
@ DenverD, I do trust them, but it doesn’t mean that a new hire that I might not be able to train myself (since my position requires I juggle multiple responsibilities and generally places me everywhere at once) would necessarily restrain himself. It doesn’t have to be malicious necessarily… Just a newbie mistake someone might make. So let me ask you, this:
You have plants in your home. You are not always to be at home. Nobody else lives there. HOWEVER, your home has a door. You have a key to this door, and have the ability to share it with others. You’re telling me you would not take extra precautions to make sure nobody can enter your room, despite having to trust complete strangers (well, co-workers that might qualify as ‘acquaintances’) with a key to the house? That is just silly.
Your alternative suggests I simply do not share this key. Ahh… Yes. Simple, right? No. It’s bloody not. Because now the plants are dead.
Think about what you are suggesting here.
The only thing I’ve done is test, on a test box, whether it is possible to login as root to the GUI, and whether there was an easy way (by changing a variable like usual in Gnome 2.x, yast’s /etc/sysconfig editor) to remove the ‘feature’. Why is it that I was suddenly accused of not following sane practice? That’s retarded on so many levels. You’re telling me you would not pen test your network because you trust your default security policy that can be rolled out by <insert vendor’s name here>? Where is the logic in that?
Sigh. It’s not about my “cohorts” (a term which either you’ve attempted to demonstrate as a chiding instrument or you’ve a sudden affinity for), but rather locking it down for EVERYONE ELSE. That is how anything should be locked down. Absolute control should be limited to very few people, I agree- but that itself doesn’t fix everything. Sudo bit, I completely agree with- but arguing my locking the system down is just… Good lord. I think I’m having a mental hernia from trying to understand your approach here man. You’re telling me I shouldn’t worry about any shmuck that might be able to gain physical access? You do everything you can to prevent providing an easy-to-hack target in that scenario. Or maybe you just believe this is unnecessary?
I guess all companies are immune to social engineering (including security companies, right?).
This is silly on many levels.
For that matter, why would you come off as so abrupt in your initial explanations to the point where you’re almost berating a fellow community member asking for some help/questions in general? It’s almost rude. No, I don’t need proper etiquette with regards to something like this, but would it kill you to at least attempt it without coming off as disgustingly arrogant/*******-ish?
THIS IS EXACTLY WHAT CAUSES PEOPLE TO STEER AWAY FROM WONDERFUL FL/OSS COMMUNITIES! Unnecessarily snide remarks and elitism in the face of someone coming to you for help. And before you even use the tired ‘oh well, people ask stupid questions all the time’ rhetoric, bloody save it. I worked in a call center for some time before moving up the food chain. I know the deal. But I still do my best to not be a prick by the end of the day to someone that just doesn’t know/understand, and asks something.
On 11/22/2011 08:06 PM, CommonOddity wrote:
> But I still do my best to not be a prick by the
> end of the day to someone that just doesn’t know/understand
i do not know how to keep a person with the root password from logging
into KDE, GNOME etc as root…it is that simple.
if i offended you it is simply because i do not know how to give the
administrative pass to everyone and then secure the system.
sorry. and, sorry i tried to help you.
i hope when you figure out how to do what you wish you will post the
how-to back to this thread so it will have some value to those who
google in…
and, by the way i used the term “cohorts” because you did.
> i do not know how to keep a person with the root password from logging into
> KDE, GNOME etc as root…it is that simple.
Setting DISPLAYMANAGER_ROOT_LOGIN_LOCAL to no was enough in 11.4 or
thereabouts. Apparently it doesn’t work in 12.1. If that is so, I would
report the bug in bugzilla.
> if i offended you it is simply because i do not know how give the
> administrative pass to everyone and then secure the system.
That is true.
Even if that setting works, they can change it, and enter on purpose.
–
Carlos E. R.