Gentoo Forums
How to lock (disable) root on slim? [SOLVED]
GOS
Tux's lil' helper


Joined: 09 Sep 2010
Posts: 93
Location: Germany

Posted: Wed Jul 18, 2012 5:08 pm    Post subject: How to lock (disable) root on slim? [SOLVED]

Hello everyone,

I use slim as login manager. Unfortunately it is possible to log in as root.

Therefore my question: Is it possible to disable this behaviour, i.e. that root cannot log in over slim?

Best regards
GOS


Last edited by GOS on Thu Jul 19, 2012 4:43 pm; edited 1 time in total
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6347
Location: /usr/lib64/lv2

Posted: Thu Jul 19, 2012 12:54 pm

I don't think that's possible. By definition, root has all rights and you shouldn't disable any rights for root even if you could, as you could end up not being able to fix something if something gets broken. Logging into Xorg as root is discouraged, but that's only because a regular user's permissions won't allow a random program to run away and destroy everything.

Just log in as your regular user and su when you need to. :)
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.
pidsley
Tux's lil' helper


Joined: 09 Jun 2012
Posts: 80

Posted: Thu Jul 19, 2012 1:17 pm

There are valid reasons for not allowing root login from the display manager (some people even recommend disabling any root login -- just google "disable root login" for some of the reasons).

I don't know if it's possible to disable root login with slim; I don't use it myself, and I've done some searching and have not come up with anything. I know GDM does not allow root login, and I think LightDM doesn't either, so you could switch to one of those if you can't figure out how to disable slim.


Last edited by pidsley on Thu Jul 19, 2012 1:27 pm; edited 2 times in total
Hypnos
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Thu Jul 19, 2012 1:17 pm

Comment out tty7 from /etc/securetty (see the securetty man page)


Interestingly, a rule in /etc/security/access.conf like

Code:
-:root:tty7


should have the same effect, but I don't know which is preferred.
_________________
Personal overlay | Simple backup scheme
GOS
Tux's lil' helper


Joined: 09 Sep 2010
Posts: 93
Location: Germany

Posted: Thu Jul 19, 2012 2:15 pm

Hello,

@pidsley: Unfortunately LightDM doesn't work very well on my machine where slim does. Besides this I don't want to use gnome-stuff anymore. Therefore I chose slim.

@Hypnos: I tried both and it is true that I can disable root login on tty1 to tty6 with both methods. But with slim it's still the same. That means: Slim allows further root-login. Could it be that X has a separate device in /dev that I have to comment out from access.conf?

Best regards
GOS
Hypnos
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Thu Jul 19, 2012 2:29 pm

Reading the man page, in /etc/security/access.conf try

Code:
- : root : :0


Yet another way may be to edit /etc/pam.d/slim
_________________
Personal overlay | Simple backup scheme
Veldrin
Veteran


Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

Posted: Thu Jul 19, 2012 2:32 pm

IIRC you need to block vc/# ttys to block access to X.

so I assume
Code:
-:root:vc/0

in /etc/security/access.conf should be enough. If you are truly paranoid, you can add some more vc.

And as Hypnos already said, the alternative is to edit /etc/securetty, and remove/comment those devices where root should not be able to log in (or only the ttys stated there root login is allowed).

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
GOS
Tux's lil' helper


Joined: 09 Sep 2010
Posts: 93
Location: Germany

Posted: Thu Jul 19, 2012 4:13 pm

Hello again,

root could still log in over slim. Nothing worked.

What I found when I was googling was the following
http://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty

If this is correct (I assume that) then vc/# is only another appellation for tty# if one uses devfs instead of udev. So I think that therefore all settings with vc/# couldn't have an effect.

In the man page of access.conf I saw the entry about X with :0 but is :0 also correct if X runs on tty7?

Any other ideas?
Best regards GOS
Hypnos
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Thu Jul 19, 2012 4:17 pm

GOS wrote:
In the man page of access.conf i saw the entry about X with :0 but is :0 also correct if X runs on tty7?

AFAIK, your X TTY is whatever you see with the command "w".
_________________
Personal overlay | Simple backup scheme
GOS
Tux's lil' helper


Joined: 09 Sep 2010
Posts: 93
Location: Germany

Posted: Thu Jul 19, 2012 4:41 pm

The command "w" was a good hint. "w" told me that the X Window is :0.0

Therefore I tried
Code:
-:root::0.0
and it works :D

Thanks for the help

Best regards
GOS
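
Added example (not part of the thread, and not pam_access's own code): a simplified Python model of how access.conf rules of the form permission:users:origins are evaluated, showing why only the last rule tried above denies root on the display that "w" reported. It assumes first-match-wins, exact token matching plus the ALL keyword, and that the login manager reports the X display name as the origin; the function names and the sample origins are constructed for illustration.

```python
# Added illustration: a simplified model of access.conf evaluation,
# not the real pam_access module. Assumptions: first matching rule wins,
# no match means access is granted, tokens match exactly or via ALL.

def parse_rules(text):
    """Parse lines of the form permission:users:origins."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only: an origin such as ":0.0"
        # begins with a colon and must survive as one token.
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {raw!r}")
        perm, users, origins = parts
        rules.append((perm, users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def _matches(tokens, value):
    return any(tok == "ALL" or tok == value for tok in tokens)

def is_allowed(rules, user, origin):
    """Return True if the login is permitted under the modelled rules."""
    for perm, users, origins in rules:
        if _matches(users, user) and _matches(origins, origin):
            return perm == "+"
    return True  # no rule matched

# Rules tried in the thread, in the order they were posted.
THREAD_RULES = ["-:root:tty7", "- : root : :0", "-:root:vc/0", "-:root::0.0"]
# Constructed sample origins: a text console and the display shown by "w".
CONSOLE, X_DISPLAY = "tty7", ":0.0"

def root_blocked_on_display(rule):
    return not is_allowed(parse_rules(rule), "root", X_DISPLAY)

def report():
    return {rule: root_blocked_on_display(rule) for rule in THREAD_RULES}

if __name__ == "__main__":
    for rule, blocked in report().items():
        print(f"{rule!r:18} blocks root on {X_DISPLAY}: {blocked}")
```

In this model the origin string has to equal what the login session reports, which is why checking the value with "w" before writing the rule settles the question.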