On Fri, 15 Nov 2013 08:33:33 -0800 Anatol Pomozov <anatol.pomozov@gmail.com> wrote:
Hi
On Fri, Nov 15, 2013 at 7:02 AM, Thomas Bächler <thomas@archlinux.org> wrote:
On 15.11.2013 15:55, Anatol Pomozov wrote:
The "correct" way to disable root completely is to make it expired "usermod --expiredate DATE_IN_PAST root". I tried it on my machine and found that pacman is broken. I believe it uses "su" before running install scripts.
I need to check pacman src, but I find this unlikely. If pacman called su(1) wouldn't there be an entry in auth.log? Besides, calling external binaries is a bad practice -- that's what shared libraries are for.
Nothing about disabling the root account is "correct".
Disabling the root account is typical practice on multi-user machines. "sudo" is a much better solution as it allows fine-grained control over super-user abilities.
I don't know what you mean by "typical", but I have yet to see a rootless supercomputer (as you know, these machines usually have ~100 users logged in at the headnode). The _only_ scenario in which disabling root is useful is when you require audit logs of every administration-related operation, so you use sudo. Everything else sounds like a false sense of security to me...

Cheers,
--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
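The thread mentions two different ways an account can be "disabled": setting an expiry date in the past with `usermod --expiredate` (shadow(5) field 8, days since 1970-01-01) versus locking the password hash. As an added example that is not part of the thread, the script below classifies a shadow entry into those states; the hashes and entries are constructed samples, not real ones, and the function name is my own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify how a root entry in /etc/shadow
# has been disabled. Field 2 is the password hash, field 8 the account expiry
# expressed as days since 1970-01-01, which is what `usermod --expiredate` sets.
# Constructed sample lines are used so the script runs without reading /etc/shadow.

# classify_shadow_entry LINE [TODAY_DAYS]
# Prints one of: expired, locked, passwordless, active
classify_shadow_entry() {
    local line=$1
    local today=${2:-$(( $(date +%s) / 86400 ))}
    local user hash expire
    IFS=: read -r user hash _ _ _ _ _ expire _ <<EOF
$line
EOF
    # Account expiry (field 8) in the past: PAM account management rejects the
    # account for every service (login, su, sshd with UsePAM), not just passwords.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired; return
    fi
    # passwd -l / usermod -L prefix the hash with '!'. A lone '*' or '!' means no
    # valid password, but key-based or su-from-root access is still possible.
    case $hash in
        '!'*|'*') echo locked; return ;;
        '')       echo passwordless; return ;;
    esac
    echo active
}

# Constructed sample entries (placeholder hashes, not real ones).
ROOT_EXPIRED='root:$6$constructed$hash:15000:0:99999:7::15000:'
ROOT_LOCKED='root:!$6$constructed$hash:15000:0:99999:7:::'
ROOT_ACTIVE='root:$6$constructed$hash:15000:0:99999:7:::'

for e in "$ROOT_EXPIRED" "$ROOT_LOCKED" "$ROOT_ACTIVE"; do
    printf '%s -> %s\n' "${e%%:*}" "$(classify_shadow_entry "$e")"
done
```

On a live system the same check is `sudo chage -l root` for the expiry date and `sudo passwd -S root` for the lock state; the script above only illustrates what those flags change.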