[arch-general] Initramfs fallback render

Anatol Pomozov anatol.pomozov at gmail.com
Fri Nov 15 11:33:33 EST 2013


On Fri, Nov 15, 2013 at 7:02 AM, Thomas Bächler <thomas at archlinux.org> wrote:
> Am 15.11.2013 15:55, schrieb Anatol Pomozov:
>> The "correct" way to disable root completely is to make it expired
>> "usermod --expiredate DATE_IN_PAST root". I tried it on my machine and
>> found that pacman is broken. I believe it uses "su" before running
>> install scripts.
> Nothing about disabling the root account is "correct".

Disabling root account is typical practice on multi-user machines.
"sudo" is much better solution as it allows fine-grained control to
super-user abilities.

> If you disable
> the account, both 'su' and 'sudo' cannot function. You _need_ the root
> account.

"--expiredate" differs from "disabling login" that "--expiredate" does
not allow to "sudo su" and does not allow any other authentication
method (such as ssh keys). Note that "sudo foo" still works even if
root account is expired (sudo ignores expiration date of the
destination account).

More information about the arch-general mailing list