[arch-general] Initramfs fallback render

Leonid Isaev lisaev at umail.iu.edu
Fri Nov 15 13:22:56 EST 2013

On Fri, 15 Nov 2013 08:33:33 -0800
Anatol Pomozov <anatol.pomozov at gmail.com> wrote:

> Hi
> On Fri, Nov 15, 2013 at 7:02 AM, Thomas Bächler <thomas at archlinux.org> wrote:
> > On 15.11.2013 15:55, Anatol Pomozov wrote:
> >> The "correct" way to disable root completely is to make it expired
> >> "usermod --expiredate DATE_IN_PAST root". I tried it on my machine and
> >> found that pacman is broken. I believe it uses "su" before running
> >> install scripts.

I need to check pacman src, but I find this unlikely.

If pacman called su(1), wouldn't there be an entry in auth.log? Besides,
calling external binaries is a bad practice -- that's what shared libraries
are for.

> >
> > Nothing about disabling the root account is "correct".
> Disabling the root account is typical practice on multi-user machines.
> "sudo" is a much better solution as it allows fine-grained control to
> super-user abilities.

I don't know what you mean by "typical", but I am yet to see a rootless
supercomputer (as you know, these machines usually have ~100 users logged in
at the headnode). 

The _only_ scenario in which disabling root is useful is when you require
audit logs of every administration-related operation, so you use sudo.
Everything else sounds like a false sense of security to me...

Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
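
An added example, not part of the original message: the expiry date that `usermod --expiredate` writes lives in field 8 of the shadow(5) entry, so an expired account can be told apart from one whose password is only locked. The function name, state labels and sample lines are constructed for illustration, and treating "today at or past field 8" as expired is an assumption of this sketch.

```shell
#!/bin/sh
# Classify one shadow(5) line.
# $1 = shadow line, $2 = today as days since 1970-01-01.
account_state() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    # Field 8 is what `usermod --expiredate` writes; empty means no expiry.
    # Assumption: the account counts as expired once today >= field 8.
    if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then
        echo expired
        return 0
    fi
    # Field 2 starting with '!' or '*' cannot match any password.
    case $hash in
        '!'*|'*'*) echo password-locked ;;
        '')        echo no-password ;;
        *)         echo active ;;
    esac
}

# Today's day number, in the same unit as field 8.
today() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample entries (placeholder hashes, not real ones).
SAMPLE_EXPIRED='root:$6$salt$hash:16024:0:99999:7::1:'
SAMPLE_LOCKED='root:!$6$salt$hash:16024:0:99999:7:::'
SAMPLE_ACTIVE='root:$6$salt$hash:16024:0:99999:7:::'

for s in "$SAMPLE_EXPIRED" "$SAMPLE_LOCKED" "$SAMPLE_ACTIVE"; do
    printf '%s -> %s\n' "${s%%:*}" "$(account_state "$s" "$(today)")"
done
```

On a live system the input line would come from `getent shadow root`, run as root.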