On Fri, 15 Nov 2013 08:33:33 -0800 Anatol Pomozov <anatol.pomozov@xxxxxxxxx> wrote:
> Hi
>
> On Fri, Nov 15, 2013 at 7:02 AM, Thomas Bächler <thomas@xxxxxxxxxxxxx> wrote:
> > On 15.11.2013 15:55, Anatol Pomozov wrote:
> >> The "correct" way to disable root completely is to make it expired:
> >> "usermod --expiredate DATE_IN_PAST root". I tried it on my machine and
> >> found that pacman is broken. I believe it uses "su" before running
> >> install scripts.

I need to check the pacman src, but I find this unlikely. If pacman called su(1), wouldn't there be an entry in auth.log? Besides, calling external binaries is a bad practice -- that's what shared libraries are for.

> >
> > Nothing about disabling the root account is "correct".
>
> Disabling the root account is typical practice on multi-user machines.
> "sudo" is a much better solution as it allows fine-grained control of
> super-user abilities.

I don't know what you mean by "typical", but I have yet to see a rootless supercomputer (as you know, these machines usually have ~100 users logged in at the headnode). The _only_ scenario in which disabling root is useful is when you require audit logs of every administration-related operation, so you use sudo. Everything else sounds like a false sense of security to me...

Cheers,
--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
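The thread above distinguishes two different ways an account can be "disabled": expiring it (`usermod --expiredate`, which sets field 8 of the shadow(5) record) versus locking its password (`passwd -l` / `usermod -L`, which prefixes the hash with `!`). An auditor checking whether root is really unusable needs to look at both fields. The following script is an added example, not code from the thread or from any Arch/pacman/shadow project; it classifies shadow(5)-style records and assumes the rule used by the shadow suite that an account whose expiry day is on or before today is expired. The records in `SAMPLE_SHADOW`, the function names, and the hash strings are all constructed for the example.

```shell
#!/bin/sh
# Classify shadow(5)-style records as "expired" (usermod --expiredate with a
# past date, field 8), "locked" (password field starts with '!' or '*', as
# passwd -l / usermod -L produce), "active", or "invalid".
# All records below are constructed samples, not taken from a real system.

SAMPLE_SHADOW='root:$6$constructedhash:15000:0:99999:7::15500:
alice:!$6$constructedhash:15000:0:99999:7:::
bob:$6$constructedhash:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::'

# classify_shadow_entry LINE TODAY_DAYS
#   LINE        one shadow(5) record
#   TODAY_DAYS  today's date as days since 1970-01-01 (the unit field 8 uses)
# Prints exactly one of: expired, locked, active, invalid
classify_shadow_entry() {
    line=$1
    today=$2
    printf '%s\n' "$line" | awk -F: -v today="$today" '
        NF < 8 { print "invalid"; exit }
        {
            pw = $2; expire = $8
            # An expiry date on or before today makes the account unusable
            # regardless of the password state, so it is checked first.
            if (expire != "" && expire + 0 <= today + 0) { print "expired"; exit }
            # An empty password field means login without a password: still active.
            if (pw == "") { print "active"; exit }
            c = substr(pw, 1, 1)
            if (c == "!" || c == "*") { print "locked"; exit }
            print "active"
        }'
}

# audit_accounts TODAY_DAYS
# Prints "<user> <status>" for every record in SAMPLE_SHADOW.
audit_accounts() {
    today=$1
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r entry; do
        user=${entry%%:*}
        printf '%-8s %s\n' "$user" "$(classify_shadow_entry "$entry" "$today")"
    done
}

# Stand-alone run: evaluate the sample records against the real current date.
audit_accounts "$(( $(date +%s) / 86400 ))"
```

Run with any date later than day 15500 (mid-2012) and `root` reports `expired` even though its hash field is intact, while `alice` and `nobody` report `locked` with no expiry set; that is the difference the thread is arguing about, and it is why a check that only inspects the password hash (or only `chage -l`) can miss one of the two states. On a real host the same function can be fed lines from `/etc/shadow` by a privileged reader instead of `SAMPLE_SHADOW`.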