Su root or login root

Hi,
I found a customized Linux with an application.
When I log in with the root account and type the password,
it does not allow me to log in.
But if I log in with a specified user and password,
then use the command "su - " and type the root password,
it allows me to switch to the "root" account.
Or if I use "su - root" and type the password, it again does not allow me to log in.
It is strange that I cannot log in if I specify the "root" account.

How do I make this setting?
Please advise in detail.

I have faced a similar type of problem.
For me, the /etc/passwd file was changed like this:

root:x:0:0:root:/root:/bin/false

The login shell was changed to /bin/false.

Hi,
I tried changing the root entry in /etc/passwd to false.
I followed your setting.
But I find I cannot log in at the console as root.
Even when I log in with another non-root account,
I cannot use "su -" to switch to root again.

That is not my case. In my case, I can use "su -" to switch to root again.

Please advise ...

Because of /bin/false, there was a problem. After changing /bin/false to /bin/bash it was OK for me.
Log in with another user, and what is the login shell in the /etc/passwd file?

I have given another user root privilege, so I was able to change the file.

I found that if I use the below

echo > /etc/securetty

then root login at the console is not allowed.

But I log in with another non-root account and use "su - root".
It is still working ...
I need to make "su - root" not work from other non-root accounts.
But "su - " needs to keep working.

Please advise any method .....

The root user is no regular user.
And for security issues, it's not supposed (on any 'real' *nix system != *ubuntu (did suse remove that option yet?)) to log in to the GUI.

You might have better luck removing the users from the admin group (adm) so they won't have permission to log in as root.

Further, a closer inspection of /etc/passwd, as already suggested, seems a good idea.
You don't need to limit root; leave root's values alone. You need to limit the user!

I want to reproduce this in a normal Linux OS.
Please advise how I can do this .....

Remove users from the 'admin' or 'wheel' groups if you don't want them to su.

No. The case I want to reproduce is:

I can use "su -" in a non-root user account to switch to "root". But the command "su - root" is disabled.
Login from the console with the root account is also disabled.

Please advise how I can make this setting in a normal Linux OS.

:confused: That does not make sense. "su -" and "su - root" do the same thing.

It is true. That is what I find in the strange CentOS Linux OS.
I want to know how to reproduce it in a normal CentOS Linux OS ...
Please advise in detail....

I have a hard time believing that what you say is true. But if it is true, the most probable source of the strange behavior is the file /etc/pam.d/su, and this is a text file that you can examine and modify with an editor. Compare the file on the strange OS with the file on the normal OS. If they are different, try copying the file from the strange to the normal.

If this works please post the contents of the file. It will only be a few lines.

Hi.

I don't know anything about pam, but going with the reply from Perderabo, on a system such as:

OS, ker|rel, machine: Linux, 2.6.32-358.23.2.el6.centos.plus.x86_64, x86_64
Distribution        : CentOS 6.4 (Final)

The 2 su's behave similarly:

vm-centos ~ $ su -
Password: 
root vm-centos ~ $ pwd
/root
root vm-centos ~ $ exit
logout
vm-centos ~ $ su - root
Password: 
root vm-centos ~ $ pwd
/root

And here is the content of file /etc/pam.d/su for comparison:

$ cat /etc/pam.d/su
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		include		system-auth
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		optional	pam_xauth.so

Good luck ... cheers, drl

Hi,
What is the function of the line below?

account sufficient pam_succeed_if.so uid = 0 use_uid quiet

If the user running the command has a uid of zero that is enough to succeed.

And these modules should all have man pages. At least they do on RedHat.
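
The thread points at three files that decide whether root can log in or be reached through su: the root shell in /etc/passwd, /etc/securetty, and /etc/pam.d/su. The script below is an added example, not part of any post above; it reports the state of each file so the "strange" and the "normal" system can be compared. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the settings discussed in this thread.
# Paths are arguments so copies from two systems can be compared.

# Login shell (7th field) of the root entry in a passwd-format file.
root_shell() { awk -F: '$1 == "root" { print $7; exit }' "$1"; }

# missing | empty (no tty listed, as after `echo > /etc/securetty`) | lists-ttys
securetty_state() {
    [ -f "$1" ] || { echo missing; return; }
    if grep -Eqv '^[[:space:]]*(#|$)' "$1"; then echo lists-ttys; else echo empty; fi
}

# required (only wheel members may su) | trust | off (line absent or commented)
su_wheel_state() {
    ws='[[:space:]]+'
    if grep -Eq "^[[:space:]]*auth${ws}required${ws}pam_wheel\.so" "$1"; then
        echo required
    elif grep -Eq "^[[:space:]]*auth${ws}sufficient${ws}pam_wheel\.so.*trust" "$1"; then
        echo trust
    else
        echo off
    fi
}

# Summary for the files under a root prefix ("" means the live system).
audit() {
    echo "root shell: $(root_shell "$1/etc/passwd")"
    echo "securetty:  $(securetty_state "$1/etc/securetty")"
    echo "su wheel:   $(su_wheel_state "$1/etc/pam.d/su")"
}

# Constructed sample tree mirroring the thread: root's shell set to
# /bin/false, securetty emptied, pam_wheel line left commented out.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    echo 'root:x:0:0:root:/root:/bin/false' > "$d/etc/passwd"
    echo > "$d/etc/securetty"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        '#auth required pam_wheel.so use_uid' \
        'auth include system-auth' > "$d/etc/pam.d/su"
    echo "$d"
}

sample=$(make_sample) && audit "$sample" && rm -rf "$sample"
```

Running `audit ""` reads the live /etc files; running it against a copied tree from each machine gives two summaries to diff.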