[TriLUG] Mandrake root login problem

Tanner Lovelace lovelace at wayfarer.org
Thu Sep 25 16:31:08 EDT 2003 

Daniel Monjar wrote:
> I just installed a new Mandrake 9.1 box... during setup I chose the 
> 'Higher' security setting (where 1 is least security and 4 is most I 
> picked 3).
> 
> It won't let me login as root from the console.  I can login as a normal 
> user and 'su' to root but I can't login to root directly.  I've never 
> seen this before.  I'm assuming it is part of picking 3, correct?

Yep, welcome to the world of msec, mandrake's modular security
tool.  It slices, it dices.. um, I mean, it has a lot of things
it hardens so as to prevent people from breaking into your
system.  Actually, 5 is the highest level you can go.  At level 5,
everything is locked down and you as the administrator have to
explicitly unlock what you want.  I generally run my internet
connected server at either 4 or 5 with custom modifications.
Note also, that the lowest level is 0, which used to be called
(in earlier mandrake versions) "Hello Crackers!" :-)

One of the things it does is to lock the root account from logging
in.  I believe, it does it by removing everything from
/etc/securetty.  Note, however, that if you add in a tty there,
msec is run periodically out of cron to make sure everything stays
hardened.  If you want to change something, you need to go to
/etc/security/msec/ and make local changes there.  Look at
/usr/share/msec/level.* for examples of what to change, and look at
"man msec" for more info too.

As an example, this is part of what I have in my
/etc/security/msec/level.local file:

   from mseclib import *

   accept_icmp_echo(yes)
   allow_reboot(1)
   set_user_umask('022')

I believe this is just straight python.  The first line imports
all the msec stuff.  The next line says to respond to pings.
The third line says to allow local reboots by pressing ctrl-alt-del.
The last line sets the user's umask.  (You can also set root's umask
with set_root_umask.)

In /etc/security/msec/perl.local I have the following:

   /home/*  current                 711
   /proc    current                 755

This lets things like apache get to the user's public_html directories (711)
and let's anyone see proc.

Overall, msec is a very good way of making and keeping your system
secure.  If anything changes, it *will* change it back the next time
it's run.  That can be a little disconcerting at times, however, if you
don't realize what's happening.

For your situation, if you really do want to allow root to login, you
probably need to add something like this to /etc/security/msec/level.local:

   allow_root_login(yes)
   allow_remote_root_login(yes)

Note that you can also set this:

   allow_remote_root_login(without_password)

to only allow remote root logins with appropriate ssh keys.

Hope that helps some.

Cheers,
Tanner
-- 
Tanner Lovelace | lovelace(at)wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
"What is this talk of "release?"  We do not make software "releases."
Our software "escapes" leaving a bloody trail of designers and quality
assurance people in its wake." - MoncriefJM at gvl.esys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 222 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20030925/6d01f514/attachment.pgp>

More information about the TriLUG mailing list