I'm new to a lot of things Linux, so this might be basic stuff. We're thinking about setting up a wheel group and removing permissions from root. Not even sure that's possible. We are having a security issue with a brute force attack and want to disable root or remove permissions if they are able to get in. Is there a better method for handling this?
1 Answer
On Root privileges
You can remove root login, root password etc. You will then need some other way to get admin things done, such as:
- adding users to groups
- configuring `sudo` to give fine-grained permissions
- giving users and programs capabilities. root has recently been broken into a number of capabilities, so where you read that you need root to do something, you will now need probably only one capability. To give a program capabilities you use `setcap`, see "What are the different ways to set file permissions etc on gnu/linux"; it is like setuid root, but fine-grained. To give users capabilities, have a look at PAM (I have no idea).
You can reduce root privileges with mandatory access control such as SELinux and similar. These are also new; they limit what a process or user can do. This limitation is in addition to the traditional file permissions and “am I root”/capabilities.
On wheel
Users in group wheel will be able to su to root if they have the password (GNU su does not do this check; it is the only GNU tool I know of that is less capable than other variants). Adding a user to sudo/sudoers (depending on configuration) is often preferable.

ctrl-alt-delor
`/etc/pam.d/su` on how to do that... Other than that, please post your answer as an answer instead of a comment. – derobert Apr 15 '15 at 19:15
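
An added example, not part of the answer or comment above: a POSIX shell audit of the three controls discussed here, namely whether root's password is locked, who is in wheel, and whether `/etc/pam.d/su` restricts su to wheel through pam_wheel. The function names and the sample file contents are constructed for illustration; the paths default to the usual locations and are parameters so the checks can run on copies.

```shell
#!/bin/sh
# Added example: audit root-access hardening. Reading the real /etc/shadow needs root.

# root_pw_locked SHADOW -> exit 0 if root's password field starts with "!" or "*"
root_pw_locked() {
    awk -F: '$1 == "root" { found = 1; if ($2 ~ /^[!*]/) ok = 1 }
             END { exit !(found && ok) }' "$1"
}

# wheel_members GROUP -> prints the member list of group wheel (empty if none)
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# su_requires_wheel PAMSU -> exit 0 if an uncommented auth line enforces pam_wheel.so
# ("sufficient ... trust" is not counted: it grants access, it does not restrict it)
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# audit_root_access [SHADOW] [GROUP] [PAMSU] -> prints findings, exit 1 on any WARN
audit_root_access() {
    shadow=${1:-/etc/shadow} group=${2:-/etc/group} pamsu=${3:-/etc/pam.d/su}
    rc=0
    if root_pw_locked "$shadow"; then echo "OK   root password is locked"
    else echo "WARN root has a usable (or empty) password"; rc=1; fi
    members=$(wheel_members "$group")
    if [ -n "$members" ]; then echo "OK   wheel members: $members"
    else echo "WARN wheel is empty or missing; lock root only after adding an admin"; rc=1; fi
    if su_requires_wheel "$pamsu"; then echo "OK   su is restricted to wheel (pam_wheel)"
    else echo "WARN su is not restricted to wheel"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host) so the audit runs offline.
d=$(mktemp -d)
printf 'root:!:19000:0:99999:7:::\nalice:$6$constructed:19000:0:99999:7:::\n' > "$d/shadow"
printf 'root:x:0:\nwheel:x:10:alice\n' > "$d/group"
printf '# auth required pam_wheel.so\nauth required pam_wheel.so use_uid\n' > "$d/su"
audit_root_access "$d/shadow" "$d/group" "$d/su"
rm -rf "$d"
```

Calling `audit_root_access` with no arguments as root checks the live system files instead of the samples.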