While it is not practical to remove the superuser, it is possible to limit the access the root
user has in the interest of security.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access#sec-Disallowing_Root_Access
I'll include some excerpts, but copying it all would make a large answer, so I'll just give the gist:
The following are four different ways that an administrator can further ensure that root logins are disallowed:
Changing the root shell
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
Disabling root access using any console device (tty)
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether through the console or a raw network interface. This is dangerous, because a user can log in to their machine as root using Telnet, which transmits the password in plain text over the network.
Disabling root SSH logins
To prevent root logins through the SSH protocol, edit the SSH daemon's configuration file, /etc/ssh/sshd_config, and change the line that reads:
#PermitRootLogin yes
to read as follows:
PermitRootLogin no
Using PAM to limit root access to services
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the /etc/pam.d/ directory and make sure the pam_listfile.so module is required for authentication.
All of the sections have more info that I left out, but they can set you onto further reading if it interests you.
SELinux
selinux can be used to take away root privileges on the whole by modifying the selinux context of the service/executable/port/etc. That's getting into a huge topic though, so I'll link the RHEL doc on it rather than going into that a bunch: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index
For a really brutal example restriction, run selinux in enforcing and try: semanage login -a -s user_u root
This would hand out the standard user permissions to the root user (assuming it even runs, I'm not sure, since I don't have a machine to brick at the moment), and restrict it from doing any "root" like actions.
This however could prevent init and a bunch of services from starting, so it might require a lot of other selinux configuration to allow those services to be run as some other user (which could be insanely secure, and insanely difficult to maintain, given that compromising one service wouldn't give any access to others).
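An added audit script (example code, not part of the answer or the RHEL guide) that checks the four settings listed above. It runs against constructed sample files in a temporary directory so it can be tried without touching the live /etc; the sample file names, the /etc/denied_users list path and the check helper are assumptions, and pointing the functions at the real paths audits a host.

```shell
#!/bin/sh
# Added audit example (not from the answer or the RHEL guide): checks the four root
# restrictions described in the answer against constructed sample files in a temp
# dir, so it runs anywhere without touching the live /etc.
TMP=$(mktemp -d)
printf 'root:x:0:0:root:/root:/sbin/nologin\nfred:x:1000:1000::/home/fred:/bin/bash\n' > "$TMP/passwd"
printf '#PermitRootLogin yes\n' > "$TMP/sshd_default"          # shipped default, still commented out
printf 'PermitRootLogin no\n#PermitRootLogin yes\n' > "$TMP/sshd_hardened"
printf 'console\ntty1\n' > "$TMP/securetty"                    # root allowed only on console and tty1
printf 'auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/denied_users onerr=fail\n' > "$TMP/pam_svc"

# 1. Root shell: true only if root's login shell (7th passwd field) is a nologin shell.
root_shell_disabled() {
    shell=$(awk -F: '$1=="root"{print $7; exit}' "$1")
    case "$shell" in /sbin/nologin|/usr/sbin/nologin) return 0 ;; *) return 1 ;; esac
}

# 2. securetty: true if root may log in on the given device. A missing file means
#    every device is allowed (the dangerous case in the text); an empty file allows none.
securetty_allows_root_on() {
    [ -f "$1" ] || return 0
    grep -qx "$2" "$1"
}

# 3. sshd honours only the first uncommented PermitRootLogin, so read just that one;
#    the commented "#PermitRootLogin yes" leaves the compiled-in default in force.
sshd_root_login_disabled() {
    first=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$1")
    [ "$first" = "no" ]
}

# 4. PAM: true if the service file requires pam_listfile.so in the auth stack with
#    sense=deny, i.e. the users in the referenced list are refused.
pam_listfile_denies() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_listfile\.so.*sense=deny' "$1"
}

# Run all four checks; prints one PASS/FAIL line each and fails if any check fails.
audit_root_access() {   # args: passwd securetty sshd_config pam_service_file
    fails=0
    check() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails+1)); fi; }
    check "root shell is nologin"                         root_shell_disabled "$1"
    check "securetty present (root limited to listed ttys)" test -f "$2"
    check "sshd PermitRootLogin no"                       sshd_root_login_disabled "$3"
    check "PAM pam_listfile.so sense=deny"                pam_listfile_denies "$4"
    [ "$fails" -eq 0 ]
}

audit_root_access "$TMP/passwd" "$TMP/securetty" "$TMP/sshd_hardened" "$TMP/pam_svc"
```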
/etc/init that drops its root privileges and creates a shell. The user would be doomed to having console access only, but it's not too different from a non-networked single-user computer from the early 1980's. – Mark Plotnick Jan 31 '18 at 13:26
fred; does that count? Do you want to have multiple users? If so, you pretty much need to have a superuser to be able to run the login program, because it needs to be able to set a process’s UID to any value. Or you could move password verification into the kernel, but there be dragons down that path. Is it OK to have a one-user system, with nologin and password required, like DOS or Windows 95? … (Cont’d) – G-Man Says 'Reinstate Monica' Feb 01 '18 at 20:23