From Fedora Project Wiki
(Change Proposal ready for 2014-04-23 FESCo meeting (#1298))
(obsolete)
 
(5 intermediate revisions by 2 users not shown)
Line 90: Line 90:
The Security Document mentioned above will need to be updated.  [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account]  
The Security Document mentioned above will need to be updated.  [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account]  


[[Category:ChangeReadyForFesco]]
 
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
[[Category:SystemWideChange]]

Latest revision as of 22:36, 19 January 2015

The securetty file is empty by default

Summary

The securetty file is empty by default

Owner

  • Name: quickbooks
  • Email: quickbooks.office@gmail.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 21
  • Last updated: March 20, 2014
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Per: https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account it states:

Method

Disabling root access via any console device (tty).

Description

An empty /etc/securetty file prevents root login on any devices attached to the computer.

Effects

Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:login, gdm, kdm, xdm, Other network services that open a tty

Does Not Affect

Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account: su, sudo, ssh, scp, sftp

More Details

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: echo > /etc/securetty

Warning: A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.

Benefit to Fedora

Fedora will become more secure by default, out of the box, especially for people who don't read the documentation.

Scope

Upgrade/compatibility impact

This change should be only for new installs, that is the Fedora 21 ISO images.


How To Test

1. vi /etc/securetty 2. Make sure it is empty

User Experience

One less work to secure Fedora after a fresh install.

Dependencies

NO

Contingency Plan

  • Contingency mechanism: No Change
  • Contingency deadline: Beta Release
  • Blocks release? No
  • Blocks product?

Documentation

The Security Document mentioned above will need to be updated. https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account

Release Notes

The Security Document mentioned above will need to be updated. https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account