m (Replaced content with "<!--This page is supposed to be a troll page, the owner name is a troll first, and I can't see what will be improved after the change>") |
|||
| Line 1: | Line 1: | ||
<!-- | |||
= The securetty file is empty by default = | |||
== Summary == | |||
The securetty file is empty by default | |||
== Owner == | |||
* Name: [[User:quickbooks| John Doe ]] | |||
* Email: quickbooks.office@gmail.com | |||
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | |||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | |||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | |||
--> | |||
<!--- UNCOMMENT only if this Change aims specific product, working group (Cloud, Workstation, Server, Base, Env & Stacks) | |||
* Product: | |||
* Responsible WG: | |||
--> | |||
== Current status == | |||
* Targeted release: [[Releases/21 | Fedora 21 ]] | |||
* Last updated: March 20, 2014 | |||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | |||
Bugzilla states meaning as usual: | |||
NEW -> change proposal is submitted and announced | |||
ASSIGNED -> accepted by FESCo with on going development | |||
MODIFIED -> change is substantially done and testable | |||
ON_QA -> change is code completed and could be tested in the Beta release (optionally by QA) | |||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | |||
--> | |||
* Tracker bug: <will be assigned by the Wrangler> | |||
== Detailed Description == | |||
Per: [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account] it states: | |||
=== Method === | |||
Disabling root access via any console device (tty). | |||
=== Description === | |||
An empty /etc/securetty file prevents root login on any devices attached to the computer. | |||
=== Effects === | |||
Prevents access to the root account via the console or the network. The following programs are '''prevented''' from accessing the root account:'''login, gdm, kdm, xdm, Other network services that open a tty''' | |||
=== Does Not Affect === | |||
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. | |||
The following programs are '''not prevented''' from accessing the root account: '''su, sudo, ssh, scp, sftp''' | |||
=== More Details === | |||
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: echo > /etc/securetty | |||
Warning: A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication. | |||
== Benefit to Fedora == | |||
Fedora will become more secure by default, out of the box, especially for people who don't read the documentation. | |||
== Scope == | |||
<!-- What work do the developers have to accomplish to complete the change in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | |||
* Proposal owners: implement the change | |||
* Other developers: None | |||
* Release engineering: None | |||
* Policies and guidelines: The Security Document mentioned above will need to be updated. [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account] | |||
== Upgrade/compatibility impact == | |||
This change should be only for new installs, that is the Fedora 21 ISO images. | |||
== How To Test == | |||
1. vi /etc/securetty | |||
2. Make sure it is empty | |||
== User Experience == | |||
One less work to secure Fedora after a fresh install. | |||
== Dependencies == | |||
NO | |||
== Contingency Plan == | |||
* Contingency mechanism: No Change | |||
* Contingency deadline: Beta Release | |||
* Blocks release? No | |||
* Blocks product? | |||
== Documentation == | |||
The Security Document mentioned above will need to be updated. [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account] | |||
== Release Notes == | |||
The Security Document mentioned above will need to be updated. [https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account] | |||
[[Category:ChangeReadyForFesco]] | |||
<!-- When your change proposal page is completed and ready for review and announcement --> | |||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | |||
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) --> | |||
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete--> | |||
[[Category:SystemWideChange]] | |||
Revision as of 10:35, 30 June 2014
The securetty file is empty by default
Summary
The securetty file is empty by default
Owner
- Name: John Doe
- Email: quickbooks.office@gmail.com
- Release notes owner:
Current status
- Targeted release: Fedora 21
- Last updated: March 20, 2014
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Method
Disabling root access via any console device (tty).
Description
An empty /etc/securetty file prevents root login on any devices attached to the computer.
Effects
Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:login, gdm, kdm, xdm, Other network services that open a tty
Does Not Affect
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account: su, sudo, ssh, scp, sftp
More Details
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: echo > /etc/securetty
Warning: A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.
Benefit to Fedora
Fedora will become more secure by default, out of the box, especially for people who don't read the documentation.
Scope
- Proposal owners: implement the change
- Other developers: None
- Release engineering: None
- Policies and guidelines: The Security Document mentioned above will need to be updated. https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account
Upgrade/compatibility impact
This change should be only for new installs, that is the Fedora 21 ISO images.
How To Test
1. vi /etc/securetty 2. Make sure it is empty
User Experience
One less work to secure Fedora after a fresh install.
Dependencies
NO
Contingency Plan
- Contingency mechanism: No Change
- Contingency deadline: Beta Release
- Blocks release? No
- Blocks product?
Documentation
The Security Document mentioned above will need to be updated. https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account
Release Notes
The Security Document mentioned above will need to be updated. https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account