On 02/03/16 11:51, Scott Bonds wrote:
> I thought I was being clever by doing all of:
> 
> * disabling root's password

ok.

> * disabling SSH login by root

ok.

> * setting root's shell to /sbin/nologin

no.  don't do that.

> ... but I figure I should take the hint that su is
> assumed to work, and if it doesn't, it's possible other subtle
> breakages in the system will happen.
> 
> Thought I'd share.

yep.

There are an infinite number of ways to break a system, or at least a
much larger number of ways to break than to improve things.  You found one.

Even disabling the root password, something I've been doing for well
over ten years on OpenBSD, turned out to have some risks when doas
replaced sudo, as the upgrade would break sudo, but doas wasn't
configured yet.

Nick.
