On 02/03/16 11:51, Scott Bonds wrote: > I thought I was being clever by doing all of: > > * disabling root's password
ok. > * disabling SSH login by root ok. > * setting root's shell to /sbin/nologin no. don't do that. > ... but I figure I should take the hint that su is > assumed to work, and if it doesn't, its possible other subtle > breakages in the system will happen. > > Thought I'd share. yep. There are an infinite number of ways to break a system, or at least a much larger number of ways to break than to improve things. You found one. Even the disabling the root password, something I've been doing for well over ten years on OpenBSD turned out to have some risks when doas replaced sudo, as the upgrade would break sudo, but doas wasn't configured yet. Nick.