System Administration Guide: Security Services

Restricting Superuser (root) Access on the Console

The superuser account is used by the operating system to accomplish basic functions, and has wide-ranging control over the entire operating system. The superuser account has access to and can execute essential system programs. For this reason, there are almost no security restraints for any program that is run by superuser.

You can protect the superuser account on a system by restricting access to a specific device through the /etc/default/login file. For example, if superuser access is restricted to the console, you can log in to a system as superuser only from the console. If anybody remotely logs in to the system to perform an administrative function, they must first log in with their user login and then use the su command to become superuser. See the following section for detailed instructions.


Note – Restricting superuser login to the console is set up by default when you install the Solaris release.


An alternative to using the superuser account is to set up role-based access control (RBAC). For overview information on RBAC, see Chapter 17, Role-Based Access Control (Overview).

How to Restrict Superuser (root) Login to the Console

  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/default/login file.

  3. Uncomment the following line:


    CONSOLE=/dev/console

    Any users who try to remotely log in to this system must first log in with their user login, and then use the su command to become superuser.

  4. Attempt to log in remotely as superuser to this system, and verify that the operation fails.
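The following script is an added example, not part of the original guide. It audits a login defaults file for the setting from step 3 before you run the remote login test in step 4. The function name audit_console, its result labels, and the rule that any uncommented CONSOLE= line with a value other than /dev/console counts as "other" are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a login defaults file for the CONSOLE restriction.
# audit_console FILE prints one of (labels are this example's own):
#   restricted  - an uncommented CONSOLE=/dev/console line is present
#   commented   - the line exists only in commented-out form
#   other       - an uncommented CONSOLE= line sets a different value
#   missing     - no CONSOLE= line at all
# Exit status is 0 only for "restricted", 2 if the file cannot be read.
audit_console() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    awk '
        /^[ \t]*CONSOLE=/ {                 # uncommented assignment
            v = $0
            sub(/^[ \t]*CONSOLE=/, "", v)   # keep only the value
            sub(/[ \t]+$/, "", v)           # ignore trailing blanks
            active++
            if (v != "/dev/console") other++
            next
        }
        /^[ \t]*#[ \t]*CONSOLE=/ { commented++ }
        END {
            if (active && !other) { print "restricted"; exit 0 }
            if (other)            { print "other";      exit 1 }
            if (commented)        { print "commented";  exit 1 }
            print "missing"; exit 1
        }' "$1"
}

# Demonstration on constructed sample files (not real system files).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '#CONSOLE=/dev/console' > "$dir/before"
    printf '%s\n' '# constructed sample' 'CONSOLE=/dev/console'  > "$dir/after"
    for f in "$dir/before" "$dir/after"; do
        printf '%s: %s\n' "${f##*/}" "$(audit_console "$f")"
    done
    rm -rf "$dir"
}
demo
```

On a live system, call audit_console /etc/default/login. A "restricted" result confirms the file edit only, so the remote login attempt in step 4 is still required.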