System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

password policy on Linux servers

iinfi1
Super Advisor

password policy on Linux servers

Hi all,
we have sles (suse) servers in production. x86_64 and ia-64.
though OS users consist of only the DBA and myself they have told me to implement strict password policy on the servers including password lockout policy for system accounts.
I am reading this article.
http://www.techrepublic.com/article/enable-password-aging-on-linux-systems/6113711

if a oracle db user gets locked, wont the db stop working? i have seen many sites where there is not lockout policy on system accounts.
what happens if the root user gets locked?

do the password policies in the article apply to root user also?
What happens when root user gets
2 REPLIES
Matti_Kurkela
Honored Contributor

Re: password policy on Linux servers

Locking an account only means that new shell sessions cannot be established for that account using the normal login services. Any existing processes on that account will keep running, unless the administrator explicitly kills them.

The root account can start processes on any account that exists on the system, whether it's locked or not. The system start-up scripts are normally run as root: if a service (like an Oracle database) runs as some other user, then either the start-up script or the service itself includes commands or system calls to switch to the correct account.

For example, even if the "oracle" account is locked, someone (or a system start-up script) running as root will have no trouble running a command like "su oracle /some/place/start-oracle.sh".

System accounts that are dedicated to some specific purpose (like the "oracle" account) should ideally be always locked: all access through them should be through sudo or a similar tool that allows authorized users to access designated accounts *with the user's personal password*, not with the account password.

This is probably why system account lockout policy is unnecessary on some sites: the system accounts are *already* locked (in the sense of "not useable for regular logins").

> what happens if the root user gets locked?

This may or may not be handled as a special case, depending on the PAM library versions used in your Linux distribution. If there is no special case, and there is no tool like sudo to allow access to the root account, you will have to reboot the system to single-user mode to change the root password and restore access.

If a special case exists, it usually allows root logins from the system console (*only*) even though the root account is technically "expired". (In fact, in a security-hardened system, you should normally be prevented from logging in the system as root, unless you are logging in on the system console. You should login as your personal account, then use su or sudo to get root access.)

From the two cases above, you should understand that if you can access the system physically, no password lockout policy can keep you out of the system if you really want in.

The purpose of password policies is to minimize the threat of an unauthorized person getting access to the system.

A lockout policy makes it unlikely for unauthorized person to guess the correct password: after a number of tries, the target account will be locked and even the right password will not work.

A password expiration policy limits the usefulness of passwords recovered by spying: if a password-containing note is found, it will be useless to anyone if it's older than the password expiration time. If you accidentally notice another employee's password, your information will be guaranteed useless after one password expiration cycle, so the temptation to memorize other users' passwords will be minimized.

Running applications on purposely-created, locked accounts (usually called "system accounts") is useful because it allows the sysadmin to restrict what the application can access. If all the applications were run as root, the system would not be very secure: any exploitable bug in any application could allow a malicious person to take control of the entire system. If an application that runs on a separate account is successfully attacked, only the data that is accessible to that account is at risk.

MK
MK
iinfi1
Super Advisor

Re: password policy on Linux servers

thank you Matti for your reply.

our security team was talking about giving another user root access and assigning a complex password to root and keeping it under lock and key.
they want a password lockout policy and password complexity set for non-root users (including the normal user for which root privileges) and nothing for root user.

i dont find a suse document on this. is modifying PAM on a production environment safe without Novell support?