Disabling logging in as root via kickstart? Advice recommendations?

Alex Mikhaelson asked:

This is a two part question. Firstly, I am just looking to validation, if I am doing this correctly since I am not sure how to test this. The goal is to disallow the login of the root account and have everyone use sudo. To achieve this, I am putting a lock on the root account preventing anyone from logging in as root. If the need should arise, I can always make an account with full permissions and run commands intended for root through sudo. This leads me to my second question, but I will ask that near the end.

The reason I am also looking for validation is because when I did research on the topic and how to achieve this, the discussions were old and suggested that people initially set a password via rootpw in their kickstart file, then write a script in %post that edited the /etc/shadow file to set the password to something else, or use !!. I looked at my Amazon EC2 instance to see what Amazon did for the root account and it looks like this:

root:*LOCK*:14600::::::

I am assuming the reason its locked is because of the * and not the *LOCK*. If my assumption is correct, then would:

root:*LOCK*:14600::::::

Be the same as?:

root:*:14600::::::

That being said, in my kickstart file I edited the line about the rootpw to look like the following:

rootpw --iscrypted *

After the installation, my /etc/shadow file looks like the following:

root:*::0:99999:7:::

Therefore my first question is, would this be a correct way to lock the root account?

Secondly, on the topic I mentioned earlier, not using root. Are there any particular circumstances where this is not recommended? If so why would a full access account with sudo (so you have auditing), not suffice?

My answer:


The defined way of locking the root account in a kickstart is with:

rootpw --lock
  • --lock – If this option is present, the root account is locked by default. This means that the root user will not be able to log in from the console. This option will also disable the Root Password screens in both the graphical and text-based manual installation.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.