Let's learn how to edit the two files mentioned before to apply different restrictions to user access on a Linux system:
- First, we will check the content of the /etc/securetty file using the more command:
more /etc/securetty
As we can see in the preceding screenshot, the file specifies the Terminals on which root is allowed to log in.
- Now, edit the file using any editor of your choice and comment out the tty1 entry as shown here:
Save and exit the editor after making the changes mentioned in the preceding step.
- Now, switch to Terminal tty1 by running the command chvt 1. If we try to log in as root now, we will get the following result:
We can see that the system denied access to the root account. If we still want root privileges, we have to first log in as a normal user and then use the sudo or su command.
- From the same Terminal, when we try to log in from a normal user account, we get logged in as seen here:
- We have already seen how to use the /etc/securetty file to specify access for the root account from any Terminal. Now, let's see how to allow or deny access to specific users.
- The first thing to do is to modify the /etc/pam.d/login file and add the pam_access.so module. This makes PAM read the /etc/security/access.conf file and check logins against the rules we define there.
So we open /etc/pam.d/login, find the line that states #account required pam_access.so, and remove the # to uncomment the line:
- Next, we will define a rule in /etc/security/access.conf. Open the file in any editor and define a rule according to the following syntax:
permission : users : origins
- If we want to deny access to the root account from Terminal tty1 we use the following rule:
- To deny access to user1 we use the following rule:
- If we want to specify multiple usernames in the same rule, we can do it as shown in this rule:
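The following is an added example, not part of the original text: a simplified Python model of how rules in the permission : users : origins syntax are evaluated, where the first matching rule decides and a login that matches no rule is allowed. The three sample rules are constructed for illustration (user2 and user3 are made-up names), and the model handles only literal user names, tty names and the ALL keyword.

```python
# Added example: simplified model of how pam_access evaluates access.conf.
# Handles only literal user names, tty names and the ALL keyword
# (no groups, hosts, networks, LOCAL or EXCEPT).

# Constructed sample rules in "permission : users : origins" form.
SAMPLE_ACCESS_CONF = """\
# deny root on the first virtual console
- : root : tty1
# deny user1 from every origin
- : user1 : ALL
# several user names in one rule, separated by spaces
- : user2 user3 : tty2 tty3
"""


def parse_rules(text):
    """Return a list of (permission, users, origins) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _matches(tokens, value):
    """A field matches if it lists the value or contains ALL."""
    return "ALL" in tokens or value in tokens


def login_allowed(rules, user, tty):
    """First matching rule decides; no match means access is granted."""
    for permission, users, origins in rules:
        if _matches(users, user) and _matches(origins, tty):
            return permission == "+"
    return True


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    for user, tty in [("root", "tty1"), ("root", "tty2"), ("user1", "tty4"),
                      ("user3", "tty2"), ("user3", "tty1"), ("alice", "tty1")]:
        verdict = "allowed" if login_allowed(rules, user, tty) else "denied"
        print(f"{user:6} on {tty}: {verdict}")
```

Because evaluation stops at the first match, a broad deny rule placed above a narrower allow rule for the same user makes the allow rule unreachable, so rule order should be reviewed whenever the file is edited.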