Re: Detect if root login is disabled?

[Rodolfo kix Garcia <kix@kix.es>]

On Wed, 07 Dec 2011 15:42:12 +0400, Igor Pashev wrote:
> 07.12.2011 12:53, Daniel Hartwig пишет:
> > Hello
> >
> > I am looking at Bug#516854 and wondering:
> >
> > Is there a robust way for a *user* to detect if root login is
> > disabled?  Would like to perform such a check from an instance of
> > aptitude running as a user account.
> >
> > I am aware of the following method which detects the `passwd -l' 
> > style
> > lock, however, it requires read access to /etc/shadow:
> >
> > io:~# passwd -S root | grep " L " > /dev/null; echo $?
> > 1
> > io:~# passwd -l root
> > passwd: password expiry information changed.
> > io:~# passwd -S root | grep " L " > /dev/null; echo $?
> > 0
> >
> > Thanks

IMO you can't evaluate all possible situations. Example:

1. Disabled in /etc/passwd (easy checking)
2. Disabled in /etc/shadow (you don't have read access)
3. Disabled in PAM
4. passwd -S: ( from manpage: only root user).

  -S     This will output a short information about  the  status  of  
the
	 password for a given account. Available to root user only.)
5. Crazy admin option...

Therefore, there are two options:

1. If you are the admin and you disabled the root user, why you click 
on "became root"? why you need that aptitude checks if the root user is 
disabled? Should aptitude print "Eh! your are cool, you disabled the 
root user"?
2. Disable the option "become root" to print "Run me with sudo"? IMO 
No, because is only for users like the option 1.

Probably this bug should be closed. Is an only an ease for "rare" 
situations.

Best Regards,
kix
--
||// //\\// Rodolfo "kix" Garcia
||\\// //\\ http://www.kix.es/