7.1. Allow root to login from serial console

The file /etc/securetty lists the devices on which the root user is allowed to log in.

It is usually desirable to have root be able to log in from the console, so add the basename of the serial console device to /etc/securetty.

Figure 7-1. Alter securetty to allow root to log in from the serial console

ttyS0

Almost anyone can now dial into the modem and attempt to guess the root password. Normally we do not allow root to log in from a remote site; rather, we have a normal user log in and then use su or sudo to become root. This gives some traceability.

Unfortunately, the root user needs to be able to log in from the console to fix a full disk. Disk subsystems typically reserve 5% of their space for root's exclusive use.[1] This is enough space for the root user to log in and start deleting the files that filled the disk.
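
The edit from Figure 7-1 as an idempotent shell function, together with a check that lists the serial lines on which root may already log in. This is an added example, not part of the original HOWTO; the function names, the SECURETTY variable and the ttyUSB pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SECURETTY defaults to /etc/securetty; point it at a copy
# to try the functions without touching the live file.
SECURETTY="${SECURETTY:-/etc/securetty}"

# securetty_allow DEVICE
# Accepts "ttyS0" or "/dev/ttyS0" and stores the name without /dev/.
securetty_allow() {
    dev="${1#/dev/}"
    case "$dev" in
        ''|*[!A-Za-z0-9/_-]*) echo "bad device name: $1" >&2; return 2 ;;
    esac
    # Only edit an existing securetty; never create one here.
    [ -f "$SECURETTY" ] || { echo "$SECURETTY not found" >&2; return 1; }
    # -x matches the whole line, so ttyS0 does not match ttyS01;
    # -F treats the name as a literal string, not a regex.
    if grep -qxF -- "$dev" "$SECURETTY"; then
        return 0            # already listed, nothing to do
    fi
    # If the last line lacks a newline, add one so entries do not merge.
    if [ -s "$SECURETTY" ] && [ -n "$(tail -c1 "$SECURETTY")" ]; then
        echo >> "$SECURETTY"
    fi
    printf '%s\n' "$dev" >> "$SECURETTY"
}

# securetty_serial_entries
# Prints the serial devices (ttyS*, ttyUSB*) on which root may log in.
securetty_serial_entries() {
    # Drop comments and surrounding blanks, then keep serial names only.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$SECURETTY" |
        grep -E '^(ttyS|ttyUSB)[0-9]+$'
}
```

Run securetty_serial_entries after any change and confirm that each line it prints is a port where a direct root login is intended.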

Note: securetty and Red Hat's kudzu

kudzu automatically adds the device being used as the console to securetty.

Notes

[1] This is not as inefficient as it may appear. The last 5% of a disk formatted with a general purpose filesystem always performs poorly and is best left empty.