The file /etc/securetty controls the devices that the root user can log in upon.
It is usually desirable to have root be able to log in from the console, so add the basename of the serial console device to /etc/securetty.
Almost anyone can now dial into the modem and attempt to guess the root password. Normally we do not allow root to log in from a remote site, rather we have a normal user log in and then use su or sudo to become root. This gives some traceability.
Unfortunately, the root user needs to be able to log in from the console to fix a full disk. Disk subsystems typically reserve 5% of their space for root's exclusive use.[1] This is enough space for the root user to log in and start deleting the files that filled the disk.
securetty and Red Hat's kudzu | |
---|---|
kudzu automatically adds the device being used as the console to securetty. |
[1] | This is not as inefficient as it may appear. The last 5% of a disk formatted with a general purpose filesystem always performs poorly and is best left empty. |