I have created an EC2 instance with Amazon Linux 2 Image. Access to the instance is only allowed via Session Manager and not via SSH.

I have the following users:

• ec2-user (Created by default)
• ssm-user (Created by default)
• root (Created by default)
• myrootec2-user (My custom root user created by me from Terraform and with password assigned)

I have tried to disable the root user because I only want to be able to perform administrator actions with the user myrootec2-user.

To do so, I have carried out the following steps:

sudo vim /etc/passwd

And then, I have changed:

root:x:0:0:root:/root:/bin/bash
to
root:x:0:0:root:/root:/sbin/nologin

However, depending on the parameter I assign to the sudo command, I can access or not:

sudo su - # Error: This account is currently not available.
sudo -s # OK: Log in to the root user without errors

Why can I log in with the second command? Do you recommend disabling the root user or could I have problems in the future? What alternative would you recommend otherwise, e.g. assigning a password to root?

CodePudding user response：

I have tried to disable the root user because I only want to be able to perform administrator actions with the user myrootec2-user.

You cannot "disable" the root user. You can disable password login and set the root shell to /sbin/nologin, but you'll still need to sudo to run administrative commands.

If you think you can get away without ever running administrative commands, well, that sounds like an interesting challenge. With the right approach to immutable infrastructure you might be able to do it. You would remove all users access to sudo in addition to your stuff, and root would be close to inaccessible at runtime (certain system processes would still use it).

But your system will still need a root user. It's critical to system functionality.