This repository has been archived by the owner on Dec 30, 2021. It is now read-only.

Is it possible to disable root user completely? #63

Open
nycoe opened this issue Dec 14, 2020 · 1 comment
Labels
question Further information is requested

nycoe commented Dec 14, 2020

Hi,

Thank you for making CentOS available on WSL. It is working great and fits well in my environment. I'm running the latest version 7 converted to WSL2 in Windows 10.

I had one question that I've not been able to resolve. I need to set up WSL on behalf of various users and it needs to be locked down such that a non-root user is all they're able to run under wsl.

I've created two users:
admin and regular
I've given sudo access to the admin account. This is working fine.
I've set the default user to "regular" in /etc/wsl.conf
When a Windows user runs wsl they now get "regular", which is a good start.
But they can also run wsl.exe -u root, so to counter that I've set /sbin/nologin as the root shell. This works to stop wsl.exe -u root, but it doesn't stop wsl.exe -u root -e bash

So here's where I'm stuck. I can't find information on how wsl gets a shell. I see that when I'm in as root using wsl -u root -e bash that my process tree shows that init is the parent of bash, and I just get a standard pty/X as my TTY.

I tried to set up pam_securetty to prohibit access to root from anything but devices listed in an empty /etc/securetty, but this didn't work; I'm still able to get a shell. I also tried pam_listfile to deny based on a list of users in a file, but no luck with that either. I've tried both of the PAM modules in every single pam.d setup file, as using the standard login/password-auth/system-auth files did not do the trick, and I didn't know exactly which PAM config it would use. At this point, I think that whatever WSL is using to get a shell is not PAM aware at all. Does anyone know?

So the end result should be:
default user is 'regular' and that's what the user will run, this user has no password, and is not a sudoer.
admin account is a sudoer, and has a password that the Windows user will not know. Only certain admins will know the password. While the regular Windows user can also run wsl -u admin, they won't be able to sudo, as sudo will prompt them for the admin user's password.
Nobody should be able to run wsl.exe -u root -e bash

Thank you in advance

yuk7 added the question label Dec 15, 2020

yuk7 (Collaborator) commented Dec 15, 2020

WSL instances are containers and cannot use PAM etc.
You can replace, rename, and hide files in the shell, but you can't prevent the root itself from running.
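
An added example, not part of the thread or the project's code: a small audit of the settings the issue describes (default user in /etc/wsl.conf, root's login shell, sudo group membership). It assumes sudo is granted through the wheel group, which the issue does not state, and it runs on constructed sample files; as the reply above says, passing these checks does not stop root from being started.

```shell
#!/bin/sh
# Added example: audits the lockdown settings described in the issue.
# File paths are arguments so it also runs on the constructed samples below.

# Value of "default" in the [user] section of a wsl.conf-style file.
wsl_default_user() {
    awk -F= '
        /^[ \t]*\[/ { in_user = ($0 ~ /^[ \t]*\[user\]/); next }
        in_user && $1 ~ /^[ \t]*default[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Login shell (7th field) of user $2 in passwd file $1.
login_shell() { awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"; }

# True if user $3 is a supplementary member of group $2 in group file $1.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit !hit }' "$1"
}

# audit WSL_CONF PASSWD GROUP: prints findings, returns 1 on any FAIL.
audit() {
    user=$(wsl_default_user "$1"); rc=0
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "FAIL: default user is root or unset"; rc=1
    elif in_group "$3" wheel "$user"; then   # wheel = assumed sudo group
        echo "FAIL: default user '$user' is in wheel"; rc=1
    else
        echo "ok:   default user '$user' is unprivileged"
    fi
    case $(login_shell "$2" root) in
        */nologin|*/false)
            echo "note: root shell is nologin; the issue reports this stops"
            echo "      'wsl.exe -u root' but not 'wsl.exe -u root -e bash'" ;;
        *)  echo "FAIL: root shell is not nologin"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files mirroring the setup in the issue.
d=$(mktemp -d)
printf '[user]\ndefault=regular\n' > "$d/wsl.conf"
printf 'root:x:0:0:root:/root:/sbin/nologin\nregular:x:1001:1001::/home/regular:/bin/bash\n' > "$d/passwd"
printf 'wheel:x:10:admin\n' > "$d/group"
audit "$d/wsl.conf" "$d/passwd" "$d/group"
```

Inside the distribution the same check is `audit /etc/wsl.conf /etc/passwd /etc/group`.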
