Jan, Gary, See my responses below.
On 3/17/2011 12:37 PM, Gary Winiger wrote:
<snip>
No, other than initial user account will remain untouched.
I have tried and changing root to normal account via 'rolemod -K
type=normal root'
does not have an effect of removing root role from other accounts,
but those other accounts would be no longer able to assume root role.
Yes, thanks Jan for the clarification. As long as those remaining user's role
doesn't have negative impact, I guess leaving them there should be OK and users
won't have the ability to assume that role anymore (which is expected).
Once root is not a role, anyone who knows the root password
can su to root.
Yes, thanks for the clarification, Gary.
If so, it might be good to log this clearly since this might affect
some users who have cron jobs, etc. using the role.
I don't follow. If an account root or foo is a role,
only users granted that role (usermod -K role=) can
assume it (su or su foo); the role cannot be directly
logged into. If an account is not a role, it can be
directly logged into or secondarially assumed with su
by knowlege of the account name and authentication information
(usually just the password)
I don't understand the cron jobs, etc. using the role.
What have I missed?
What I meant is it'd be good to explicitly warn/log that some users who
previously had certain role would no longer be able to assume that role anymore.
If the role wes removed, and users who previously had that role happen to have
some automated scripts (via cron or otherwise) that rely on these roles, it
might provide them with an early warning that certain things may not work as
expected since the role was taken away.
Martin
Gary..
_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
