Regarding sudo, I know of plenty of Solaris shops that did not switch from using sudo to RBAC when it was introduced into Solaris. (Mine included.) Sudo does allow commands to be run as "NOEXEC", meaning that it will exit if the command tries to make an exec call. (This closes many of the "holes" with sudo.) Sudo can use any form of PAM authentication, including SecurID tokens. Sudo data can be stored in LDAP.

I would strongly encourage people to consider allowing both methods, as we won't really be encouraging RBAC use if we don't include sudo. People will just grumble and download and install sudo themselves. If we include sudo, we are leading this, and can modify it going forward to integrate with RBAC, if we wish. (I would consider keeping sudo as an unstable interface, to allow us to make these changes going forward.)

Finally, if we are to include it, I would encourage people to look at the 1.7 release, which will soon be available as a "beta".

Another advantage of Sudo is that it is cross-platform. In heterogeneous shops, it will most likely be the primary tool deployed. (Sudo is not a static target, so keep this in mind when making blanket statements regarding its suitability.)

-Brian

P.S. - The statement should be sudo and RBAC, not sudo or RBAC.
_______________________________________________
indiana-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
