Torrey McMahon wrote: > Joseph Kowalski wrote: >> Bart Smaalders wrote: >>> How will we insure that there are real administrative users present >>> in the password file? >> Are you asserting that installation must create a administrative user >> (as with Ubuntu, Debian, others) or something else? If its "something >> else", >> could you elaborate? >> >> If an administrative user deletes all administrative users from the >> passwd >> file,... well those are the breaks. He got exactly what he wanted. :-) > > Boot off the live CD, mount the image, etc. I guess we should add > something pretty bulletproof to the docs. Perhaps a "fix root access" > utility?
In the case of a single user system, the current architecture suffices, perhaps modulo a missing "sudo" :-). What I'm trying to point out is that the actual problem is that we want to know who did what on the system, which a single root account shared by multiple users thwarts since that account has a single username/password. The proposed replacement is the creation of multiple accounts which have the privilege to become root-like; each belonging to a different administrator so that their actions are clearly attributable. This leverages the current pam modules and provides appropriate logging to see just who was root when the bad thing happened. The result of this, however, is that the same requirements that we make on the root account (local password entry, local home directory, no dependency on network services, etc) now extend to the potentially privileged accounts if they are to be used to repair broken/mis-configured systems. Are there other alternatives to be considered that maintain knowledge of who become root w/o requiring completely separate accounts on each system for each administrator? - Bart -- Bart Smaalders Solaris Kernel Performance barts at cyber.eng.sun.com http://blogs.sun.com/barts "You will contribute more with mercurial than with thunderbird."
