Gary Winiger wrote:
> The discussion seems to have wandered off from what the case
> proposes. Many comments are interesting, don't appear to be this
> case, and could be interesting other cases for some other project
> team to pursue.
>
> The project proposed by this case is to 1) maintain compatibility
> with existing Solaris Roles, Rights Profiles and related mechanisms.
> 2) permit an administrator to configure root to be a no login (passwd
> -N) account should they wish to do so. A side effect, even without
> making root a no login account, is the ability to grant users the
> ability to boot single without the need to share the root password.

Earlier in this thread, I suggested the following change to this part of
the proposal. For single-user login, you don't really need a new
authorization. Instead, sulogin could allow single-user access if the
user authenticates and is allowed to assume the root role. The ability
to assume the root role conveys the same information you would with the
solaris.system.maintenance authorization, and it doesn't require the
administrator to take two separate actions to configure a user with root
access.

I don't believe the project team has responded, either to accept or
reject this minor amendment to the proposal.

Scott
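
The two gating rules discussed in the message above, side by side, as an added example that is not part of the original thread and is not Solaris code. It assumes user_attr(4)-style entries; the sample users, the function names and the simplified matching (no wildcard or profile expansion) are constructed for illustration.

```python
# Constructed user_attr(4)-style entries (user:qualifier:res1:res2:attr).
SAMPLE_USER_ATTR = """\
# constructed sample, not from a real system
root::::type=role
alice::::type=normal;roles=root
bob::::type=normal;roles=root;auths=solaris.system.maintenance
carol::::type=normal;auths=solaris.system.maintenance
dave::::type=normal;profiles=Basic Solaris User
"""

def parse_user_attr(text):
    """Return {user: {key: [values]}}; malformed lines are skipped (fail closed)."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5 or not fields[0]:
            continue
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep and key.strip():
                attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
        db[fields[0]] = attrs
    return db

def can_assume_root(db, user):
    """Role-based rule: 'root' is in the user's roles list.
    Assumption: this only counts when root itself is configured as a role."""
    root_is_role = db.get("root", {}).get("type") == ["role"]
    return root_is_role and "root" in db.get(user, {}).get("roles", [])

def has_maintenance_auth(db, user):
    """Authorization-based rule: exact match only (simplification)."""
    return "solaris.system.maintenance" in db.get(user, {}).get("auths", [])

def single_user_access(db, user, authenticated, rule):
    """Hypothetical gate: the user must authenticate first, then pass the rule."""
    if not authenticated or user not in db:
        return False
    check = can_assume_root if rule == "role" else has_maintenance_auth
    return check(db, user)

if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    for name in ("alice", "bob", "carol", "dave"):
        print(name, single_user_access(db, name, True, "role"),
              single_user_access(db, name, True, "auth"))
```

In this sample, alice holds the root role but was never given the separate authorization, which is the two-step configuration gap the message describes; carol shows the reverse case.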