On Dec 2, 2007 5:22 PM, Josh Lange <[EMAIL PROTECTED]> wrote:
> On Dec 2, 2007 7:40 AM, UNIX admin <[EMAIL PROTECTED]> wrote:
> > > This is debatable ... Can you provide pros and cons for this from
> > > your point of view?
> >
> > For example, I have a package that delivers /.cshrc, /.login and
> > /.logout. Determining root's home directory via public interfaces is
> > unreliable, namely because such public interfaces aren't well defined.
> > I could look directly into /etc/passwd, but as "Indiana" clearly shows
> > now, there is no guarantee whatsoever that the home directory field
> > will be at a fixed position. I could also use `finger`, but there's no
> > guarantee that the output won't change, thereby breaking my regex
> > parser for it. For crying out loud, they broke the output of
> > `uname -a`.
>
> "getent passwd root" should be a little more reliable; this works if
> the user is in LDAP/NIS.
>
> > And so what if there are a few /.*rc files lying around in /? How is
> > that a problem? But moving root's home account around does break
> > customer's software.
>
> In our case, we have several public Solaris 10 shell servers. We have
> been changing the path of root to /root so we have a secure place to
> put files we don't want to give users access to (RSA keys, etc., before
> they are installed). It's a lot cleaner than setting the umask, and
> safer than remembering to check file permissions every time (not to
> mention cluttering "/").

I always change any Solaris systems I set up to use /root for root's home
for this very reason. I like being confident that any files created when
logged in as root will go to a relatively "secure place."

Considering Solaris' RBAC capabilities as well, I look for root to be
extinct in the not too distant future. Roles / Profiles are a far better
way to accomplish this. The days of an all-powerful must end if we are to
embrace security.

-- 
Shawn Walker, Software and Systems Analyst
http://binarycrusader.blogspot.com/

"We don't have enough parallel universes to allow all uses of all
junction types--in the absence of quantum computing the combinatorics
are not in our favor..." --Larry Wall
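
The two points made in this thread, resolving root's home through `getent passwd` and keeping that home closed to other users, can be checked together. The script below is an added example, not code posted by anyone in the thread; the function names are hypothetical and it assumes a POSIX `sh` and `awk` (`nawk` on Solaris). Where root's home is `/`, the check fails by design, because `/` has to stay world-readable.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print the home directory, the 6th colon-separated field of one
# passwd(4)-format line, which is the format `getent passwd` emits.
home_from_passwd_line() {
    printf '%s\n' "$1" |
        awk -F: 'NF >= 7 { print $6; found = 1 } END { exit !found }'
}

# Resolve a user's home via the name service switch (files, LDAP, NIS).
home_of() {
    line=$(getent passwd "$1") || return 1
    home_from_passwd_line "$line"
}

# Succeed only if $1 is a real directory (not a symlink), owned by
# user $2, with every group and other permission bit cleared.
dir_is_private() {
    [ -d "$1" ] && [ ! -h "$1" ] || return 1
    ls -ld -- "$1" | awk -v owner="$2" '
        # $1 looks like "drwx------"; characters 5-10 are group+other.
        { ok = (substr($1, 5, 6) == "------" && $3 == owner) }
        END { exit !ok }'
}

# Usage: sh check_home.sh root
if [ $# -eq 1 ]; then
    home=$(home_of "$1") || { echo "cannot resolve user $1" >&2; exit 2; }
    if dir_is_private "$home" "$1"; then
        echo "$home: private to $1"
    else
        echo "$home: open to group/other, a symlink, or not owned by $1" >&2
        exit 1
    fi
fi
```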
