On 07/30/10 04:59 AM, Mike DeMarco wrote:
> Build 134: 1) Could anyone please explain why root has been converted
> to a role? I would venture a guess that someone somewhere believes
> that it is more secure to run root as a role. The whole "if root can
> not log directly into the box then someone can not crack the root
> password." Well, I agree that root should not be allowed to log in from
> the net, but locking a root account out of console login relies on the
> user account always being valid, and how much harder is it to hack
> the user then move on to root, especially when the root password is
> the same as the user's? Having root as a role is causing me many
> problems and I am wondering if others are in agreement or
> disagreement with this practice?
It has been possible to configure the root account as a role since
Solaris 8, and it has been a recommended security practice for many
years. Accessing the root role, generally via su(1M), requires that you
first log into a user account that includes root in its list of allowed
roles.
The primary security benefit of this arrangement is attribution. In the
common case where multiple people use the root account to administer the
system, a direct login to that account is anonymous in the sense that it
could be done by anyone who knows the account password. When root is a
role, actions can be attributed to the individual user account used to
assume the role.
In addition, even for a system administered by a single user, making the
root account a role encourages the beneficial least-privilege practice
of using the root account only when necessary instead of running with
full privilege all the time.
It would be interesting to hear what problems you have had with root as
a role. You could of course change root to a regular user account by running
rolemod -K type=normal root
but I wouldn't recommend that unless you can't find another solution.
Scott
--
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
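The attribution argument above rests on two facts recorded in the user_attr database: root carries type=role, and only accounts listing root in their roles= attribute can assume it. The following audit script is an added example, not code from the thread or from Solaris itself; it assumes the user_attr(4) line format user:qualifier:res1:res2:attr with semicolon-separated key=value attributes, and runs against a constructed sample file rather than a live system.

```shell
#!/bin/sh
# Constructed sample of a Solaris user_attr database (assumed format:
# user:qualifier:res1:res2:attr, attr = ;-separated key=value pairs).
SAMPLE_USER_ATTR=$(mktemp)
trap 'rm -f "$SAMPLE_USER_ATTR"' EXIT
cat > "$SAMPLE_USER_ATTR" <<'EOF'
#
# /etc/user_attr  (constructed sample, not copied from a real system)
#
root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
scott::::type=normal;roles=root;profiles=Basic Solaris User
mike::::type=normal;roles=root,operator
operator::::type=role;profiles=Operator
guest::::type=normal
EOF

# Print the type= value of an account ("role" or "normal"). An account
# with no explicit type= attribute is treated as normal.
account_type() {
    # $1 = account name, $2 = path to a user_attr file
    awk -F: -v acct="$1" '
        !/^#/ && $1 == acct {
            n = split($5, kv, ";"); t = "normal"
            for (i = 1; i <= n; i++) if (kv[i] ~ /^type=/) t = substr(kv[i], 6)
            print t; exit
        }' "$2"
}

# List every account whose roles= attribute names the given role; these
# are the identities to which actions taken in that role are attributed.
who_can_assume() {
    # $1 = role name, $2 = path to a user_attr file
    awk -F: -v role="$1" '
        !/^#/ {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] ~ /^roles=/) {
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++) if (r[j] == role) print $1
            }
        }' "$2"
}

echo "root is type: $(account_type root "$SAMPLE_USER_ATTR")"
echo "accounts that may assume root:"
who_can_assume root "$SAMPLE_USER_ATTR"
```

On a real system, point the functions at /etc/user_attr; any account in the second list is one whose password now stands between an attacker and root, which is exactly the concern raised in the quoted message.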