On 7/30/2010 4:24 PM, Will Fiveash wrote:
> On Fri, Jul 30, 2010 at 12:44:43PM -0700, David Brodbeck wrote:
>>
>> On Jul 30, 2010, at 12:26 PM, Will Fiveash wrote:
>>> I'm in total agreement from a security aspect (recall that OpenSolaris's
>>> roots are in the enterprise server world and not wide open desktop
>>> land). I would ask you why root shouldn't be a role? Hopefully the
>>> answer won't involve convenience.
>>
>> It can be awkward if you're using LDAP or NIS and the server is down
>> or the client is incorrectly set up.
>>
>> This *can* be worked around by making sure every machine has a valid
>> local user with access to the root role -- sort of. pfexec becomes
>> extremely slow if you have incorrectly configured LDAP -- as in
>> several minutes of waiting to run a single command. I suspect it
>> tries to look up userIDs via LDAP first and has a long timeout. Best
>> to su to root in that situation.
>
> This is a variant of the convenience argument. Systems with root as a
> role require a local user account with Primary Administrator role. When
> I installed OpenSolaris it did the right thing and created such an
> account that does not depend on NIS or LDAP and is thus insulated from
> issues with those servers. That user account should only have local
> paths in the PATH and a local home directory for greater reliability.
>
I actually like root as a role, but it strikes me that by forcing all machines to have a single local user with a pw that everyone knows, you've totally re-opened the hole that this was supposed to close. Anyone can log in as that local user and assume the root role anonymously. Isn't there anything that can be done so that these local accounts aren't needed?

-Kyle

_______________________________________________
opensolaris-discuss mailing list
[email protected]
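As an added example (not code from this thread or from OpenSolaris), the script below audits the setup Will describes: root carries `type=role` in `user_attr`, and at least one account that can assume it is present in the local `passwd` file rather than only in LDAP/NIS. The two input files are constructed samples in `/etc/user_attr` and `/etc/passwd` format; the `localadmin` and `ldaponly` accounts are assumptions, and the script only needs a POSIX shell and awk, not a Solaris host.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the setup Will describes:
# root carries type=role in user_attr, and at least one account able to assume
# it exists in the LOCAL passwd file, so an LDAP/NIS outage cannot lock admins out.
# Inputs are constructed samples in /etc/user_attr and /etc/passwd format.
ROLES_RE='(^|;)roles=([^;]*,)?root(,[^;]*)?(;|$)'   # roles= list containing root

write_samples() {                  # writes the sample files, prints their directory
  dir=$(mktemp -d)
  cat > "$dir/user_attr" <<'EOF'
root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
localadmin::::type=normal;roles=root;profiles=Primary Administrator
ldaponly::::type=normal;roles=oper,root
EOF
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
localadmin:x:101:10:Local admin:/export/home/localadmin:/usr/bin/bash
EOF
  echo "$dir"
}

# root_is_role USER_ATTR -> exit 0 only if root's entry carries type=role
root_is_role() {
  awk -F: '$1 == "root" && $5 ~ /(^|;)type=role(;|$)/ { ok = 1 } END { exit !ok }' "$1"
}

# root_assumers USER_ATTR -> every account whose roles= list contains root
root_assumers() {
  awk -F: -v re="$ROLES_RE" '$1 !~ /^#/ && $5 ~ re { print $1 }' "$1"
}

# local_root_assumers USER_ATTR PASSWD -> the subset of root_assumers present in PASSWD
local_root_assumers() {
  awk -F: -v re="$ROLES_RE" 'FNR == NR { seen[$1] = 1; next }
                              ($1 in seen) && $5 ~ re { print $1 }' "$2" "$1"
}

# check_root_role_setup USER_ATTR PASSWD -> 0 if root is a role and a local user can assume it
check_root_role_setup() {
  if ! root_is_role "$1"; then
    echo "FAIL: root is not a role"; return 1
  fi
  if [ -z "$(local_root_assumers "$1" "$2")" ]; then
    echo "FAIL: no account in the local passwd file can assume root"; return 1
  fi
  echo "ok: local root assumers: $(local_root_assumers "$1" "$2" | tr '\n' ' ')"
}

d=$(write_samples)
check_root_role_setup "$d/user_attr" "$d/passwd"
```

The `root_assumers` list is the set Kyle is worried about: on a real host, run it against `/etc/user_attr` to see who can assume root, and compare with the local-only subset.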
