On Fri, Jul 30, 2010 at 02:05:03PM -0700, David Brodbeck wrote:
> > On Jul 30, 2010, at 1:33 PM, Kyle McDonald wrote:
> > I actually like root as a role, but it strikes me that by forcing all
> > machines to have a single local user with a pw that everyone knows,
> > you've totally re-opened the hole that this was supposed to close.
> > Anyone can login as that local user, and assume the root role anonymously.
>
> It's essentially a "security through obscurity" measure. There's
> still an account with effective access to root privileges, but it's
> not *called* root, so it's slightly harder to target. Sort of like
> renaming the "Administrator" account on Windows.

Depends on the config. Read about RBAC:

http://dlc.sun.com/osol/docs/content/SYSADV6/rbac-1.html

If properly configured it is definitely not a "security through obscurity" measure.

> On the other hand, there are some accountability advantages if you
> enforce the use of a tool that does logging, like "sudo". If everyone
> has their own account and they have to use "sudo" to exercise rootly
> powers, then you have a useful record of who did what. If someone
> just logs in as root you really don't know which of the people who had
> the root password did it. The tradeoff is each account with sudo
> privileges becomes a potential attack surface, so you need to make
> sure your admins are picking good passwords.

pfexec and su are both audited so sudo isn't unique in that regard. One can configure OpenSolaris as you describe using RBAC and privilege capabilities.

I will modify what I wrote earlier about OpenSolaris requiring a local user account that can assume the primary admin role by stating that I may have been wrong about this being required. Certainly it can be useful to have such an account that is not dependent on network services in case the network is down and someone needs to login to the system for administration purposes. This does not imply that anyone should be given the password nor should they.

As for normal administration see RBAC.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: [email protected]
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/

_______________________________________________
opensolaris-discuss mailing list
[email protected]
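The accountability argument in the thread hinges on what the RBAC database actually says: root must be `type=role`, and every account listed with `roles=root` is a named person whose `su`/`pfexec` use gets audited. The following is an added example, not from the thread or from Oracle's tooling, that parses a constructed `user_attr(4)` sample and reports who can assume a given role; the `usermod` lines in the comments are the standard Solaris commands that produce such entries.

```sh
#!/bin/sh
# Added example: audit role assumption in a Solaris RBAC user_attr(4) file.
# The sample below is constructed; on a real system read /etc/user_attr.
# Entries of this shape come from:
#   usermod -K type=role root      # make root a role (no direct login)
#   usermod -R root alice          # let alice assume it via su/pfexec
SAMPLE_USER_ATTR=$(mktemp)
cat > "$SAMPLE_USER_ATTR" <<'EOF'
# user:qualifier:res1:res2:attr   (constructed sample)
root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
alice::::type=normal;roles=root
bob::::type=normal;roles=root,operator
carol::::type=normal;profiles=Basic Solaris User
operator::::type=role;profiles=Operator
EOF

# role_type FILE NAME -> "role", "normal", or empty if NAME is absent.
# If this prints anything but "role" for root, root can still log in directly.
role_type() {
    awk -F: -v n="$2" '$0 !~ /^#/ && $1 == n {
        split($5, kv, ";")
        for (i in kv) if (kv[i] ~ /^type=/) { sub(/^type=/, "", kv[i]); print kv[i] }
    }' "$1"
}

# who_can_assume FILE ROLE -> sorted, space-separated accounts whose roles=
# attribute names ROLE. This is the list you reconcile against real people.
who_can_assume() {
    awk -F: -v r="$2" '$0 !~ /^#/ {
        split($5, kv, ";")
        for (i in kv) if (kv[i] ~ /^roles=/) {
            sub(/^roles=/, "", kv[i]); n = split(kv[i], roles, ",")
            for (j = 1; j <= n; j++) if (roles[j] == r) print $1
        }
    }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

echo "root is type=$(role_type "$SAMPLE_USER_ATTR" root)"
echo "can assume root: $(who_can_assume "$SAMPLE_USER_ATTR" root)"
```

A shared local account that is itself listed under `roles=root` would show up here as one more name; the audit trail is only as good as that list being one entry per person.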
