Another solution would be if the network service (NIS, LDAP) client supported some form of local caching when disconnected from a server (sounds like a good RFE :P).
On Fri, Jul 30, 2010 at 4:31 PM, Will Fiveash <[email protected]> wrote:
> On Fri, Jul 30, 2010 at 02:05:03PM -0700, David Brodbeck wrote:
>>
>> On Jul 30, 2010, at 1:33 PM, Kyle McDonald wrote:
>> > I actually like root as a role, but it strikes me that by forcing all
>> > machines to have a single local user with a pw that everyone knows,
>> > you've totally re-opened the hole that this was supposed to close.
>> > Anyone can login as that local user, and assume the root role anonymously.
>>
>> It's essentially a "security through obscurity" measure. There's
>> still an account with effective access to root privileges, but it's
>> not *called* root, so it's slightly harder to target. Sort of like
>> renaming the "Administrator" account on Windows.
>
> Depends on the config. Read about RBAC:
> http://dlc.sun.com/osol/docs/content/SYSADV6/rbac-1.html
> If properly configured it is definitely not a "security through
> obscurity" measure.
>
>> On the other hand, there are some accountability advantages if you
>> enforce the use of a tool that does logging, like "sudo". If everyone
>> has their own account and they have to use "sudo" to exercise rootly
>> powers, then you have a useful record of who did what. If someone
>> just logs in as root you really don't know which of the people who had
>> the root password did it. The tradeoff is each account with sudo
>> privileges becomes a potential attack surface, so you need to make
>> sure your admins are picking good passwords.
>
> pfexec and su are both audited so sudo isn't unique in that regard. One
> can configure OpenSolaris as you describe using RBAC and privilege
> capabilities.
>
> I will modify what I wrote earlier about OpenSolaris requiring a
> local user account that can assume the primary admin role by stating
> that I may have been wrong about this being required. Certainly it can
> be useful to have such an account that is not dependent on network
> services in case the network is down and someone needs to login to the
> system for administration purposes. This does not imply that anyone
> should be given the password nor should they. As for normal
> administration see RBAC.
>
> --
> Will Fiveash
> Oracle
> Note my new work e-mail address: [email protected]
> http://opensolaris.org/os/project/kerberos/
> Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
> _______________________________________________
> opensolaris-discuss mailing list
> [email protected]
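The thread's point is that "root as a role" only closes the anonymity hole if you know exactly which accounts can assume that role. The script below is an added example, not code from the thread or from OpenSolaris: it parses the Solaris user_attr(4) format (`user:qualifier:res1:res2:attr`, with `attr` a `;`-separated list of `key=value` pairs such as `type=role` and `roles=root`) and reports whether root is a role and which accounts are allowed to assume it. The `SAMPLE_USER_ATTR` content is constructed for the example, not taken from a real system.

```python
"""Audit which accounts can assume the root role from a user_attr(4)-style file.

Added example for the discussion above. It reads the user_attr format
(user:qualifier:res1:res2:attr) and answers two questions a reviewer of the
thread would want answered: is root configured as a role, and who may assume it?
"""

# Constructed sample of /etc/user_attr content (not from a real system).
SAMPLE_USER_ATTR = """\
# comment line, ignored by the parser
root::::type=role;auths=solaris.*;profiles=All
alice::::roles=root;profiles=Basic Solaris User
bob::::profiles=Basic Solaris User
carol::::roles=root,oper
"""


def parse_user_attr(text):
    """Return {username: {key: value}} for each non-comment, well-formed line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess at its meaning
        name = fields[0]
        attr = ":".join(fields[4:])  # attr field may itself contain ':'
        attrs = {}
        for kv in attr.split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                attrs[key.strip()] = value.strip()
        entries[name] = attrs
    return entries


def is_role(entries, name):
    """True when the account is declared with type=role (cannot log in directly)."""
    return entries.get(name, {}).get("type") == "role"


def users_with_role(entries, role):
    """Sorted list of accounts whose 'roles' attribute includes the given role."""
    result = []
    for user, attrs in entries.items():
        roles = [r.strip() for r in attrs.get("roles", "").split(",") if r.strip()]
        if role in roles:
            result.append(user)
    return sorted(result)


def audit_root_role(text):
    """Summarise root's role status and the accounts that may assume it."""
    entries = parse_user_attr(text)
    return {
        "root_is_role": is_role(entries, "root"),
        "can_assume_root": users_with_role(entries, "root"),
    }


if __name__ == "__main__":
    report = audit_root_role(SAMPLE_USER_ATTR)
    print("root is a role:", report["root_is_role"])
    print("accounts that can assume root:", ", ".join(report["can_assume_root"]))
```

Run against a real `/etc/user_attr` (read the file and pass its contents to `audit_root_role`), the list of accounts that can assume root is the set you have to keep to named, individual people; a single shared entry in that list is the anonymous-access hole Kyle describes, whatever the entry is called.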
