On 7/30/2010 4:54 PM, Will Fiveash wrote:
> On Fri, Jul 30, 2010 at 04:33:47PM -0400, Kyle McDonald wrote:
>> On 7/30/2010 4:24 PM, Will Fiveash wrote:
>>> On Fri, Jul 30, 2010 at 12:44:43PM -0700, David Brodbeck wrote:
>>>>
>>>> On Jul 30, 2010, at 12:26 PM, Will Fiveash wrote:
>>>>> I'm in total agreement from a security aspect (recall that OpenSolaris's
>>>>> roots are in the enterprise server world and not wide open desktop
>>>>> land). I would ask you why root shouldn't be a role? Hopefully the
>>>>> answer won't involve convenience.
>>>>
>>>> It can be awkward if you're using LDAP or NIS and the server is down
>>>> or the client is incorrectly set up.
>>>>
>>>> This *can* be worked around by making sure every machine has a valid
>>>> local user with access to the root role -- sort of. pfexec becomes
>>>> extremely slow if you have incorrectly configured LDAP -- as in
>>>> several minutes of waiting to run a single command. I suspect it
>>>> tries to look up userIDs via LDAP first and has a long timeout. Best
>>>> to su to root in that situation.
>>>
>>> This is a variant of the convenience argument. Systems with root as a
>>> role require a local user account with Primary Administrator role. When
>>> I installed OpenSolaris it did the right thing and created such an
>>> account that does not depend on NIS or LDAP and is thus insulated from
>>> issues with those servers. That user account should only have local
>>> paths in the PATH and a local home directory for greater reliability.
>>>
>>
>> I actually like root as a role, but it strikes me that by forcing all
>> machines to have a single local user with a pw that everyone knows,
>> you've totally re-opened the hole that this was supposed to close.
>> Anyone can login as that local user, and assume the root role anonymously.
>
> Just because a system has a local user account doesn't imply that
> everyone should know the password.
Well, 'everyone' in my statement referred to 'all admins' or 'all people who traditionally would have had access to the traditional root pw'. Granted, in this config it could be limited further, to the 'core admins', but I doubt any enterprise would want only one person to know this password, and once 2 people know it, there is no knowing for sure who did what.

>
>> Isn't there anything that can be done so that these local accounts
>> aren't needed?
>
> Actually, it may be possible to configure a system with no local user
> accounts but if the network or nameservice is down it may be a hassle to
> login to that system and may require booting off the install DVD.

Yes, I was asking if there was some way to eliminate that hassle without requiring adding a single local account. One person has suggested making NIS or LDAP cache userinfo locally for use when the directory can't be contacted. Windows does a form of this I believe. In theory this caching could be controlled or limited to a subset of users I suppose.

-Kyle

> Note that I have not tried such a config.
>

_______________________________________________
opensolaris-discuss mailing list
[email protected]
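The thread's concern is accountability: once root is a role, which local accounts can assume it, and how many people effectively share them. The script below is an added example, not posted by anyone in this thread and not part of OpenSolaris; it audits a user_attr/passwd pair for exactly that. It assumes the Solaris `user_attr(4)` layout (`user:qualifier:res1:res2:attr`, with `type=role` and `roles=...` in the fifth field) and the standard `passwd(4)` layout, and it runs over constructed sample text rather than the real `/etc/user_attr` and `/etc/passwd` so it can be executed anywhere.

```sh
#!/bin/sh
# Added example: audit "root as a role" configuration using POSIX sh + awk.
# The two SAMPLE_* strings are constructed stand-ins for /etc/user_attr and
# /etc/passwd; point the functions at the real files' contents to use it live.

SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*;profiles=All
kyle::::type=normal;roles=root;profiles=Primary Administrator
backup::::type=normal;roles=root
ops::::type=normal;profiles=Basic Solaris User
ldapadmin::::type=normal;roles=root'

# Only root, kyle and backup exist locally; ldapadmin would come from the
# directory and therefore does not help when LDAP/NIS is unreachable.
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
kyle:x:101:10::/export/home/kyle:/usr/bin/bash
backup:x:102:10::/export/home/backup:/usr/bin/bash'

# root_is_role USER_ATTR_TEXT
#   exit status 0 if root's user_attr entry carries type=role, 1 otherwise.
root_is_role() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" {
            n = split($5, attrs, ";")
            for (i = 1; i <= n; i++) if (attrs[i] == "type=role") found = 1
        }
        END { exit !found }'
}

# root_assumers USER_ATTR_TEXT
#   print every account whose roles= list names root, one per line.
root_assumers() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, attrs, ";")
        for (i = 1; i <= n; i++) {
            if (substr(attrs[i], 1, 6) != "roles=") continue
            m = split(substr(attrs[i], 7), roles, ",")
            for (j = 1; j <= m; j++) if (roles[j] == "root") { print $1; break }
        }
    }'
}

# local_root_assumers USER_ATTR_TEXT PASSWD_TEXT
#   subset of root_assumers that also has a local passwd entry, i.e. accounts
#   that keep working when the name service is down (the thread's "local user
#   with access to the root role").
local_root_assumers() {
    root_assumers "$1" | while read -r user; do
        printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print u }'
    done
}

# count_local_root_assumers USER_ATTR_TEXT PASSWD_TEXT -> integer on stdout
count_local_root_assumers() {
    local_root_assumers "$1" "$2" | wc -l | tr -d ' '
}

# report USER_ATTR_TEXT PASSWD_TEXT -> human-readable summary on stdout
report() {
    if root_is_role "$1"; then
        echo "root is configured as a role"
    else
        echo "WARNING: root is a normal login account, not a role"
    fi
    echo "local accounts able to assume root:"
    local_root_assumers "$1" "$2" | sed 's/^/  /'
    echo "count: $(count_local_root_assumers "$1" "$2")"
}

report "$SAMPLE_USER_ATTR" "$SAMPLE_PASSWD"
```

Each name the report lists is one credential that, if shared, makes role assumption anonymous in exactly the way Kyle describes; a count of one per box with a password known to one person is the configuration the thread is arguing about, and anything higher is worth comparing against the audit trail.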
