On Fri, Jul 30, 2010 at 07:37:43PM -0400, Kyle McDonald wrote:
> On 7/30/2010 4:54 PM, Will Fiveash wrote:
> > On Fri, Jul 30, 2010 at 04:33:47PM -0400, Kyle McDonald wrote:
> >> On 7/30/2010 4:24 PM, Will Fiveash wrote:
> >>> On Fri, Jul 30, 2010 at 12:44:43PM -0700, David Brodbeck wrote:
> >>>>
> >>>> On Jul 30, 2010, at 12:26 PM, Will Fiveash wrote:
> >>>>> I'm in total agreement from a security aspect (recall that OpenSolaris's
> >>>>> roots are in the enterprise server world and not wide open desktop
> >>>>> land). I would ask you why root shouldn't be a role? Hopefully the
> >>>>> answer won't involve convenience.
> >>>>
> >>>> It can be awkward if you're using LDAP or NIS and the server is down
> >>>> or the client is incorrectly set up.
> >>>>
> >>>> This *can* be worked around by making sure every machine has a valid
> >>>> local user with access to the root role -- sort of. pfexec becomes
> >>>> extremely slow if you have incorrectly configured LDAP -- as in
> >>>> several minutes of waiting to run a single command. I suspect it
> >>>> tries to look up userIDs via LDAP first and has a long timeout. Best
> >>>> to su to root in that situation.
> >>>
> >>> This is a variant of the convenience argument. Systems with root as a
> >>> role require a local user account with Primary Administrator role. When
> >>> I installed OpenSolaris it did the right thing and created such an
> >>> account that does not depend on NIS or LDAP and is thus insulated from
> >>> issues with those servers. That user account should only have local
> >>> paths in the PATH and a local home directory for greater reliability.
> >>>
> >>
> >> I actually like root as a role, but it strikes me that by forcing all
> >> machines to have a single local user with a pw that everyone knows,
> >> you've totally re-opened the hole that this was supposed to close.
> >> Anyone can login as that local user, and assume the root role anonymously.
> >
> > Just because a system has a local user account doesn't imply that
> > everyone should know the password.
>
> Well, 'everyone' in my statement referred to 'all admins' or 'all people
> who traditionally would have had access to the traditional root pw.
>
> Granted, in this config it could be limited further, to the 'core
> admins', but I doubt any enterprise would want only one person to know
> this password, and once 2 people know it, there is no knowing for sure
> who did what.
If the local account password is limited to only a few and only used in
special circumstances like the network being down then this is still much
better than a root account with a password known to many. In addition the
system could have a separate local account for each admin but the bigger
question is whether the auditing can be tampered with.

> >> Isn't there anything that can be done so that these local accounts
> >> aren't needed?
> >
> > Actually, it may be possible to configure a system with no local user
> > accounts but if the network or nameservice is down it may be a hassle to
> > login to that system and may require booting off the install DVD.
>
> Yes, I was asking if there was some way to eliminate that hassle without
> requiring adding a single local account.
>
> One person has suggested making NIS or LDAP cache userinfo locally for
> use when the directory can't be contacted. Windows does a form of this I
> believe.
>
> In theory this caching could be controlled or limited to a subset of
> users I suppose.

I do not know about this, perhaps others can enlighten.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: [email protected]
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/

_______________________________________________
opensolaris-discuss mailing list
[email protected]
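As an added example (not code from this thread or from OpenSolaris), a small audit script for the configuration the thread argues about: it checks that root is declared as a role in user_attr and lists which accounts in the local passwd file can assume it, so directory-only accounts are not mistaken for the local fallback account. The sample user_attr and passwd contents, and the user names jdoe and netadmin in them, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an RBAC configuration for the
# setup discussed above, i.e. root defined as a role and at least one local
# account able to assume it. The user_attr and passwd files are parameters,
# so the checks run against copies or against /etc/user_attr and /etc/passwd.
# user_attr fields: user:qualifier:res1:res2:attr  (attr is key=val;key=val)

# Exit 0 when "root" carries type=role in the given user_attr file.
root_is_role() {
    awk -F: '$1 == "root" && $5 ~ /(^|;)type=role(;|$)/ { found = 1 }
             END { exit found ? 0 : 1 }' "$1"
}

# Print users that are in the local passwd file AND whose user_attr entry
# grants the root role (roles=...,root,...). Accounts known only to NIS or
# LDAP are excluded on purpose: they are exactly the ones that cannot be
# relied on when the directory is unreachable. Args: user_attr passwd
local_root_role_users() {
    awk -F: 'NR == FNR { inpasswd[$1] = 1; next }
             $1 != "root" && ($1 in inpasswd) &&
             $5 ~ /(^|;)roles=([^;]*,)?root(,|;|$)/ { print $1 }' "$2" "$1"
}

# Constructed sample data (hypothetical users): jdoe is a local account,
# netadmin exists only in the directory service and so is not in passwd.
write_sample() {
    cat > "$1/user_attr" <<'EOF'
root::::type=role;auths=solaris.*;profiles=All
jdoe::::type=normal;roles=root;profiles=Primary Administrator
netadmin::::type=normal;roles=root
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
jdoe:x:101:10:Local Admin:/export/home/jdoe:/usr/bin/bash
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
if root_is_role "$sample/user_attr"; then
    echo "root is a role; local accounts able to assume it:"
    local_root_role_users "$sample/user_attr" "$sample/passwd"   # prints: jdoe
else
    echo "WARNING: root is a plain login account, not a role"
fi
```

Run against a live host with `/etc/user_attr /etc/passwd` as the two arguments; an empty list means the machine has no local fallback administrator, the situation the thread describes when the directory is down.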
