Perhaps some of the confusion comes because the OpenSolaris install sets the initial user account to be Primary Administrator and there are lots of examples of administration with pfexec like "pfexec pkg image-update"
-- joe On Mar 28, 2009, at 7:42 AM, Glenn Faden <Glenn.Faden at sun.com> wrote: > Fredrich Maney wrote: >> On Fri, Mar 27, 2009 at 6:05 PM, Glenn Faden <Glenn.Faden at sun.com> >> wrote: >> [...] >> >> >>> It is a mistake to be telling users to constantly use pfexec. It >>> was not >>> designed for that purpose. We should be telling people to assume >>> roles, via >>> su, or to use sudo. >>> >> >> I'm in the process of taking the root password away from several >> users >> that shouldn't have it (application administrators). Since we are an >> all Solaris shop (at least on the Unix side), I had planned on using >> roles and judicious use of 'pfexec' to also remove our dependency on >> 'sudo' at the same time. Is there some reason I shouldn't do that? >> >> fpsm >> > When you say that you are taking the root password away from users, > I assume you mean that you will change it and not tell them. > However, if you make root a role, then they can't su to root even if > they know the password. When roles are assigned RBAC-aware shells, > like pfsh, they don't need to call pfexec directly; it's done by the > shell. > > Having normal users invoke pfexec directly presents the risk that > any user application could also invoke it without the user's > knowledge. It could be buried in a shell script, for example. That's > why it is safer to use roles. > > --Glenn > _______________________________________________ > security-discuss mailing list > security-discuss at opensolaris.org
