Someone said to me in private email:

> For a laptop or other single user device this is all completely
> moot. If only one person knows the root password ever, roles
> don't matter. If the machine has multiple users, roles make
> sense.
I replied directly, but I think it is useful for everyone to see the reply (though it isn't necessary for people to know who made that statement to me). This is a slightly revised version of what I replied with.

There is a reason we don't allow root to log in over the network (telnet, rlogin and ssh) by default on Solaris, and haven't done so for a very long time. So root is already partly a role; it is just that that part is enforced by an older bit of code in Solaris. Also consider that MacOS X effectively makes the root account a role by marking it as disabled and NOT assigning it a password.

Roles are NOT just about ensuring that only those with the password can authenticate to the account, but also about ensuring that nobody can log in to it directly. We shouldn't be encouraging people to log in directly as root on the console, especially graphically. Developer or not.

It is also wrong to assume that a laptop or workstation in a non-network-nameservice environment has only one user, or that all of its users are equal. Consider the fast-user switching functionality in Windows, MacOS X and Linux, which we will be getting really soon too with the virtual-consoles project. In that case it is common to have accounts on the laptop for Dad (the admin), Mum (also an admin), and the kids (not the admins) - or, depending on the household, reverse the roles :-)

MacOS X and Windows Vista (even XP to an extent) both now strongly lead you this way during initial installation. In MacOS X (and I believe in Vista - certainly in XP) you need to be explicitly tagged as being an account allowed to use admin functionality. In Solaris one of the ways we do that is to make root a role.

Also consider that in many companies laptops are centrally configured and deployed with local accounts for the users they are given to. Those users aren't allowed to have admin access to those laptops. This is good practice even for Solaris.
While it doesn't fit the developer model, that doesn't mean it isn't valid, and since it is the more secure way it should be the default.

Finally, making root a role on a single-user laptop, where that single user account has the root role, changes only one thing: the ability to log in directly as root - something that we shouldn't (and don't) encourage users to do anyway.

-- Darren J Moffat
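The "explicitly tagged" model described above can be checked from the account database. The following is an added example, not part of the original post or of Solaris itself: a small audit over a `user_attr(4)`-style file that reports whether root is a role and which accounts are allowed to assume it. The sample entries and account names are constructed, and an entry without a `type` key is assumed to be a normal user.

```python
# Added example: audit a Solaris-style user_attr(4) file for "root as a role".
# The sample data is constructed; account names are hypothetical.

SAMPLE_USER_ATTR = """\
# constructed sample: household laptop
root::::type=role;auths=solaris.*;profiles=All
dad::::type=normal;roles=root
mum::::type=normal;roles=root
kid1::::type=normal
"""


def parse_user_attr(text):
    """Return {account: {key: value}} parsed from user_attr(4) text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # user:qualifier:res1:res2:attr
        if len(fields) != 5:
            continue  # malformed entry: skip rather than guess
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        accounts[fields[0]] = attrs
    return accounts


def audit_root_role(text):
    """Report whether root is a role and which accounts may assume it."""
    accounts = parse_user_attr(text)
    # Assumption: an entry with no type= key is a normal (login) account.
    root_type = accounts.get("root", {}).get("type", "normal")
    admins = sorted(
        name for name, attrs in accounts.items()
        if "root" in [r.strip() for r in attrs.get("roles", "").split(",")]
    )
    return {
        "root_is_role": root_type == "role",
        "may_assume_root": admins,
        # root is a role but no account has been assigned it
        "root_role_unassigned": root_type == "role" and not admins,
    }


if __name__ == "__main__":
    print(audit_root_role(SAMPLE_USER_ATTR))
```

On the constructed household sample, root is a role, `dad` and `mum` may assume it, and `kid1` may not.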