Stephen Potter wrote: ><quote who="Glenn Faden"> > > >>The way this is addressed in Trusted Extensions is that the Fail Safe >>login option is modified to present an su command. If you are authorized >>to assume the root role, and you enter the root password, you have a >>root terminal, even if you're normal login would fail. For example, in >>TX, normal user's can start arbitrary processes in the global zone as >>themselves, but they can still do a Fail Safe login into the global zone >>and su to root. >> >> > >How does TX (and how would this new method) handle centrally administered >accounts when/if the centralized service goes away? If the >LDAP/PowerBroker/KEON/whatever process dies, or the network is not >accessible, and you have to log in as root to fix things. How do you do >that if there are no local accounts? Or, does this mean you always have >to have at least one local account, which in a large corporate >environment, means you might just as well have a root account? > > Yes, it is prudent to have at least one local account that could be used when the nameserver is down. However, this is hardly equivalent to root, since there could be multiple accounts which could assume the root role. The actions would still be audited to the person who assumed the role.
--Glenn
