-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/25/2014 11:01 AM, John Hodrien wrote:
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
> 
>> Yes, it is "my" job, not sssd's. Currently sssd dictate that no
>> system ever should be allowed to login as root, no matter what.
> 
> SSSD dictates that no system should be allowed to login as root
> via SSSD, and that's not quite the same.  You're a corner case
> where you're working against standard practice, but I can see why
> you think it should be possible to configure SSSD to allow it,
> given that you can strip away these sanity checks from PAM.
> 


Just to reiterate what I said elsewhere in this thread (without CCing
Joakim, sorry):

There are two reasons why SSSD refuses to handle root:

1) If SSSD was to crash, only root is capable of restarting it,
debugging it or otherwise fixing the problem. So if you hit a bug and
SSSD was the mechanism you used to log in as root, it cannot be fixed
short of a reboot (and if the bug happens on every run because there
was a regression in an update, your system is hosed.)

2) Without root in /etc/passwd and /etc/shadow, it's impossible to
boot into single-user mode to fix any issues with the early boot process.

These are the reasons that SSSD doesn't handle the root user. It's not
a matter of a default, it's a matter of protecting users from an
inevitable catastrophe. No matter how hard we try, bugs will always
creep in. If you can't get in to fix them, then a bug becomes a disaster.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQkNmgACgkQeiVVYja6o6O/MQCffI/GNic0XVAKazJkMeDv4aDU
TIYAn0tZLUHAYFUiW1xoNKBITVCJRUdg
=amSE
-----END PGP SIGNATURE-----
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to