Hi Joe,
On 11 Dec 08 at 18:56, Moore, Joe wrote:
What's the difference between a normal user (jack) being able to
passwordlessly pfexec a root-privileged tar command, vs. having
remote root logins enabled?
If pfexec (or sudo or your root-gaining program of choice) requires
a password, that will eat the beginning of stdin, and you won't have
a valid tar to extract.
There is a huge difference in the AAA model!
When jack pfexecs root, we can find out afterwards that jack did the
pfexec.
When "somebody coming from IP address x.y.z.a" is logged in as
root... nobody can affirm that the action was performed by jack!
It may, or may not, make a difference when "somebody" is a hacker
coming from outside.
In 80% of cases, issues come from inside the company, and... the
mere fact that people have to do things with their own login reduces
some types of problems.
Last but not least, it is a really basic policy to ensure that
"nobody" does not exist in any form on an information system.
Nicolas
_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
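The accountability gap Nicolas describes, as an added example that is not code from this thread or from OpenSolaris. It uses sudo, one of the root-gaining programs Joe names, rather than pfexec, because sudo's syslog record format is well known; Solaris pfexec actions land in the audit trail in a different format that is not modelled here. The sshd "Accepted ... for ... from ..." line is the daemon's real format. The sample log lines, host name and addresses are constructed. The point it shows: a sudo record names the person (jack) behind the root action, while a root login only gives an IP address, which is exactly the "nobody" the policy is meant to exclude.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# sudo's default syslog record (real format; the sample lines below are constructed):
#   sudo:   <invoking user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd's successful-login record (real format):
#   sshd[<pid>]: Accepted <method> for <user> from <ip> port <n> ssh2
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: jack's sudo tar, a direct root ssh login, then jack over ssh.
SAMPLE_LOG = """\
Dec 11 18:56:01 host1 sudo:     jack : TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/usr/bin/tar xpf -
Dec 11 18:57:14 host1 sshd[4242]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
Dec 11 18:58:02 host1 sshd[4250]: Accepted password for jack from 192.0.2.11 port 51240 ssh2
Dec 11 18:58:30 host1 sudo:     jack : TTY=pts/2 ; PWD=/home/jack ; USER=root ; COMMAND=/usr/sbin/useradd mallory
"""


@dataclass
class RootAction:
    actor: Optional[str]   # human account the action can be pinned on; None if unknown
    source: str            # best evidence of origin: an IP, or "local" if no ssh login seen
    detail: str            # what was done as root

    @property
    def attributable(self) -> bool:
        return self.actor is not None


def attribute(lines: List[str]) -> List[RootAction]:
    """Return every action taken as root, with whatever identity the logs support."""
    last_ip: Dict[str, str] = {}   # user -> IP of that user's most recent ssh login
    actions: List[RootAction] = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            last_ip[m["user"]] = m["ip"]
            if m["user"] == "root":
                # A root login is itself a root action; the only origin evidence is the IP.
                actions.append(RootAction(None, m["ip"], f"{m['method']} login as root"))
            continue
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":
            # sudo records the invoking account, so the action stays attributable to a person,
            # and the preceding ssh login (if any) tells us where that person came from.
            actor = m["actor"]
            actions.append(RootAction(actor, last_ip.get(actor, "local"), m["cmd"]))
    return actions


def unattributed(lines: List[str]) -> List[RootAction]:
    """Root actions that cannot be tied to a named person: the gap the policy closes."""
    return [a for a in attribute(lines) if not a.attributable]


if __name__ == "__main__":
    for a in attribute(SAMPLE_LOG.splitlines()):
        who = a.actor if a.attributable else "NOBODY"
        print(f"{who:8s} from {a.source:12s} -> {a.detail}")
    print("unattributed root actions:", len(unattributed(SAMPLE_LOG.splitlines())))
```

Run against real syslog, the `unattributed` list is the detection: any non-empty result means someone obtained root without leaving a named person in the trail, which is what disabling remote root logins (and forcing a per-user path such as pfexec or sudo) prevents.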