John Sonnenschein wrote:
>
> On 10-Jul-07, at 12:28 AM, Doug Scott wrote:
>
>> John Sonnenschein wrote:
>>>
>>> On 9-Jul-07, at 11:23 PM, Tim Bray wrote:
>>>
>>>> On Jul 9, 2007, at 7:28 PM, Richard Elling wrote:
>>>>
>>>>>> Minor point, we don't need to use something as braindead as sudo,
>>>>>> we're Solaris, we can use RBAC.
>>>>
>>>> Remember, every time you take something out that people are used to
>>>> and seemed to work, you increase the Solaris barrier to entry. I've
>>>> been using sudo for years and, silly me, it seemed pretty secure and
>>>> pretty useful. So if you're not going to provide it, there needs to
>>>> be an instantly-accessible explanation of how to achieve the same
>>>> effect with RBAC. -Tim
>>>
>>> I understand that we want to eliminate some barriers to entry, but
>>> why ought we shovel rubbish into the distribution to do so?
>> John,
>> Can you expand on your definition of rubbish. Can you list its
>> defects so we can have a valid reason to exclude it rather than an
>> emotional anti-Linux rhetoric. I have used both RBAC and sudo on
>> Solaris over the years. Both have their good points and bad points. I
>> do not think there is a valid reason to leave either out.
>
> Well, for one, sudo makes every user's password as valuable to an
> attacker as root's.

That depends on how sudo is configured as to what it actually runs. If
you have the need for that level of security, then you can implement a
two factor security policy with PAM. You could also say that having a
shared role password is a problem of RBAC. It would be a nice
improvement in RBAC if a role granted to several users could have a
separate password for each user.

> There's also the problem that a slightly misconfigured sudo can give
> full root access to a potentially malicious user. For example,
> allowing access to something which can in some cases spawn a shell
> essentially makes that user root.

Yes, and the same can be done with RBAC.

> RBAC on the other hand allows you to grant far more well-verified, and
> infinitely finer grained (for example, ACLs granting write
> permissions to individual files) privileges to a user.

Yes it can be very fine-grained, it can also be very broad. It depends
on the amount of effort you put into configuration.

> To be honest, I think doing away with the root account altogether and
> replacing it with a half dozen administrative accounts would be ideal.

While this is an excellent solution for an enterprise, it is extreme
overkill for a home user. You are just making it more difficult to
administer their system. Do you have examples of roles that would be
good for a home user?

> Once the initial shock of the new way of doing things was over, it
> would be an ideal and wonderful change for both home users and
> enterprise users over the 30 year old paradigm of (user | superuser)

I do not think shock treatment is an effective encouragement. They will
just hate the whole of Solaris and not use it!

None of the above is actually a reason to exclude sudo from Nevada, they
are just good arguments to give to a Solaris convert to try RBAC. If
they like it then great. If they don't, then they are still a Solaris
user.

Doug
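
Added example (not part of the original thread and not code from sudo or Solaris): a small Python check for the misconfiguration discussed in the message above, where a sudoers entry allows a program that can spawn a shell. The program lists, the sample entries and the simplified single-line parsing (no aliases, line continuations or escaped commas) are assumptions made for illustration.

```python
import re

# Illustrative, constructed lists (assumptions, not exhaustive).
SHELL_ESCAPE = {"vi", "vim", "less", "more"}   # can start a shell from inside
SHELLS = {"sh", "bash", "ksh", "csh", "zsh"}   # are a shell themselves

# Constructed sample sudoers entries; users and commands are hypothetical.
SAMPLE = """\
alice ALL = (root) /usr/bin/less /var/adm/messages
bob   ALL = (root) NOEXEC: /usr/bin/less /var/adm/messages
carol ALL = (ALL) ALL
dave  ALL = (root) /usr/sbin/svcadm restart apache2, /usr/bin/vi /etc/hosts
erin  ALL = (root) NOPASSWD: /usr/bin/bash
"""

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host = (runas) cmds
TAG = re.compile(r"^([A-Z_]+):\s*")                              # e.g. NOEXEC:, NOPASSWD:

def audit(text):
    """Return (user, command, reason) for entries that amount to a root shell."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        user, cmds = m.groups()
        noexec = False  # a tag applies to the rest of the list until reversed
        for cmd in map(str.strip, cmds.split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            prog = cmd.split()[0]
            base = prog.rsplit("/", 1)[-1]
            if prog == "ALL":
                findings.append((user, prog, "unrestricted"))
            elif base in SHELLS:
                findings.append((user, prog, "shell"))
            elif base in SHELL_ESCAPE and not noexec:
                # NOEXEC stops a dynamically linked program running other commands
                findings.append((user, prog, "shell-escape"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Only bob's entry passes: the same pager that is flagged for alice is accepted once the NOEXEC tag is set.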
