on Thu May 28 2009, Martin Bochnig <martin-AT-martux.org> wrote: > On Thu, May 28, 2009 at 7:58 AM, Fajar A. Nugraha <[email protected]> wrote: >> On Thu, May 28, 2009 at 12:36 PM, Martin Bochnig <[email protected]> wrote: >>> On Thu, May 28, 2009 at 2:30 AM, David Abrahams <[email protected]> wrote: >>>> >>>> Coming from other unices I find this strange pfexec thing being used in >>>> some places where sudo or su might have been used otherwise, and I'm >>>> trying to figure out its proper application. Can anyone offer a helpful >>>> pointer? >>> >>> >>> In addition to being much more fine-grain-controllable, RBAC offers >>> you the convenience, that you do not need to re-type the password >>> every time you run pfexec. >> >> Note that sudo and su still works as well. >> If you prefer to login directly as root (which is disabled by >> default), you can use pfexec to set root password and edit >> /etc/user_attr and remove "type=role;" from root. >> >> -- >> Fajar > > > Yes, good that you mention. Of course sudo still works and is already > available as IPS package. Search it with "pfexec pkg search -r sudo".
I have already been using it, thanks. It's not that I prefer sudo; I'm just trying to understand the proper place of pfexec in the system. It's a little odd to issue admin commands without ever issuing a password, but I guess sudo doesn't really offer more security since an intruder has probably already got your password if he's logged in as you? > And there is a 3rd option as well: In a failsafe scenario you can boot > whatever other medium (fail-safe mode, another bootable zpool, another > bootenv, a USB stick, LiveCD, NET, whatever ... ) and have root access > from there. > Or, 4th way, just: In single user mode root is not yet a role and a > direct login to the text console is always possible from there. Sure, I'm not at a loss for avenues to root privs. I'm just trying to figure out if there are any guidelines about what to use and when. Thanks, -- Dave Abrahams BoostPro Computing http://www.boostpro.com _______________________________________________ indiana-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
