Darren J Moffat wrote:

Maybe I'm the only one that thinks this way, but:

Reading about this topic (turn root account into a RBAC) and some others 
(like the discussions in the SMF list about putting almost all 
information into the SMF repository) it seems to me that Solaris is 
going the "Windows way" to make life complicated.

Fortunately Solaris is still Unix and should not try to mimic another OS.

SMF and RBAC are very useful but plain Solaris should continue to be a 
Unix so that all the people that know Unix can use it without learning 
all new from the beginning.

Only my 2cnt

regards

Bernd

> In the brave new installer world I believe there will be the ability 
> during interactive install to create (normal) users.
>
> From a security perspective this is a perfect opportunity to turn the 
> root account into an RBAC role so that only that user can become root.
>
> Having the root account as a role means it can't login directly on the 
> console and it can only be su'd to by authorised users.
>
> The other thing we might want to consider is giving the user that is 
> created the "Primary Administrator" RBAC profile - this allows them to 
> use pfexec(1) a lot like other systems use a default sudo rule to run 
> any command as uid = 0.  It also gives the user all Solaris 
> authorisations so they can do things like restarting services as 
> themselves, and setting WiFi WEP/WPA keys.
>
> I think however only one question about this should be asked and we 
> should choose if answering this with a yes means make root a role and 
> give the account "Primary Administrator" rights.
>
> I'd suggest for discussion the following text to guide the user if 
> they wish this behaviour or not, the default should be to do this 
> (better security option by default):
>
> "[X] This is the primary or only system administrator account.
>
> Tooltip/Help:
>
> This account will be able to administer the system and create other 
> accounts.  Selecting this option will also make the 'root' account
> a role, this means that only this user (and any future ones explicitly
> authorised) will be able to authenticate as the root user even if they
> know the password; the root account will not be able to login directly.
>
> This is the recommended configuration for a laptop or standalone 
> desktop/workstation.
>


-- 
Bernd Schemmer, Frankfurt am Main, Germany
http://home.arcor.de/bnsmb/index.html

Sooner rather than later the world will change.
                        Fidel Castro
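As an added illustration of the configuration Darren's quoted message describes (not code from either poster): the state it produces lives in the user_attr(4) database, where root carries type=role and the administrator account carries the "Primary Administrator" profile plus the root role. The script below audits a user_attr file for exactly that. The admin commands in the comments are real Solaris usermod(1M) options; the user names alice and bob and the sample database are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: verify that root has been
# turned into a role and that a given user is the primary administrator, by
# reading a user_attr(4) database.
#
# On a live system the conversion Darren proposes is roughly:
#   usermod -K type=role root
#   usermod -P "Primary Administrator" -R root alice
# after which this audit can be pointed at /etc/user_attr.

# user_attr_has USER KEY VALUE FILE
# Return 0 if USER's attribute field (5th colon-separated field, a
# ';'-separated key=value list whose values may be ','-separated lists)
# contains KEY with VALUE among its values.
user_attr_has() {
    awk -F: -v user="$1" -v key="$2" -v want="$3" '
        $1 == user {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                if (substr(kv[i], 1, eq - 1) != key) continue
                m = split(substr(kv[i], eq + 1), vals, ",")
                for (j = 1; j <= m; j++) if (vals[j] == want) found = 1
            }
        }
        END { exit !found }' "$4"
}

# root_is_role FILE: root cannot log in directly only once it is a role.
root_is_role() { user_attr_has root type role "$1"; }

# user_is_primary_admin USER FILE: the account must be allowed to assume the
# root role and must hold the Primary Administrator profile (the profile that
# lets pfexec run commands as uid 0).
user_is_primary_admin() {
    user_attr_has "$1" roles root "$2" &&
    user_attr_has "$1" profiles "Primary Administrator" "$2"
}

# Constructed sample user_attr with hypothetical users alice and bob.
SAMPLE_USER_ATTR=$(mktemp)
cat > "$SAMPLE_USER_ATTR" <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
alice::::type=normal;profiles=Primary Administrator;roles=root
bob::::type=normal;profiles=Basic Solaris User
EOF

# audit_report FILE: human-readable summary of the checks above.
audit_report() {
    if root_is_role "$1"; then
        echo "root: role (no direct login; reachable only via assigned users)"
    else
        echo "root: normal account (direct login possible)"
    fi
    for u in alice bob; do
        if user_is_primary_admin "$u" "$1"; then
            echo "$u: primary administrator (root role + Primary Administrator profile)"
        else
            echo "$u: not a primary administrator"
        fi
    done
}

audit_report "$SAMPLE_USER_ATTR"
```

Run against /etc/user_attr instead of the sample to confirm a real install matches the proposed default; a root entry without type=role is the case the installer option is meant to avoid.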

