> I always change any Solaris systems I set up to use /root for root's
> home for this very reason.
> 
> I like being confident that any files created when logged in as root
> will go to a relatively "secure place."

You should never be logged in as root directly, unless you are on the console, 
in text mode.

That is sysadmin 101.

> Considering Solaris' RBAC capabilities as well, I look for root to be
> extinct in the not too distant future.
> 
> Roles / Profiles are a far better way to accomplish this.

I strongly disagree, for two reasons:

1. if the system engineering has done their job correctly, no interactive 
logging in of any kind, by either the root or ordinary users should take place 
on the system - ever

2. RBAC is present only on Solaris and therefore useless in homogenous 
environments; sudo would have been a much better choice, especially because it 
makes system administration consistent and homogenous.

I do not at all appreciate RBAC.

> The days of an all-powerful must end if we are to embrace security.

I disagree, and very strongly at that. A well-engineered system will never have 
either the root user or any other users logging into it interactively, and a 
correctly secured build will have necessary mechanisms built in and configured 
to begin with.

That is clearly an architectural issue, not a security issue.

A desktop system will be a developer's system, and being a fascist on 
developers is in my experience extremely counter-productive. Not to mention 
that it kills morale, which is unacceptable.
 
 
This message posted from opensolaris.org