> Yes, and it's dogma. There are plenty of situations
> where root login is the best
> tool for the job.

On your desktop, yes. And even then, not in a GUI.

> That seems a weak argument against it.
> In homogenous environments users can just 'alias
> sudo=pfexec'.
> RBAC is the sysadmin's job problem, not the users',
> and sudo is a
> blunt instrument compared to RBAC.
> 
> Funny that you don't worry too much about homogenous
> environments when
> it comes to
> root's home directory or shell :)

I meant heterogenous environments, not homogenous, which is my mistake.
I do worry about root's home directory, and root's shell; and on all real UNIX 
systems, that shell is `/sbin/sh`, and the home directory is /, and all 
software works, and doesn't break.

Funny, isn't it?

> I'm not sure how that applies to e.g. my laptop, or

Even OS X uses `sudo`. It would have been great to be able to reuse some of the 
code OS X has for `sudo`, or even *gasp* Linux sudo scripts, which I'm sure 
many have running.

But you can't, can you? RBAC won't use those. RBAC tries to reinvent hot water.

> why you are
> worried about sudo vs. rbac when no-one is going
> to login to your machines anyway?

Because I have Linux systems from a sister company, that calls `make` to 
generate DNS payload, SSHes that payload over to my Solaris and HP-UX systems, 
then uses `make` there, which calls `sudo` to automatically generate and deploy 
a Solaris System V package resp. an HP-UX SD-UX product. For example.

And I've got such examples coming out of the wazoo. We're talking highly 
automated, almost intelligent processes, which require no human interaction. On 
thousands of systems.

So don't think such things are for a single user hacking away on his system, or 
a sysadmin scurrying around from system to system.

> This seems to contradict your earlier statement.

No. It's just that many people don't make a distinction between a Development, 
Integration Test, Product Test & Acceptance, and Production environments; I 
however do.
 
 
This message posted from opensolaris.org