On Fri, Jul 30, 2010 at 12:44:43PM -0700, David Brodbeck wrote:
> 
> On Jul 30, 2010, at 12:26 PM, Will Fiveash wrote:
> > I'm in total agreement from a security aspect (recall that OpenSolaris's
> > roots are in the enterprise server world and not wide open desktop
> > land).  I would ask you why root shouldn't be a role?  Hopefully the
> > answer won't involve convenience.
>
> It can be awkward if you're using LDAP or NIS and the server is down
> or the client is incorrectly set up.
> 
> This *can* be worked around by making sure every machine has a valid
> local user with access to the root role -- sort of.  pfexec becomes
> extremely slow if you have incorrectly configured LDAP -- as in
> several minutes of waiting to run a single command.  I suspect it
> tries to look up userIDs via LDAP first and has a long timeout.  Best
> to su to root in that situation.

This is a variant of the convenience argument.  Systems with root as a
role require a local user account with Primary Administrator role.  When
I installed OpenSolaris it did the right thing and created such an
account that does not depend on NIS or LDAP and is thus insulated from
issues with those servers.  That user account should only have local
paths in the PATH and a local home directory for greater reliability.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.five...@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
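
An added example, not part of the original message or of OpenSolaris: a POSIX shell check for the point made in the reply above, that the account able to assume the root role should not depend on NIS or LDAP. It reads only the local passwd and user_attr files; the sample entries, the account names and the `/export/home/` prefix used to judge a home directory as local are assumptions.

```shell
#!/bin/sh
# Added example: report accounts that may assume the root role according to
# the LOCAL user_attr file, and whether each one also exists in the LOCAL
# passwd file with a home directory under a local prefix.
# Real use: local_root_admins /etc/passwd /etc/user_attr
# Solaris note: the legacy /usr/bin/awk lacks -v; use nawk there.
local_root_admins() {
    passwd_file=$1; user_attr_file=$2
    prefix=${3:-/export/home/}   # assumption: local homes live under this path
    awk -F: -v prefix="$prefix" '
        # First file (local passwd): remember each user home directory.
        FILENAME == ARGV[1] { if ($0 !~ /^#/ && NF >= 6) home[$1] = $6; next }
        # Second file (user_attr): user:qualifier:res1:res2:attr
        /^#/ || NF < 5 { next }
        {
            roles = ""; has_root = 0
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) roles = substr(kv[i], 7)
            m = split(roles, r, ",")
            for (i = 1; i <= m; i++) if (r[i] == "root") has_root = 1
            if (!has_root) next
            if (!($1 in home))                     status = "NOT-IN-LOCAL-PASSWD"
            else if (index(home[$1], prefix) == 1) status = "OK"
            else                                   status = "NONLOCAL-HOME"
            print $1, status
        }' "$passwd_file" "$user_attr_file"
}

# Constructed sample files (not taken from a real host).
d=$(mktemp -d)
cat > "$d/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
jack:x:101:10:Local admin:/export/home/jack:/bin/bash
amy:x:102:10:Admin:/net/files/home/amy:/bin/bash
EOF
cat > "$d/user_attr" <<'EOF'
root::::type=role;auths=solaris.*;profiles=All
jack::::profiles=Primary Administrator;roles=root
amy::::roles=root
ldapadm::::roles=operator,root
EOF
local_root_admins "$d/passwd" "$d/user_attr"
```

Any line other than `OK` marks an account whose access to the root role would be affected by a directory-service or network home outage. The check does not inspect the account's PATH.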
