On Fri, Jul 30, 2010 at 04:33:47PM -0400, Kyle McDonald wrote:
> On 7/30/2010 4:24 PM, Will Fiveash wrote:
> > On Fri, Jul 30, 2010 at 12:44:43PM -0700, David Brodbeck wrote:
> >>
> >> On Jul 30, 2010, at 12:26 PM, Will Fiveash wrote:
> >>> I'm in total agreement from a security aspect (recall that OpenSolaris's
> >>> roots are in the enterprise server world and not wide open desktop
> >>> land).  I would ask you why root shouldn't be a role?  Hopefully the
> >>> answer won't involve convenience.
> >>
> >> It can be awkward if you're using LDAP or NIS and the server is down
> >> or the client is incorrectly set up.
> >>
> >> This *can* be worked around by making sure every machine has a valid
> >> local user with access to the root role -- sort of.  pfexec becomes
> >> extremely slow if you have incorrectly configured LDAP -- as in
> >> several minutes of waiting to run a single command.  I suspect it
> >> tries to look up userIDs via LDAP first and has a long timeout.  Best
> >> to su to root in that situation.
> >
> > This is a variant of the convenience argument.  Systems with root as a
> > role require a local user account with the Primary Administrator role.  When
> > I installed OpenSolaris it did the right thing and created such an
> > account that does not depend on NIS or LDAP and is thus insulated from
> > issues with those servers.  That user account should only have local
> > paths in the PATH and a local home directory for greater reliability.
> >
>
> I actually like root as a role, but it strikes me that by forcing all
> machines to have a single local user with a pw that everyone knows,
> you've totally re-opened the hole that this was supposed to close.
> Anyone can log in as that local user, and assume the root role anonymously.

Just because a system has a local user account doesn't imply that
everyone should know the password.

> Isn't there anything that can be done so that these local accounts
> aren't needed?

Actually, it may be possible to configure a system with no local user
accounts, but if the network or nameservice is down it may be a hassle to
log in to that system and may require booting off the install DVD.  Note
that I have not tried such a config.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.five...@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
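An added example, not part of the thread above and not code from any of its
participants: a small POSIX sh audit for the configuration Will describes,
namely that root is an RBAC role rather than a login account, and that at
least one account defined in the local files backend (/etc/passwd, so not
dependent on LDAP or NIS) is allowed to assume that role.  It parses the
user_attr(4) line format (user:qualifier:res1:res2:attr, with attr a
';'-separated list of key=value pairs).  The sample user_attr and passwd
files, and the account names jack and alice, are constructed here so the
script runs offline; on a real host pass /etc/user_attr and /etc/passwd.

```shell
#!/bin/sh
# Audit: is root a role, and can some *local* account assume it?
# Added example; sample data below is constructed, not taken from a real host.

# Print the value of key $2 from user $1's attribute field in user_attr file $3.
user_attr_key() {
    awk -F: -v u="$1" -v k="$2" '
        /^#/ || NF < 5 { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], k "=") == 1) { print substr(kv[i], length(k) + 2); exit }
        }' "$3"
}

# Succeeds when root carries type=role (a role, not a directly loginable user).
root_is_role() { [ "$(user_attr_key root type "$1")" = "role" ]; }

# Print every account that (a) exists in the local passwd file $2 and
# (b) lists "root" in its roles= attribute in user_attr file $1.
# Accounts known only to LDAP/NIS are absent from $2 and are therefore skipped:
# they are exactly the ones you cannot rely on when the nameservice is down.
local_root_role_users() {
    awk -F: '
        NR == FNR { if ($0 !~ /^#/ && NF >= 7 && $1 != "root") local[$1] = 1; next }
        /^#/ || NF < 5 || !($1 in local) { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], "roles=") == 1) {
                    m = split(substr(kv[i], 7), r, ",")
                    for (j = 1; j <= m; j++) if (r[j] == "root") print $1
                }
        }' "$2" "$1"
}

# Overall check: returns 0 only if root is a role AND a local account can assume it.
check_rbac() {
    ua=$1; pw=$2; rc=0
    if root_is_role "$ua"; then
        echo "ok: root is a role"
    else
        echo "FAIL: root is an ordinary login user"; rc=1
    fi
    users=$(local_root_role_users "$ua" "$pw" | tr '\n' ' ')
    if [ -n "$users" ]; then
        echo "ok: local account(s) holding the root role: $users"
    else
        echo "FAIL: no local account can assume root; a nameservice outage locks you out"; rc=1
    fi
    return $rc
}

# --- constructed sample data -------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Good: installer-style layout, local user jack holds the root role.
printf '%s\n' \
  'root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no' \
  'jack::::profiles=Primary Administrator;roles=root' > "$WORK/good.user_attr"
printf '%s\n' \
  'root:x:0:0:Super-User:/root:/usr/bin/bash' \
  'jack:x:101:10:Local admin:/export/home/jack:/usr/bin/bash' > "$WORK/good.passwd"

# Bad: root is a role, but the only account allowed to assume it (alice) has
# its passwd entry in LDAP, so nothing local can reach root during an outage.
printf '%s\n' \
  'root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no' \
  'alice::::profiles=Primary Administrator;roles=root' > "$WORK/bad.user_attr"
printf '%s\n' 'root:x:0:0:Super-User:/root:/usr/bin/bash' > "$WORK/bad.passwd"

GOOD_UA=$WORK/good.user_attr; GOOD_PW=$WORK/good.passwd
BAD_UA=$WORK/bad.user_attr;   BAD_PW=$WORK/bad.passwd

check_rbac "$GOOD_UA" "$GOOD_PW"
check_rbac "$BAD_UA" "$BAD_PW"
```

The script only reads the two files, so it cannot verify the other two
properties Will asks for (a local home directory and a PATH with only local
entries); those have to be checked by hand for the account it reports.  On
Solaris the corresponding administrative commands are `usermod -K type=role
root` to turn root into a role, `usermod -R root <user>` to grant it, and
`roles <user>` to list what a user may assume.  Whether the user_attr,
prof_attr and exec_attr lookups that pfexec and su perform go to LDAP at all
is governed by the matching entries in /etc/nsswitch.conf, which is the first
place to look when those commands stall during an LDAP outage.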