> On Fri, Jul 30, 2010 at 03:49:57PM -0700, David Brodbeck wrote:
> > 
> > On Jul 30, 2010, at 3:31 PM, Scott Rotondo wrote:
> > > Regarding the expansion of the attack surface, remember that assuming the root role requires logging in to a user account first and then providing the root password.
> > 
> > Well, yes and no.  It's true that su requires the root password, and sudo usually requires the password of the user account before running commands with root privileges.  pfexec does not require any password entry at all, so an account that's allowed to exercise root privileges via pfexec is, from a security standpoint, functionally equivalent to another root account.
> 
> No, an account that has to either use su or pfexec to acquire root privs is not functionally the same as a root user account.  Let's assume there are several people that require root privs to do their job.  With a root user account any of them could login as root and audit records would not be able to identify which of those people did what as root.  With RBAC and root as a role and each admin having their own account, audit records would show who became root and what commands they executed as root.  Accountability is definitely enhanced with root as a role.
> 
> -- 
> Will Fiveash
> Oracle
> Note my new work e-mail address:
> will.five...@oracle.com
> http://opensolaris.org/os/project/kerberos/
> Sent using mutt, a sweet text based e-mail app:
> http://www.mutt.org/
> _______________________________________________
> opensolaris-discuss mailing list
> opensolaris-discuss@opensolaris.org
> 

I believe root should be left as a non-role account. Admins that need to 
perform a subset of root level tasks should be authorized to do so in their 
account configuration through exec_attr/user_attr. Much the same way that zfs 
allows users to perform specific tasks through zfs allow.
-- 
This message posted from opensolaris.org
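The per-account authorization the last message describes, as an added example that is not from this thread: a small Python resolver over constructed user_attr(4)/exec_attr(4)-style entries (field layouts follow the Solaris man pages; the user names, profile names and command paths are made up) that shows which commands each account could run through pfexec, and that a role such as root is not a login account.

```python
"""Resolve pfexec rights from constructed user_attr/exec_attr entries.

Added illustration, not code from the thread or from Solaris itself.
user_attr fields: user:qualifier:res1:res2:attr
exec_attr fields: name:policy:type:res1:res2:id:attr
"""

# Constructed sample entries (hypothetical users, profiles and paths).
USER_ATTR = """\
jdoe::::type=normal;profiles=Network Management,ZFS Snapshot
alice::::type=normal;profiles=ZFS Snapshot
root::::type=role;auths=solaris.*;profiles=All
"""
EXEC_ATTR = """\
Network Management:solaris:cmd:::/usr/sbin/ifconfig:uid=0
Network Management:solaris:cmd:::/usr/sbin/dladm:euid=0
ZFS Snapshot:solaris:cmd:::/usr/sbin/zfs:privs=sys_mount
All:solaris:cmd:::*:
"""


def parse_user_attr(text):
    """Return {user: {"type": ..., "profiles": [...]}} from user_attr lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _q, _r1, _r2, attrs = line.split(":", 4)
        kv = dict(a.split("=", 1) for a in attrs.split(";") if "=" in a)
        profiles = [p for p in kv.get("profiles", "").split(",") if p]
        users[name] = {"type": kv.get("type", "normal"), "profiles": profiles}
    return users


def parse_exec_attr(text):
    """Return a list of {profile, path, attrs} from exec_attr lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        profile, _pol, _typ, _r1, _r2, path, attrs = line.split(":", 6)
        entries.append({"profile": profile, "path": path, "attrs": attrs})
    return entries


def allowed_commands(user, users, execs):
    """Map command path -> attributes a user gets via pfexec.

    Profiles are walked in the order listed for the user and the first
    entry for a path wins (assumed precedence rule for this example).
    """
    result = {}
    for prof in users.get(user, {}).get("profiles", []):
        for e in execs:
            if e["profile"] == prof and e["path"] not in result:
                result[e["path"]] = e["attrs"]
    return result


def is_role(user, users):
    """A role (e.g. root here) cannot log in; a named user must su to it."""
    return users.get(user, {}).get("type") == "role"
```

Because each named account carries only its own profiles, audit records can attribute a pfexec'd command to the individual rather than to a shared root login.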
