Re: [osol-discuss] Re: Re: SXCR Build 55 available
On Thu, 25 Jan 2007, John Plocher wrote:

> fills the directory with all sorts of turds; with /root, at least they
> are all my invisible turds :-)

Never underestimate the value of invisible turds! :-)

--
Rich Teer, SCSA, SCNA, SCSECA, OpenSolaris CAB member
President, Rite Online Inc.
Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
Re: [osol-discuss] Re: Re: SXCR Build 55 available
James Carlson wrote:

> But I think you have to be in the bad habit of logging in as root first.

First time install will do that for you - there are no other users.

That gets you 19 entries in /
Re: [osol-discuss] Re: Re: SXCR Build 55 available
Personally, I have my jumpstart create /root (root:root 700) and modify root's homedir to /root. I leave the root shell alone since I do most of my work with RBAC or sudo.

Interestingly, many security auditors like to see root's home directory in /root so that users/hackers can't see root's "." files. I agree this is a good security measure and makes sense. I have not seen any applications have issues over the years because of this.

As for daemons or processes owned by daemon, sys, etc., I don't think they should be dumping anything into / for the same reasons. Do they need their own home dir? I don't know. I haven't seen anything in / that shouldn't be. Then again, most sites disable most of the services for security reasons.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Octave J. Orgeron
Solaris Systems Engineer
http://www.opensolaris.org/os/community/sysadmin/
http://unixconsole.blogspot.com
[EMAIL PROTECTED]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

----- Original Message -----
From: Darren J Moffat <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: opensolaris-discuss@opensolaris.org; James Carlson <[EMAIL PROTECTED]>
Sent: Thursday, January 25, 2007 9:49:19 AM
Subject: Re: [osol-discuss] Re: Re: SXCR Build 55 available

[EMAIL PROTECTED] wrote:
>> Brian McCafferty writes:
>>> Can someone tell me what the reason is for the creation of /root?
>>> Why do you make the root home directory no longer the root? I'm a
>>> little confused what purpose this serves.
>> It seems to be a Linicism.
>>
>> If you log into your system as root, you'll eventually end up with a
>> lot of trash littering the / directory. That's unattractive, so
>> hiding it away under some directory (still on the root file system) is
>> a plus.
>>
>> But I think you have to be in the bad habit of logging in as root
>> first.
>
> To me, it also goes against the grain of Unix; one of the reasons why root
> is called root is because he lives there. For consistency, we should have
> renamed the superuser account to "slashroot"

So why do daemon, sys, nobody, and noaccess cohabitate with him?

Is the real "bug" here that they all use "/" as their home dir?

--
Darren J Moffat
Re: [osol-discuss] Re: Re: SXCR Build 55 available
[EMAIL PROTECTED] wrote:

>> Brian McCafferty writes:
>>> Can someone tell me what the reason is for the creation of /root?
>>> Why do you make the root home directory no longer the root? I'm a
>>> little confused what purpose this serves.
>> It seems to be a Linicism.
>>
>> If you log into your system as root, you'll eventually end up with a
>> lot of trash littering the / directory. That's unattractive, so
>> hiding it away under some directory (still on the root file system) is
>> a plus.
>>
>> But I think you have to be in the bad habit of logging in as root
>> first.
>
> To me, it also goes against the grain of Unix; one of the reasons why root
> is called root is because he lives there. For consistency, we should have
> renamed the superuser account to "slashroot"

So why do daemon, sys, nobody, and noaccess cohabitate with him?

Is the real "bug" here that they all use "/" as their home dir?

--
Darren J Moffat
Re: [osol-discuss] Re: Re: SXCR Build 55 available
[EMAIL PROTECTED] wrote:

>> * Lots of system daemons do chdir("/") as part of their startup. If
>> they use libraries that try and read config files from the user's home
>> dir then they can end up reading the ones for the root user, that might
>> not be desirable.
>
> Please name one example; I think you're just making this up.
>
> Are you suggesting that libraries exist which read config files from
> the current directory?

Badly phrased rather than making it up.

This actually has nothing to do with the current working directory (so the chdir("/") is bogus - sorry I was doing too many things at once).

Things running as daemon often do a chdir("/"), but the important bit is the home directory of daemon is "/", the same as root.

~/.ssh for root and daemon resolve to the same place.

~/.sunw/pkcs11_softtoken/ - which is an encrypted keystore - resolves to the same place.

Now proper default permissions ensure there isn't a security problem here but it means that root and daemon can't have separate configurations for these things. For the pkcs11_softtoken case it actually means that for the daemon user by default there can't be a persistent keystore because root already staked out that namespace.

>> * because the root user can have personal config files and the existence
>> of those files should not be available to unprivileged users, or for
>> tidiness.
>>
>> * consistency with other systems
>>
>> * because we can and there is no downside to doing so
>
> I'm sure there's stuff which breaks because ~root no longer expands to /

Yes there probably is but that code would be broken on other systems that do this as well!

BTW the PSARC case for this is already approved, it just hasn't been implemented for this exact reason. There are Solaris test suites that are known to break because of assumptions like this.

--
Darren J Moffat
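Added example, not part of the original thread: a small POSIX shell audit of the point made in the message above, that daemon and other system accounts resolve ~ to the same directory as root. The passwd entries are constructed for illustration and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): audit passwd(4)-format input on stdin
# for accounts that share a home directory.

# Constructed sample: root plus the system accounts the thread names as
# living in "/". Not copied from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
EOF
}

# Print every non-root account whose home equals the home of the first UID 0
# entry, i.e. accounts for which ~/.ssh is the same path as root's.
shares_home_with_root() {
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments, short lines
        $3 == "0" && !found { roothome = $6; found = 1 }
        { n++; name[n] = $1; uid[n] = $3; home[n] = $6 }
        END {
            if (!found) exit                     # no UID 0 entry to compare with
            for (i = 1; i <= n; i++)
                if (uid[i] != "0" && home[i] == roothome) print name[i]
        }'
}

# Print "<home> <user,user,...>" for every home directory used by more than
# one account, whether or not root is one of them.
shared_homes() {
    awk -F: '
        /^#/ || NF < 7 { next }
        { users[$6] = (count[$6]++ ? users[$6] "," : "") $1 }
        END { for (h in count) if (count[h] > 1) print h, users[h] }' | sort
}

# Demo on the constructed sample; on a live system: shared_homes < /etc/passwd
sample_passwd | shares_home_with_root
sample_passwd | shared_homes
```

Moving only root to /root empties the first report, but the second still lists daemon, sys, nobody and noaccess together in "/".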
Re: [osol-discuss] Re: Re: SXCR Build 55 available
>* Lots of system daemons do chdir("/") as part of their startup. If
>they use libraries that try and read config files from the user's home
>dir then they can end up reading the ones for the root user, that might
>not be desirable.

Please name one example; I think you're just making this up.

Are you suggesting that libraries exist which read config files from the current directory?

>* because the root user can have personal config files and the existence
>of those files should not be available to unprivileged users, or for
>tidiness.
>
>* consistency with other systems
>
>* because we can and there is no downside to doing so

I'm sure there's stuff which breaks because ~root no longer expands to /

Casper
Re: [osol-discuss] Re: Re: SXCR Build 55 available
>Brian McCafferty writes:
>> Can someone tell me what the reason is for the creation of /root?
>> Why do you make the root home directory no longer the root? I'm a
>> little confused what purpose this serves.
>
>It seems to be a Linicism.
>
>If you log into your system as root, you'll eventually end up with a
>lot of trash littering the / directory. That's unattractive, so
>hiding it away under some directory (still on the root file system) is
>a plus.
>
>But I think you have to be in the bad habit of logging in as root
>first.

To me, it also goes against the grain of Unix; one of the reasons why root is called root is because he lives there. For consistency, we should have renamed the superuser account to "slashroot"

Casper
Re: [osol-discuss] Re: Re: SXCR Build 55 available
James Carlson wrote:

> Brian McCafferty writes:
>> Can someone tell me what the reason is for the creation of /root?
>> Why do you make the root home directory no longer the root? I'm a
>> little confused what purpose this serves.
>
> It seems to be a Linicism.
>
> If you log into your system as root, you'll eventually end up with a
> lot of trash littering the / directory. That's unattractive, so
> hiding it away under some directory (still on the root file system) is
> a plus.
>
> But I think you have to be in the bad habit of logging in as root
> first.

Even if you never directly login as root there are unfortunately files and directories that can appear in there.

--
Darren J Moffat
Re: [osol-discuss] Re: Re: SXCR Build 55 available
Brian McCafferty writes:
> Can someone tell me what the reason is for the creation of /root?
> Why do you make the root home directory no longer the root? I'm a
> little confused what purpose this serves.

It seems to be a Linicism.

If you log into your system as root, you'll eventually end up with a lot of trash littering the / directory. That's unattractive, so hiding it away under some directory (still on the root file system) is a plus.

But I think you have to be in the bad habit of logging in as root first.

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
Re: [osol-discuss] Re: Re: SXCR Build 55 available
Brian McCafferty wrote:

> Can someone tell me what the reason is for the creation of /root?
> Why do you make the root home directory no longer the root? I'm a
> little confused what purpose this serves.

My reasons:

I keep system configuration notes, .files from programs run as root, etc. in the /root directory so as to manage the namespace better. Things found in / are generally things the system creates and manages, things in /root are "mine" and I know that nothing uses them. And, whatever names I choose, they won't conflict with automounter mount points, system files and directories, etc.

Oh, and by setting permissions tightly, nobody can snoop thru the stuff.

Besides, if I happen to login as root on the graphical console, GNOME fills the directory with all sorts of turds; with /root, at least they are all my invisible turds :-)

-John
Re: [osol-discuss] Re: Re: SXCR Build 55 available
Brian McCafferty wrote:

> Can someone tell me what the reason is for the creation of /root?
> Why do you make the root home directory no longer the root? I'm a
> little confused what purpose this serves.

Multiple reasons:

* Lots of system daemons do chdir("/") as part of their startup. If they use libraries that try and read config files from the user's home dir then they can end up reading the ones for the root user, that might not be desirable.

* because the root user can have personal config files and the existence of those files should not be available to unprivileged users, or for tidiness.

* consistency with other systems

* because we can and there is no downside to doing so

--
Darren J Moffat
[osol-discuss] Re: Re: SXCR Build 55 available
Can someone tell me what the reason is for the creation of /root? Why do you make the root home directory no longer the root? I'm a little confused what purpose this serves.
[osol-discuss] Re: Re: SXCR Build 55 available
> > I also went ahead and changed the default shell from "sh" to "bash"
> > even for root (& created /root for its home directory). While this used
> > to be a big no-no, I was told it is OK after Solaris 10. Is this
> > advice correct? Thanks.
>
> Well, the technical reasons for not changing root's shell have become
> moot with Solaris 10, but depending on your organisation, changing it
> might not be very friendly to other admins. And if you're the only
> admin, then that problem goes away.
>
> Naturally, your root shell and home dir should be on the root filesystem
> (so none of this antiquated (IMHO) practice of splitting out /usr).
>
> Me? I change root's dir to /root (mode 600), but leave root's shell
> alone, running ksh from root's .profile.
>
> --
> Rich Teer, SCSA, SCNA, SCSECA, OpenSolaris CAB member
> President, Rite Online Inc.
> Voice: +1 (250) 979-1638
> URL: http://www.rite-group.com/rich

Thanks. Build 55b also provides a GUI tool to change user privileges, thus, bringing Solaris more agreeable to Linux users.

Another improvement, which I consider to be CRITICAL, involves USB printers. I have an HP 1012 printer, which, if left "on" when the system is booted up, will spit out garbage (evidently the printer driver was not loaded). Every time I needed to use this printer, I had to reconfigure it. This problem is solved in Build 55b. (However I need to point out that since I only have Build 52 on the machines connected to that printer, I don't know if the problem was already solved in Build 54.)
[osol-discuss] Re: Re: SXCR Build 55 available
> Interesting; briefly, in your eyes, what has changed in b55 over b54
> (which I'm currently using)?
>
> --
> Rich Teer, SCSA, SCNA, SCSECA, OpenSolaris CAB member
> President, Rite Online Inc.
> Voice: +1 (250) 979-1638
> URL: http://www.rite-group.com/rich

"For your eyes only", please see the attached screenshot:

Oops, just realized that I am not allowed to post an attachment. But it's the default home page of the Firefox browser (file:///usr/share/doc/soldevex/html/developer_guide.html).