On 8/3/10 10:49 PM, Darren Reed wrote:
> On 3/08/10 10:21 PM, Scott Rotondo wrote:
>> On 8/3/10 7:26 PM, Darren Reed wrote:
>>> Last time I tried, I could not su to root because it was a role.
>>
>> You are mistaken. When root is a role, su is the *only* way to log in
>> to that account. Of course, your user account must be authorized to
>> assume that role.
>
> My recollection is that when I tried to do "su" from the created account
> it failed with an error that was the same as when I tried to login to the
> root account - i.e. that it was not permitted because root was a role.

You must have tried this from a user account that does not have root in
its list of allowed roles. Try running roles(1) first.

As you and I discussed last week, the same message appears in two
situations: trying to log into a role directly, and trying to assume a
role for which the user is not authorized. We can improve that situation
somewhat, but there are cases where the PAM module doesn't have enough
information to resolve the ambiguity.

In any case, someone might read your message and infer that su no longer
works because root is a role. That's simply untrue.

Scott

--
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
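
One way to tell apart the two situations that produce the identical message discussed in this thread, as an added example that is not part of any poster's message or of Solaris itself: it reads entries in user_attr(4) format and reports whether the target account is a role and whether the user lists it in roles=. The account names, sample entries and function names are constructed for illustration, and it assumes the data comes from a local file rather than a name service.

```shell
#!/bin/sh
# Constructed sample in user_attr(4) format: name:qualifier:res1:res2:attr
SAMPLE_USER_ATTR='# constructed entries, not from a real system
root::::type=role;auths=solaris.*;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;profiles=Basic Solaris User
carol::::roles=webadm,root'

# attr_value NAME KEY: print KEY's value from NAME's attr field (empty if absent).
attr_value() {
    printf '%s\n' "$USER_ATTR_DATA" | awk -F: -v n="$1" -v k="$2" '
        /^#/ || $1 != n { next }
        {
            cnt = split($5, kv, ";")
            for (i = 1; i <= cnt; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == k) {
                    print substr(kv[i], eq + 1)
                    exit
                }
            }
        }'
}

# explain_denial HOW USER TARGET, with HOW being "login" or "su". Prints:
#   role-direct-login  TARGET is a role, and a role cannot be logged in to directly
#   user-lacks-role    TARGET is a role that USER does not list in roles=
#   authorized         TARGET is a role and USER lists it; the role check passes
#   not-role-related   TARGET is a normal account; look elsewhere for the cause
explain_denial() {
    USER_ATTR_DATA=${USER_ATTR_DATA:-$SAMPLE_USER_ATTR}
    if [ "$(attr_value "$3" type)" != "role" ]; then
        echo not-role-related
    elif [ "$1" = "login" ]; then
        echo role-direct-login
    else
        case ",$(attr_value "$2" roles)," in
            *,"$3",*) echo authorized ;;
            *)        echo user-lacks-role ;;
        esac
    fi
}

# The first two attempts are the ones that show the same message at the terminal.
explain_denial login root root   # role-direct-login
explain_denial su bob root       # user-lacks-role
explain_denial su alice root     # authorized
```

To check a real system, set USER_ATTR_DATA to the contents of /etc/user_attr before calling the function; roles granted through a name service will not appear there, so roles(1) remains the authoritative check.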