Quicksearch
Disclaimer
The individual owning this blog works for Oracle in Germany. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.
Get rid of root - or: PSARC/2008/321
Wednesday, July 9. 2008
An interesting PSARC case got it´s approval: PSARC/2008/321 - No Root Login:
Besides of making root a role, this would be another way to get rid of a direct usable root account in Solaris. With this change you can use your own username and password to log into an "root shell" without knowing the root password ... there doesn´t even have to be a root password. You only need the authorization
(via ceri on twitter)
It has been suggested that Solaris should permit "root" to be a no login account.
[...]
Add a "solaris.system.maintenance" authorization. Modify sulogin(1M) toprompt for a username and password. If the username entered is authenticated by the password and has the "solaris.system.maintenance" authorization, enter system maintenance mode. If not, as before this project, deny access.
Besides of making root a role, this would be another way to get rid of a direct usable root account in Solaris. With this change you can use your own username and password to log into an "root shell" without knowing the root password ... there doesn´t even have to be a root password. You only need the authorization
solaris.system.maintenance in your user attributes.(via ceri on twitter)
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Das Leben ist gut!
Das Travelnet buchte mir zwei Nächte im http://de.wikipedia.org/wiki/The_Ritz-Carlton_Berlin
In der Minibar steht ein 2001 Robert Mondavi Cabernet Sauvignon,
Im http://kulturkaufhaus.shop-asp.de/shop/action/?aUrl=90008115 kaufte ich mir eben http://www.welt.de/kultur/article807474/Glamour_Bohme_Netrebko__Villazn_.html
DANKE an Microsoft und Apple für proprietäre Software! Es klingt traumhaft!
Und Jonathan delivers to his promise, JAVA war heute bei 10$
ALLES IST GUT!
Das Travelnet buchte mir zwei Nächte im http://de.wikipedia.org/wiki/The_Ritz-Carlton_Berlin
In der Minibar steht ein 2001 Robert Mondavi Cabernet Sauvignon,
Im http://kulturkaufhaus.shop-asp.de/shop/action/?aUrl=90008115 kaufte ich mir eben http://www.welt.de/kultur/article807474/Glamour_Bohme_Netrebko__Villazn_.html
DANKE an Microsoft und Apple für proprietäre Software! Es klingt traumhaft!
Und Jonathan delivers to his promise, JAVA war heute bei 10$
ALLES IST GUT!
well, this is mad... wtf? why why why?
i see no reason why this would be usefull.
this is ubuntu style bullshit.
i see no reason why this would be usefull.
this is ubuntu style bullshit.
Auditing. Instead of everything being done as root, it's done by individual users (who might have some, but not necessarily all the abilities of root). This means instead of trying to figure out 'who did X as root', it's very apparent who did what.
It's also completely optional, so if you don't like it, don't use it.
It's also completely optional, so if you don't like it, don't use it.
as long as it stays optional im fine with it.
in 2008.05 its not...
ofc i know the reasons, but i also dont need to forbid access to it, just dont give out the root acc...
in 2008.05 its not...
ofc i know the reasons, but i also dont need to forbid access to it, just dont give out the root acc...
This isn´t mad ... it´s an addional way to ensure that nobody can login into the system with an anonymous acicout like root. As Jason wrote: It´s an auditing thing and it´s about the fact that nobody has the root password.
Another example: An admin leaves your team and works for a different team. When this admin was aware of the root password of your system you now have to change the password to lock him out of the systems managed by your team. With this change, you just remove the solaris.system.maintenance authorisation as the user used his own password to to get root privileges before ...
Another example: An admin leaves your team and works for a different team. When this admin was aware of the root password of your system you now have to change the password to lock him out of the systems managed by your team. With this change, you just remove the solaris.system.maintenance authorisation as the user used his own password to to get root privileges before ...
+1
The LKSF book
The book with the consolidated Less known Solaris Tutorials is available for download here
Web 2.0
Contact
Networking
xing.com
LinkedIn
Facebook
My photos
- mail: joerg@c0t0d0s0.org
- icq: 144000169
- Me, myself and I
- openBC
- My del.icio.us
- c0t0d0s0@twitter
- c0t0d0s0@last.fm
- wiki@c0t0d0s0
- Amazon Wishlist
Networking
xing.com
My photos
Comments
about Nanosecond
Wed, 23.05.2012 00:11
I remember this being drummed
into us during Digital Design
at Uni. It's important to cons
ider it when laying out [...]
Mon, 21.05.2012 18:04
Hello Kevin, Im not surprised
with what you are seeing or ha
ve seen when attaching a SSD t
o a USB2.0. USB3.0 helps [...]
Mon, 21.05.2012 04:44
Hi Greg,
With regards to IO
PS I have seen terrible result
s using a 60GB SATA2 SSD with
USB2.0 - USB2 really cho [...]
about ZFS Dedup Internals
Sat, 19.05.2012 09:50
There is no impact to boot/imp
ort times, as the DDT is loade
d as needed ... so the pool is
imported as fast as wit [...]
Buttons
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License
