Hello, I have to disagree that having Primary Administrator was a blunder. How it is used is a blunder. Primary administrator should never be assigned to a user account. In reality, no special privileges should be assigned to user accounts. Privileges/Profiles/Authorizations/Rights should only be assigned to Roles, and users account assigned Roles.
In a high security environment, no one person is completely trusted. Administration of a server is separated between at least two people, a system administrator and a security administrator. The root account does not allow this separation of access and control. At least two Roles would be created each with the appropriate rights. Then at least two users accounts would be created, one for each person. if a persons job is security, their account would be assigned the security Role, and if they were an administrator, the admin Role. If a person changed roles with in the organization, the Roles assigned to their user account would be changed. The root account would almost never be used, and the password would be highly controlled by a select few. This is the idea behind RBAC. Role Based Access Control. Security and convenience, Pick One. Michael Stapleton On Sun, 2011-11-27 at 20:07 -0300, Ignacio Marambio Catán wrote: > On Sun, Nov 27, 2011 at 7:56 PM, Matt Connolly > <matt.connolly...@gmail.com> wrote: > > > > On 28/11/2011, at 1:35 AM, Bill Sommerfeld wrote: > >> On 11/27/11 04:36, Matt Connolly wrote: > >>> This still didn't help. But again, setting the root user password with > >>> `sudo passwd root` enables me to authenticate to the root role using that > >>> root password. (not my user password, as I would use with sudo). > >>> > >>> Any reason why the installer would not give the "Primary Administrator" > >>> profile to the first user on the machine? > >> > >> A user account granted the "Primary Administrator" profile becomes > >> equivalent to root -- any process running as that uid can "pfexec rm -rf > >> /usr" or anything more destructive. > >> > >> > If the first user can't do it, who can? > >> > >> Primary Administrator is too powerful to grant to a "use every day" user > >> account. > > > > Granted. Although I would think an option during the install process to > > grant "Primary Administrator" role to that first user (perhaps with an > > appropriate warning) would be fine. (As far as risk goes, the first user is > > given access to root via sudo anyway). > > > > I'm happy using sudo because it asks to confirm password (which pfexec > > doesn't), but I see two caveats with that: > > 1. no support for role based auditing > > 2. all the existing system panels use the role/profile approach. > > > I do not know how sudo is compiled in openindiana but sudo has proper > support for BSM, patches have been submitted for that in 2008 > seriously, the primary administrator thing was an extremely bad idea. > Oracle fixed that particular blunder with solaris 11 making su work > like sudo for the most part > > > > >> > >>> If it wasn't for sudo, you'd have to boot into single mode to change > >>> anything! > >> > >> the folks who made the opensolaris installer grant the first regular user > >> the "primary administrator" role, and then splattered pfexec all over the > >> documentation, made a terrible mistake; the installer has only been > >> corrected recently, after too many opensolaris users have been mistrained > >> to use pfexec the wrong way. > > > > And finally, just to clarify one more thing, when you use those system > > panels (like SMF Services, etc) that ask you to authenticate as root role, > > should it be the root password or your user password? > > to login to a role, you need the role password > > > > > Thanks, > > Matt > > > > > > _______________________________________________ > > OpenIndiana-discuss mailing list > > OpenIndiana-discuss@openindiana.org > > http://openindiana.org/mailman/listinfo/openindiana-discuss > > > > _______________________________________________ > OpenIndiana-discuss mailing list > OpenIndiana-discuss@openindiana.org > http://openindiana.org/mailman/listinfo/openindiana-discuss _______________________________________________ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
