by that reasoning, if you wanted a primary administrator, you'd assign
the root role and be done with it.
On Mon, Nov 28, 2011 at 12:50 AM, Michael Stapleton
<michael.staple...@techsologic.com> wrote:
> Hello,
>
> I have to disagree that having Primary Administrator was a blunder. How
> it is used is a blunder. Primary administrator should never be assigned
> to a user account. In reality, no special privileges should be assigned
> to user accounts. Privileges/Profiles/Authorizations/Rights should only
> be assigned to Roles, and users account assigned Roles.
>
> In a high security environment, no one person is completely trusted.
> Administration of a server is separated between at least two people, a
> system administrator and a security administrator. The root account does
> not allow this separation of access and control. At least two Roles
> would be created each with the appropriate rights. Then at least two
> users accounts would be created, one for each person. if a persons job
> is security, their account would be assigned the security Role, and if
> they were an administrator, the admin Role. If a person changed roles
> with in the organization, the Roles assigned to their user account would
> be changed. The root account would almost never be used, and the
> password would be highly controlled by a select few.
>
> This is the idea behind RBAC. Role Based Access Control.
>
> Security and convenience, Pick One.
>
>
> Michael Stapleton
>
>
>
>
> On Sun, 2011-11-27 at 20:07 -0300, Ignacio Marambio Catán wrote:
>
>> On Sun, Nov 27, 2011 at 7:56 PM, Matt Connolly
>> <matt.connolly...@gmail.com> wrote:
>> >
>> > On 28/11/2011, at 1:35 AM, Bill Sommerfeld wrote:
>> >> On 11/27/11 04:36, Matt Connolly wrote:
>> >>> This still didn't help. But again, setting the root user password with 
>> >>> `sudo passwd root` enables me to authenticate to the root role using 
>> >>> that root password. (not my user password, as I would use with sudo).
>> >>>
>> >>> Any reason why the installer would not give the "Primary Administrator" 
>> >>> profile to the first user on the machine?
>> >>
>> >> A user account granted the "Primary Administrator" profile becomes 
>> >> equivalent to root -- any process running as that uid can "pfexec rm -rf 
>> >> /usr" or anything more destructive.
>> >>
>> >> > If the first user can't do it, who can?
>> >>
>> >> Primary Administrator is too powerful to grant to a "use every day" user 
>> >> account.
>> >
>> > Granted. Although I would think an option during the install process to 
>> > grant "Primary Administrator" role to that first user (perhaps with an 
>> > appropriate warning) would be fine. (As far as risk goes, the first user 
>> > is given access to root via sudo anyway).
>> >
>> > I'm happy using sudo because it asks to confirm password (which pfexec 
>> > doesn't), but I see two caveats with that:
>> > 1. no support for role based auditing
>> > 2. all the existing system panels use the role/profile approach.
>>
>>
>> I do not know how sudo is compiled in openindiana but sudo has proper
>> support for BSM, patches have been submitted for that in 2008
>> seriously, the primary administrator thing was an extremely bad idea.
>> Oracle fixed that particular blunder with solaris 11 making su work
>> like sudo for the most part
>>
>> >
>> >>
>> >>> If it wasn't for sudo, you'd have to boot into single mode to change 
>> >>> anything!
>> >>
>> >> the folks who made the opensolaris installer grant the first regular user 
>> >> the "primary administrator" role, and then splattered pfexec all over the 
>> >> documentation, made a terrible mistake; the installer has only been 
>> >> corrected recently, after too many opensolaris users have been mistrained 
>> >> to use pfexec the wrong way.
>> >
>> > And finally, just to clarify one more thing, when you use those system 
>> > panels (like SMF Services, etc) that ask you to authenticate as root role, 
>> > should it be the root password or your user password?
>>
>> to login to a role, you need the role password
>>
>> >
>> > Thanks,
>> > Matt
>> >
>> >
>> > _______________________________________________
>> > OpenIndiana-discuss mailing list
>> > OpenIndiana-discuss@openindiana.org
>> > http://openindiana.org/mailman/listinfo/openindiana-discuss
>> >
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss@openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Reply via email to