[OpenIndiana-discuss] oi151 clean install - root role problem
michael.stapleton at techsologic.com
Mon Nov 28 03:50:20 UTC 2011
I have to disagree that having Primary Administrator was a blunder. How
it is used is a blunder. Primary administrator should never be assigned
to a user account. In reality, no special privileges should be assigned
to user accounts. Privileges/Profiles/Authorizations/Rights should only
be assigned to Roles, and users account assigned Roles.
In a high security environment, no one person is completely trusted.
Administration of a server is separated between at least two people, a
system administrator and a security administrator. The root account does
not allow this separation of access and control. At least two Roles
would be created each with the appropriate rights. Then at least two
users accounts would be created, one for each person. if a persons job
is security, their account would be assigned the security Role, and if
they were an administrator, the admin Role. If a person changed roles
with in the organization, the Roles assigned to their user account would
be changed. The root account would almost never be used, and the
password would be highly controlled by a select few.
This is the idea behind RBAC. Role Based Access Control.
Security and convenience, Pick One.
On Sun, 2011-11-27 at 20:07 -0300, Ignacio Marambio Catán wrote:
> On Sun, Nov 27, 2011 at 7:56 PM, Matt Connolly
> <matt.connolly.au at gmail.com> wrote:
> > On 28/11/2011, at 1:35 AM, Bill Sommerfeld wrote:
> >> On 11/27/11 04:36, Matt Connolly wrote:
> >>> This still didn't help. But again, setting the root user password with `sudo passwd root` enables me to authenticate to the root role using that root password. (not my user password, as I would use with sudo).
> >>> Any reason why the installer would not give the "Primary Administrator" profile to the first user on the machine?
> >> A user account granted the "Primary Administrator" profile becomes equivalent to root -- any process running as that uid can "pfexec rm -rf /usr" or anything more destructive.
> >> > If the first user can't do it, who can?
> >> Primary Administrator is too powerful to grant to a "use every day" user account.
> > Granted. Although I would think an option during the install process to grant "Primary Administrator" role to that first user (perhaps with an appropriate warning) would be fine. (As far as risk goes, the first user is given access to root via sudo anyway).
> > I'm happy using sudo because it asks to confirm password (which pfexec doesn't), but I see two caveats with that:
> > 1. no support for role based auditing
> > 2. all the existing system panels use the role/profile approach.
> I do not know how sudo is compiled in openindiana but sudo has proper
> support for BSM, patches have been submitted for that in 2008
> seriously, the primary administrator thing was an extremely bad idea.
> Oracle fixed that particular blunder with solaris 11 making su work
> like sudo for the most part
> >>> If it wasn't for sudo, you'd have to boot into single mode to change anything!
> >> the folks who made the opensolaris installer grant the first regular user the "primary administrator" role, and then splattered pfexec all over the documentation, made a terrible mistake; the installer has only been corrected recently, after too many opensolaris users have been mistrained to use pfexec the wrong way.
> > And finally, just to clarify one more thing, when you use those system panels (like SMF Services, etc) that ask you to authenticate as root role, should it be the root password or your user password?
> to login to a role, you need the role password
> > Thanks,
> > Matt
> > _______________________________________________
> > OpenIndiana-discuss mailing list
> > OpenIndiana-discuss at openindiana.org
> > http://openindiana.org/mailman/listinfo/openindiana-discuss
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
More information about the OpenIndiana-discuss