Solaris, Sudo, and locking the root account

From: Gordon Ewasiuk (gewasiuk@gnmc.net)
Date: 09/27/01


Date: Thu, 27 Sep 2001 13:26:46 -0400 (EDT)
From: Gordon Ewasiuk <gewasiuk@gnmc.net>
To: <focus-sun@securityfocus.com>
Subject: Solaris, Sudo, and locking the root account
Message-ID: <Pine.GSO.4.33.0109271319200.6777-100000@enterprise.gnmc.net>

Hi All,

What is the general feeling towards locking the root account on Solaris
when using sudo? We use sudo on Solaris everywhere and lock the root
account. This forces all users to sudo -s for a root shell - BUT - after
an abnormal shutdown, if a filesystem comes up dirty, it might need a
manual fsck pass. This, of course, requires the root password to enter
maint. mode.

I've got no problems booting from a CD, mounting the root FS, and
unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
when I explained it to him.

Is this a standard practice or making more trouble than it's worth?

TIA,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------
