Re: Solaris, Sudo, and locking the root account

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 09/28/01


Message-Id: <200109281748.f8SHm0aQ678055@jurassic.eng.sun.com>
Date: Fri, 28 Sep 2001 10:48:00 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: Solaris, Sudo, and locking the root account
To: gewasiuk@gnmc.net


>What is the general feeling towards locking the root account on Solaris
>when using sudo? We use sudo on Solaris everywhere and lock the root
>account. This forces all users to sudo -s for a root shell - BUT - after
>an abnormal shutdown, if a filesystem comes up dirty, it might need a
>manual fsck pass. This, of course, requires the root password to enter
>maint. mode.

You might want to consider using RBAC in Solaris 8 and making the root
account a role. This means root can't be directly logged into and only
those people who have been given the password and the role can assume the
role. For all others they run the commands they need as the relevant uid,
via RBAC just as happens with sudo.

With RBAC the root account isn't locked so in single user when sulogin runs
it can still verify the password.

--
Darren J Moffat
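
Added example, not part of the message above: a small POSIX shell/awk check of a user_attr(4) file that confirms root is configured as a role and that at least one normal user has been assigned it, so nobody converts root to a role and then finds no one can assume it. The sample entries, the users "alice" and "bob", and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit a user_attr(4) file for the "root as a role" setup.
# Line format: user:qualifier:res1:res2:attr, where attr is a list of
# key=value pairs joined by ';' and roles= is a comma-separated list.

# Constructed sample data, not taken from any real system.
sample_user_attr() {
cat <<'EOF'
# constructed sample entries
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;profiles=Printer Management
EOF
}

# Reads the named file (or stdin). Exit status:
#   0 = root is a role and at least one normal user may assume it
#   1 = root is not a role, so it can still be logged into directly
#   2 = root is a role but no user has been assigned it
audit_root_role() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }          # skip comments and short lines
        {
            type = "normal"; roles = ""        # an entry without type= is a normal user
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^type=/)  type  = substr(kv[i], 6)
                if (kv[i] ~ /^roles=/) roles = substr(kv[i], 7)
            }
            if ($1 == "root")
                roottype = type
            else if (type == "normal" && ("," roles ",") ~ /,root,/)
                holders = holders " " $1
        }
        END {
            if (roottype != "role") { print "FAIL: root is not a role"; exit 1 }
            if (holders == "") { print "FAIL: root is a role but no user is assigned it"; exit 2 }
            print "OK: root is a role; may assume it:" holders
        }
    ' "$@"
}

# Demo run on the constructed sample.
sample_user_attr | audit_root_role
```

On a real system the function would be pointed at /etc/user_attr; it checks only the role assignment, not the state of root's password entry that sulogin relies on.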
