Re: Solaris, Sudo, and locking the root account

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 09/28/01


Message-Id: <200109281748.f8SHm0aQ678055@jurassic.eng.sun.com>
Date: Fri, 28 Sep 2001 10:48:00 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: Solaris, Sudo, and locking the root account
To: gewasiuk@gnmc.net


>What is the general feeling towards locking the root account on Solaris
>when using sudo? We use sudo on Solaris everywhere and lock the root
>account. This forces all users to sudo -s for a root shell - BUT - after
>an abnormal shutdown, if a filesystem comes up dirty, it might need a
>manual fsck pass. This, of course, requires the root password to enter
>maint. mode.

You might want to consider using RBAC in Solaris 8 and making the root
account a role. This means root can't be directly logged into and only
those people who have been given the password and the role can assume the
role. For all others they run the commands they need as the relevant uid,
via RBAC just as happens with sudo.

With RBAC the root account isn't locked so in single user when sulogin runs
it can still verify the password.

--
Darren J Moffat
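
Added example, not part of the original message or of Solaris itself: a small audit of the root-as-a-role setup described above, reading user_attr(4) entries on stdin and reporting whether root is a role and which users hold it. The function names and the sample entries (users alice and bob) are constructed for illustration; on a real system the input would be /etc/user_attr.

```sh
#!/bin/sh
# user_attr(4) line format: user:qualifier:res1:res2:attr
# where attr is a ';'-separated list of key=value pairs (type, roles, ...).

sample_user_attr() {   # constructed sample input, not taken from a real host
    cat <<'EOF'
# constructed sample entries
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;roles=root
bob::::profiles=Printer Management
EOF
}

# Print the type of account $1 ("normal" when no type= key is present).
account_type() {
    awk -F: -v acct="$1" '
        /^#/ || NF < 5 { next }
        $1 == acct {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^type=/) t = substr(kv[i], 6)
        }
        END { print (t == "" ? "normal" : t) }'
}

# Print, one per line, every user whose roles= list contains role $1.
role_members() {
    awk -F: -v role="$1" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) {
                    m = split(substr(kv[i], 7), r, ",")
                    for (j = 1; j <= m; j++) if (r[j] == role) print $1
                }
        }'
}

# This example's own check: succeed only if root is a role and at least
# one user has been given it, so someone can still assume root.
check_root_role() {
    data=$(cat)
    rtype=$(printf '%s\n' "$data" | account_type root)
    members=$(printf '%s\n' "$data" | role_members root | tr '\n' ' ')
    echo "root type: $rtype; may assume root: ${members:-nobody}"
    [ "$rtype" = "role" ] && [ -n "$members" ]
}

sample_user_attr | check_root_role
```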