Re: Solaris, Sudo, and locking the root account

From: adam morley (adam@gmi.com)
Date: 09/28/01


Date: Fri, 28 Sep 2001 11:21:38 -0700
From: adam morley <adam@gmi.com>
To: focus-sun@securityfocus.com
Subject: Re: Solaris, Sudo, and locking the root account
Message-ID: <20010928112138.O1545@chopin.gmi.com>

On Thu, Sep 27, 2001 at 01:26:46PM -0400, Gordon Ewasiuk wrote:
> Hi All,
>
> What is the general feeling towards locking the root account on Solaris
> when using sudo? We use sudo on Solaris everywhere and lock the root
> account. This forces all users to sudo -s for a root shell - BUT - after
> an abnormal shutdown, if a filesystem comes up dirty, it might need a
> manual fsck pass. This, of course, requires the root password to enter
> maint. mode.

I'm not sure if it's standard practice with sudo -- we don't employ sudo. But I can say that you could set up all your filesystems with logging enabled, minimizing the need to boot off a CD....

>
> I've got no problems booting from a CD, mounting the root FS, and
> unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
> when I explained it to him.

Did he look at you funny like "I'm lazy, I don't like doing that" or "What's a CD?"

Also, I'm not sure whether a locked-root box is supportable by Sun; that would be something SunService would know (or one of the awesome Sun guys on the list).

It also depends what kind of a system it is. If it's a fairly critical system, the downtime needed to boot a CD, do the fsck, etc. may be unacceptable, but that's your call. Plus, if it's mission critical, then you'd probably have logging filesystems anyway, so yeah.

>
> Is this a standard practice or making more trouble than it's worth?

I think booting off CD is in general too slow (in terms of how long the system takes to come up), so I would be against it, or take steps to prevent needing to do it. I generally don't like locking the root account, just from an annoyance standpoint.

>
> TIA,
>
> -Gordon
>
> --------------------------------------------------
> Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
> The REAL office number is here-----> 703.893.4901
> Tired of BSODs, My Computer, and Code Red?
> http://www.sun.com/solaris/binaries/
> -------------------------------------------------
>

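Added example (mine, not code from the thread, from Gordon or from Sun): a small POSIX shell helper covering the two points the reply makes. Part 1 audits a vfstab for UFS filesystems mounted without the "logging" option (the UFS logging mount option of Solaris 7 and later), which is what avoids the manual fsck pass that forces the maintenance-mode root login in the first place, and emits a corrected vfstab. Part 2 is the CD-boot recovery path from the question: with the root slice mounted (conventionally under /a), it replaces root's "*LK*" password field in the shadow file with NP, keeping a backup. The vfstab and shadow contents are constructed samples, and the c0t0d0 device names and the /a mount point are assumptions about a typical box.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's code). Two helpers:
#   1. audit/fix /etc/vfstab so every UFS filesystem mounts with "logging",
#      which is what lets a dirty filesystem come up without a manual fsck;
#   2. unlock root in a shadow file (Solaris marks a locked account with
#      "*LK*" in the password field) after booting from the CD and mounting
#      the root slice, conventionally under /a.
# All sample file contents below are constructed, not taken from a real host.

# --- 1. UFS logging in vfstab -------------------------------------------
# vfstab columns: device-to-mount device-to-fsck mountpoint fstype fsck-pass
#                 mount-at-boot options   (so $4 is the type, $7 the options)

# Print the mount point of every ufs entry whose options lack "logging".
# Reads the vfstab named as $1, or stdin when no argument is given.
vfstab_missing_logging() {
    awk '
        /^#/ || NF == 0 { next }
        $4 == "ufs" && $7 !~ /(^|,)logging(,|$)/ { print $3 }
    ' "$@"
}

# Emit a corrected vfstab: "-" (no options) becomes "logging", anything
# else gets ",logging" appended; non-ufs lines, comments and blanks pass
# through untouched. Write the output to a new file and review it before
# copying it over /etc/vfstab; the option takes effect at the next mount.
vfstab_add_logging() {
    awk -v OFS='\t' '
        /^#/ || NF == 0 { print; next }
        $4 == "ufs" && $7 !~ /(^|,)logging(,|$)/ {
            $7 = ($7 == "-") ? "logging" : $7 ",logging"
        }
        { print }
    ' "$@"
}

# --- 2. Unlocking root from a CD-booted shell ---------------------------
# Exit 0 if the root entry in the given shadow file (or stdin) is locked.
root_is_locked() {
    awk -F: '$1 == "root" && $2 ~ /^\*LK\*/ { found = 1 } END { exit !found }' "$@"
}

# Copy of the shadow file with root's "*LK*..." password field replaced by
# "NP" (no password), i.e. the "unlocking/NP" step from the question. Set a
# real password with passwd as soon as the box is back up multi-user.
unlock_root_shadow() {
    awk -F: -v OFS=: '
        $1 == "root" && $2 ~ /^\*LK\*/ { $2 = "NP" }
        { print }
    ' "$@"
}

# In-place variant with a backup, for use as
#   mount /dev/dsk/c0t0d0s0 /a && unlock_root_in_place /a/etc/shadow
# Writing through the redirect keeps the original file's mode and owner.
unlock_root_in_place() {
    f="$1"
    cp -p "$f" "$f.lk.bak" && unlock_root_shadow "$f.lk.bak" > "$f"
}

# --- Constructed samples and a demo run -----------------------------------
SAMPLE_VFSTAB='#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s1       -       -       swap    -       no      -
/dev/dsk/c0t0d0s0       /dev/rdsk/c0t0d0s0      /       ufs     1       no      -
/dev/dsk/c0t0d0s6       /dev/rdsk/c0t0d0s6      /usr    ufs     1       no      ro
/dev/dsk/c0t0d0s7       /dev/rdsk/c0t0d0s7      /export/home    ufs     2       yes     logging
swap    -       /tmp    tmpfs   -       yes     -'

SAMPLE_SHADOW='root:*LK*:11000::::::
daemon:NP:6445::::::
gordon:xxFAKEHASHxx:11596::::::'

printf '%s\n' "$SAMPLE_VFSTAB" | vfstab_missing_logging   # prints / and /usr
printf '%s\n' "$SAMPLE_VFSTAB" | vfstab_add_logging
printf '%s\n' "$SAMPLE_SHADOW" | unlock_root_shadow       # root:NP:11000::::::
```

The vfstab fix only changes future mounts, so the root and /usr slices pick up logging on the next remount or reboot. The shadow helper deliberately does nothing when root is not "*LK*"-locked, so running it against a box whose root was never locked is a no-op; after the system is back in multi-user mode, give root a real password with passwd before re-locking it.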

