RE: Solaris, Sudo, and locking the root account

From: Geoff Collis (geoff@andale.com)
Date: 09/28/01


Message-ID: <3C33BA4DEAB2D511A16900500488E66111D490@mail.vendorhub.com>
From: Geoff Collis <geoff@andale.com>
To: "'Gordon Ewasiuk'" <gewasiuk@gnmc.net>, focus-sun@securityfocus.com
Subject: RE: Solaris, Sudo, and locking the root account
Date: Fri, 28 Sep 2001 11:53:41 -0700

Gordon

I normally do not lock the root account, but I do restrict who knows the
password, and by convention everyone uses "sudo -s" to gain root access.
Yours is an interesting question, let's see what others say.

FWIW: depending on how brave you are, you can *avoid* the fsck by changing
its options. Usually you have no choice other than to run "-y" anyway! :-)

I usually change the /sbin/rcS file as follows:
 
# diff rcS /sbin/rcS
14,15d13
< #
< # Modified to do "fsck -y" of file systems (local hack)
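
Review bot: the argument order makes this diff read backwards. The marker comment at lines 14-15 is on the `<` side, so it belongs to the first file (`rcS`), and `/sbin/rcS` is shown as the file without it. Generate the diff with the unmodified file as the first argument so the local change lands on the `>` side. The comment should also record who made the change and why, since it is the only note in the file that the boot-time fsck options were altered.
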
201c199
< ufs) foptions="-y"

---
>                       ufs)    foptions="-o p"
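
Review bot: at line 201 `foptions="-y"` takes the place of the preen option `-o p` for ufs, so every repair fsck proposes is accepted with nobody looking at it, whereas preen mode fixes only routine inconsistencies and exits when something needs intervention. Consider keeping `-o p` as the first pass and falling back to `-y` only when that pass fails, and keep the fsck output somewhere that survives the boot so the repairs can be reviewed afterwards.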

Then you never get asked, either it works or it's time to reinstall! :-)

- Geoff

-----Original Message-----
From: Gordon Ewasiuk [mailto:gewasiuk@gnmc.net]
Sent: Thursday, September 27, 2001 10:27 AM
To: focus-sun@securityfocus.com
Subject: Solaris, Sudo, and locking the root account

Hi All,

What is the general feeling towards locking the root account on Solaris when using sudo? We use sudo on Solaris everywhere and lock the root account. This forces all users to sudo -s for a root shell - BUT - after an abnormal shutdown, if a filesystem comes up dirty, it might need a manual fsck pass. This, of course, requires the root password to enter maint. mode.

I've got no problems booting from a CD, mounting the root FS, and unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny when I explained it to him.

Is this a standard practice or making more trouble than it's worth?

TIA,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------


