Re: Solaris, Sudo, and locking the root account

From: Neil Dickey
Date: Fri, 28 Sep 2001 15:03:38 -0500 (CDT)
Subject: Re: Solaris, Sudo, and locking the root account

Gordon Ewasiuk wrote asking:

>What is the general feeling towards locking the root account on Solaris
>when using sudo? We use sudo on Solaris everywhere and lock the root
>account. This forces all users to sudo -s for a root shell - BUT - after
>an abnormal shutdown, if a filesystem comes up dirty, it might need a
>manual fsck pass. This, of course, requires the root password to enter
>maint. mode.

Sooner or later, everything having to do with security comes down to trust
-- not software so much as people. If the people chosen to be administrators
of a system cannot be trusted with the root account, then you have a serious
and insurmountable problem to start with so long as those people are in your
employ. That said, if your people are trustworthy and the root password is
a good one, then what's the problem with leaving the account unlocked? There
are lots of ways of hacking root privileges that don't involve knowing the
root password. Nowadays they seem to be the principal threat.

I'm neglecting, of course, the use of 'sudo' to allow student or other part-
time help to do such bread-and-butter tasks as performing system backups.

Quick question: Does the sudo shell you use confer full root privileges, or
is it restricted? If the former, then, again, why bother? If the latter,
then it's conceivable that you will be unable to deal with some unforeseen
future combination of adverse circumstances. I think it's best not to paint
one's self into a corner.

>I've got no problems booting from a CD, mounting the root FS, and
>unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
>when I explained it to him.

That would work unless the CD drive went bad, and they do. That could
be a real heart-breaker if time is money and the boss is standing there
looking daggers at you while you order a new one.

>Is this a standard practice or making more trouble than it's worth?

Given that one is using stuff like SSH2, etc., and not sending the root
password in the clear over the net -- EVER -- my personal opinion, subject
to revision if circumstances warrant, is that you are making more trouble
for yourself than it's worth. ;-)

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
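An added example, not part of the thread, that turns the two questions above into a check a Solaris admin could run: is root actually locked, and does the sudo rule amount to a full root shell anyway? The shadow and sudoers lines are constructed samples; the `*LK*` marker is what Solaris `passwd -l` writes into the password field. The sudoers check is a heuristic on one rule line, not a full sudoers parser.

```shell
#!/bin/sh
# Constructed sample data (not taken from any real host).
SHADOW_LOCKED='root:*LK*:11593::::::'
SHADOW_UNLOCKED='root:x2sYnK9ab1Cde:11593::::::'
SUDOERS_FULL='%wheel ALL=(ALL) NOPASSWD: ALL'
SUDOERS_RESTRICTED='%ops ALL=(root) /usr/sbin/ufsdump, /usr/sbin/ufsrestore'

# root_locked <shadow line>: "locked" if the password field carries the
# Solaris *LK* lock marker, "unlocked" otherwise. A locked root means
# single-user / maintenance mode (e.g. a manual fsck) cannot be entered.
root_locked() {
  pw=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$pw" in
    '*LK*'*) echo locked ;;
    *)       echo unlocked ;;
  esac
}

# sudo_shell_scope <sudoers rule>: "full" when the command list is ALL or
# names a shell (sudo -s territory), i.e. the rule is a root password by
# another name; "restricted" when only specific commands are granted.
sudo_shell_scope() {
  cmds=$(printf '%s\n' "$1" \
    | sed 's/^[^=]*=[[:space:]]*//;   s/^([^)]*)[[:space:]]*//;   s/^[A-Z]*:[[:space:]]*//')
  case "$cmds" in
    ALL|*/bin/sh*|*/bin/ksh*|*/bin/csh*|*/bin/bash*) echo full ;;
    *) echo restricted ;;
  esac
}

# assess <shadow line> <sudoers rule>: one-line summary of the trade-off.
assess() {
  echo "root=$(root_locked "$1") sudo=$(sudo_shell_scope "$2")"
}

# Demo: a locked root with an unrestricted sudo rule is the combination the
# thread discusses (locked root buys little, but still blocks maintenance mode).
assess "$SHADOW_LOCKED" "$SUDOERS_FULL"
assess "$SHADOW_UNLOCKED" "$SUDOERS_RESTRICTED"
```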
