Re: Solaris, Sudo, and locking the root account

From: Trevor Fiatal (trevor@seven.com)
Date: 09/29/01


Message-ID: <3BB5130E.D1294BE9@seven.com>
Date: Fri, 28 Sep 2001 17:17:18 -0700
From: Trevor Fiatal <trevor@seven.com>
To: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: Solaris, Sudo, and locking the root account

Darren Moffat wrote:
>
> You might want to consider using RBAC in Solaris 8 and making the root
> account a role. This means root can't be directly logged into and only
> those people who have been given the password and the role can assume the
> role. For all others they run the commands they need as the relevant uid,
> via RBAC just as happens with sudo.
>
> With RBAC the root account isn't locked so in single user when sulogin runs
> it can still verify the password.

If it wouldn't be too onerous, I'd be interested in seeing an
explanation of how to implement this. A one-page practical
example is worth 50 pages of generic explanations, and RBAC is
one of those areas I've been interested in but haven't seen a
wealth of clear examples on.

-Trevor

-- 
Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
Co-Founder
Seven
510.967.4556 (work/mobile)  
510.401.8054 (vmail/fax)


