On Sun, Nov 27, 2011 at 7:56 PM, Matt Connolly <[email protected]> wrote: > > On 28/11/2011, at 1:35 AM, Bill Sommerfeld wrote: >> On 11/27/11 04:36, Matt Connolly wrote: >>> This still didn't help. But again, setting the root user password with >>> `sudo passwd root` enables me to authenticate to the root role using that >>> root password. (not my user password, as I would use with sudo). >>> >>> Any reason why the installer would not give the "Primary Administrator" >>> profile to the first user on the machine? >> >> A user account granted the "Primary Administrator" profile becomes >> equivalent to root -- any process running as that uid can "pfexec rm -rf >> /usr" or anything more destructive. >> >> > If the first user can't do it, who can? >> >> Primary Administrator is too powerful to grant to a "use every day" user >> account. > > Granted. Although I would think an option during the install process to grant > "Primary Administrator" role to that first user (perhaps with an appropriate > warning) would be fine. (As far as risk goes, the first user is given access > to root via sudo anyway). > > I'm happy using sudo because it asks to confirm password (which pfexec > doesn't), but I see two caveats with that: > 1. no support for role based auditing > 2. all the existing system panels use the role/profile approach.
I do not know how sudo is compiled in openindiana but sudo has proper support for BSM, patches have been submitted for that in 2008 seriously, the primary administrator thing was an extremely bad idea. Oracle fixed that particular blunder with solaris 11 making su work like sudo for the most part > >> >>> If it wasn't for sudo, you'd have to boot into single mode to change >>> anything! >> >> the folks who made the opensolaris installer grant the first regular user >> the "primary administrator" role, and then splattered pfexec all over the >> documentation, made a terrible mistake; the installer has only been >> corrected recently, after too many opensolaris users have been mistrained to >> use pfexec the wrong way. > > And finally, just to clarify one more thing, when you use those system panels > (like SMF Services, etc) that ask you to authenticate as root role, should it > be the root password or your user password? to login to a role, you need the role password > > Thanks, > Matt > > > _______________________________________________ > OpenIndiana-discuss mailing list > [email protected] > http://openindiana.org/mailman/listinfo/openindiana-discuss > _______________________________________________ OpenIndiana-discuss mailing list [email protected] http://openindiana.org/mailman/listinfo/openindiana-discuss
