SUMMARY: Create additional superuser

From: Andrew Luande <luandea_at_paynet.co.ke>
Date: Thu Jan 08 2004 - 05:48:55 EST

I got very good responses from all the kind people below.

A simple way (but not recommended for lack of audit) of doing it is by
creating a normal user, and editing the entry in /etc/passwd. Set the UID
and GID in the file to 0.

    admin:x:0:0::/:/bin/ksh

Problem with this is files created will be owned by root still, not the new
name, because there's a 1 to 1 mapping between UIDs and usernames and for
audit purposes will be difficult to tell which user did what.

There are two other utilities that you can use for this:

- sudo -> http://www.courtesan.com/sudo/
- RBAC -> integrated with Solaris 8,9. See:
  www.sun.com/solutions/blueprints/0603/817-3062.pdf


and below are comparisons from Ximo Domenech [ximo_d@yahoo.com] on the
differences

----------------------------------

RBAC doesn't work if you want to assign special authorizations that are not
included in the auth_attr database. Sudo helps you assign any authorizations
you might think of, or need to assign.

But if you don't have any special authorizations you need to implement, RBAC
is much better, controllable. I currently have a sudoers file that is 19k
long, and is quite difficult to figure out to move to different environment.
Plus RBAC is fully supported by Sun when sudo is not.

Unfortunately both of them don't have a way to centralize all the data.


----------------

RBAC Advantages:

Built in to Solaris 9
Easy to configure in S9 with WBEM/SMC interface
Very flexible

RBAC Cons:

Roles and rights not clearly defined
Found I needed to test quite a bit
Not as granular as sudo

Sudo Advantages:

Small, lightweight
No massive GUI needed to configure
Very very granular
Superior logging

Sudo Disadvantages:

No ability to 'become' a role as with RBAC
Have to define each and every command so setup takes longer
Need to compile and install
Not integrated with BSM

-----------

Sudo allows more customized control over homemade scripts in my opinion.
RBAC I would say controls more system level controls, printing, ufsdumps,
useradds.... No expert but that is what I think the diffs are.

--------------

RBAC and sudo do roughly the same thing, as I'm sure you know. There are a
few key differences though.

1) RBAC is more difficult and complex to set up than sudo
2) RBAC is integrated into the Solaris authentication mechanism, whereas
   sudo acts like a 'shell' on top of the services.
3) RBAC is designed for a network. sudo is generally set up on single
   machines.
4) RBAC is supported by Sun.

If you have a broad environment and want one central privilege granting
system, you will definitely want to use RBAC. If you just have a few
machines that you want to set up pseudo-root access to, then sudo is
probably easier (especially since you're familiar with it).

Looked at another way, RBAC is more difficult, but more powerful and it
scales much better than sudo. The size of your environment and your
requirements will determine which is the better tool.

--------------------

Sudo is easier to configure, RBAC has GUI tools to help you configure it,
RBAC is part of the operating system and will probably remain so.  The more
people that switch to native tools, the less the need for other tools.

Ole-Morten Duesund [oduesund@bergen.oilfield.slb.com],
ed.rolison@itc.alstom.com, hatter@pzat.meep.org, Ximo Domenech
[ximo_d@yahoo.com], dom clermont [domclermont@yahoo.com], Bradley Alan
[ABradley@omam.com], Joohyun Cha [zoo11@hst.co.kr], Ole-Morten Duesund
[oduesund@bergen.oilfield.slb.com], Meier Adrian
[ADRIAN.MEIER@T-SYSTEMS.CH], Parissis Pavlos [PParissi@athens2004.com],
Ronny Martin [rmartin@be.tiscali.com],

Hi,

Good day all.  I would like to know if it is possible for me to create
another user, with superuser rights.  Say a mirror of superuser for
additional administrators.  Thanks
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Jan 8 05:48:50 2004
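
The audit problem raised in the summary above (a second /etc/passwd entry with UID 0 is indistinguishable from root) can be checked for from the administrator's side. The following is an added example, not part of the original post; it generalizes to any UID shared by several account names, and the function names and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file
# for the shared-UID situation described above. Function names and the
# sample entries are constructed for illustration.

# shared_uids FILE: print "<uid>: name1,name2,..." for every UID that is
# assigned to more than one account name. FILE may be "-" for stdin.
shared_uids() {
    awk -F: '
        NF < 7 || $3 !~ /^[0-9]+$/ { next }   # skip malformed entries
        {
            uid = $3 + 0                      # normalise "00" to 0
            if (uid in names) { names[uid] = names[uid] "," $1; shared[uid] = 1 }
            else              { names[uid] = $1; order[++n] = uid }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in shared) print order[i] ": " names[order[i]]
        }
    ' "${1:-/etc/passwd}"
}

# extra_superusers FILE: print every UID-0 account name other than "root".
extra_superusers() {
    awk -F: 'NF >= 7 && $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Constructed sample entries; "admin" is the line shown in the post.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
admin:x:0:0::/:/bin/ksh
andrew:x:1001:10::/export/home/andrew:/bin/ksh
EOF
}

sample_passwd | shared_uids -        # 0: root,admin
sample_passwd | extra_superusers -   # admin
```

Called with no argument, both functions read /etc/passwd on the local machine.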
