On 26.05.2012 10:16, Thomas Leineweber wrote:
On 26.05.2012 01:24, Claudio Freire wrote:
On Fri, May 25, 2012 at 8:07 PM, Hans Witvliet wrote:
b) In a large company, specific roles are assigned to certain users. Those users should only be troubled with their own pwd, and should have access to neither the root pwd nor root privileges.
Dedicated accounts with their own pwd are a nightmare for an organisation.
What do you mean with that? I can only parse that sentence to mean all users should have the same password, which seems quite unlikely to be what you meant as that's nonsense.
I would read it as follows:
If there is a dedicated account with its own pwd for the administration of a service, it is not possible to see who did the administration task. Nearly "everybody" could have logged in as the dedicated user, because many persons know the pwd. That is in contrast to the requirement that you can find out who has done the administration task.
That's not correct; su currently logs to syslog when you switch to another user, and shells such as ksh93 provide auditing and per-user accounting facilities. Furthermore, with a role account you'd disallow direct login for role accounts and restrict role assumption to users who have explicit authorization to do so. I'm not sure how RBAC with SELinux works, but e.g. in Solaris you can assign "rights profiles" (which are an aggregation of related privileges) even directly to a user instead of a role account, who can then invoke commands with elevated privileges without an additional password but still with full auditing.
-- 
Guido Berhoerster
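The two points made above, that the su/sudo log trail tells you which human acted as a role account and that direct logins to role accounts should be disallowed, can be checked mechanically from syslog. The following is an added example, not code from the thread or from openSUSE; the log lines are constructed samples in the shape of the messages written by shadow-utils su, sudo and OpenSSH sshd, and the AUTHORIZED map (which users may assume which role account) is an assumption standing in for whatever pam_wheel, sudoers or a Solaris rights profile would express on a real system.

```python
"""Attribute role-account activity to the person who invoked it.

Added example (not from the mailing-list thread). Parses syslog lines of
the form emitted by shadow-utils `su`, `sudo` and OpenSSH `sshd`, answers
"who acted as role account X?", and flags two conditions the thread
discusses: a user assuming a role account without being on its authorised
list, and a direct login to a role account, which loses attribution.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log, not real system output.
SAMPLE_LOG = """\
May 26 10:16:01 build01 su: (to dbadmin) alice on pts/0
May 26 10:16:05 build01 su: pam_unix(su:session): session opened for user dbadmin by alice(uid=1001)
May 26 10:20:42 build01 su: (to dbadmin) mallory on pts/3
May 26 10:31:10 build01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=webadmin ; COMMAND=/usr/bin/systemctl restart nginx
May 26 10:45:00 build01 sshd[2301]: Accepted password for dbadmin from 10.0.0.7 port 51022 ssh2
"""

# Assumed policy: which users may assume which role account.
AUTHORIZED: Dict[str, Set[str]] = {"dbadmin": {"alice", "carol"}, "webadmin": {"bob"}}

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
# "su: (to dbadmin) alice on pts/0": the switch record su writes to syslog
SU_RE = re.compile(TS + r"su: \(to (?P<role>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")
# sudo's default record: invoking user, tty, target user and exact command
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<actor>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
                     r"USER=(?P<role>\S+) ; COMMAND=(?P<cmd>.*)$")
# sshd accepting a login straight into an account: no human actor is recorded
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (?P<role>\S+) from (?P<src>\S+)")


@dataclass
class RoleEvent:
    ts: str
    host: str
    role: str              # account whose privileges were used
    actor: Optional[str]   # human behind it; None if the log cannot tell
    via: str               # "su", "sudo" or "sshd"
    detail: str            # tty, command or source address


def parse_events(log_text: str) -> List[RoleEvent]:
    """Extract role-assumption and role-login events; other lines are ignored."""
    events: List[RoleEvent] = []
    for line in log_text.splitlines():
        if m := SU_RE.match(line):
            events.append(RoleEvent(m["ts"], m["host"], m["role"], m["actor"], "su", m["tty"]))
        elif m := SUDO_RE.match(line):
            events.append(RoleEvent(m["ts"], m["host"], m["role"], m["actor"], "sudo", m["cmd"]))
        elif m := SSHD_RE.match(line):
            events.append(RoleEvent(m["ts"], m["host"], m["role"], None, "sshd", m["src"]))
    return events


def who_used(log_text: str, role: str) -> List[str]:
    """Answer the thread's question: which people acted as this role account?"""
    return [ev.actor or "UNKNOWN" for ev in parse_events(log_text) if ev.role == role]


def audit(log_text: str, authorized: Dict[str, Set[str]]):
    """Flag unauthorised role assumption and attribution-losing direct logins."""
    findings = []
    for ev in parse_events(log_text):
        if ev.role not in authorized:
            continue  # not a role account this policy tracks
        if ev.actor is None:
            findings.append(("direct_role_login", ev))
        elif ev.actor not in authorized[ev.role]:
            findings.append(("unauthorized_role_assumption", ev))
    return findings


if __name__ == "__main__":
    print("dbadmin was used by:", who_used(SAMPLE_LOG, "dbadmin"))
    for kind, ev in audit(SAMPLE_LOG, AUTHORIZED):
        print(f"{kind}: {ev.ts} {ev.host} role={ev.role} actor={ev.actor} via={ev.via} ({ev.detail})")
```

On the sample data the su and sudo records attribute every action to a named person, while the sshd record shows exactly the gap Thomas describes: a shared-password login to the role account leaves no way to tell who was behind it. That is why the reply recommends disallowing direct login for role accounts and limiting who may assume them.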