On 26.05.2012 12:03, Guido Berhoerster wrote:
> On 26.05.2012 10:16, Thomas Leineweber wrote:
>> I would read it as follows:
>> If there is a dedicated account with its own pwd for the administration of a service, it is not possible to see who did the administration task. Nearly "everybody" could have logged in as the dedicated user, because many persons know the pwd. That is in contrast to the requirement that you can find out who has done the administration task.
> That's not correct; su currently logs to syslog when you switch to another user, and shells such as ksh93 provide auditing and per-user accounting facilities. Furthermore, with a role account you'd disallow direct login for role accounts and restrict role assumption to users which have explicit authorization to do so.
> I'm not sure how RBAC with SELinux works, but e.g. in Solaris you can assign "rights profiles" (which are an aggregation of related privileges) even directly to a user instead of a role account, who can then invoke commands with elevated privileges without an additional password but still with full auditing.
You are right that su et al. are logging the switches. I was talking about the possibility of a direct login to a role account without going through a personalized account before. Sorry for the confusion.

Thomas
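As an added example (not code from this thread or from openSUSE), the accountability check the two messages turn on: a switch into a role account via su leaves a syslog record naming the personal user behind it, whereas a direct login to the role account, the case Thomas describes, cannot be attributed to anyone. The script assumes the util-linux su and OpenSSH syslog line formats, a hypothetical role account `webadmin`, and constructed sample log lines.

```python
import re

# Role accounts that should only be reached via su from a personal account,
# never by direct login (assumption for this example).
ROLE_ACCOUNTS = {"webadmin"}

# Constructed sample lines modelled on util-linux su and OpenSSH syslog
# output; they are not real log data.
SAMPLE_LOG = """\
May 26 12:01:02 host su: (to webadmin) thomas on pts/1
May 26 12:05:10 host sshd[4321]: Accepted password for webadmin from 192.0.2.7 port 50022 ssh2
May 26 12:07:44 host su: FAILED SU (to webadmin) carol on pts/2
May 26 12:09:00 host sshd[4399]: Accepted publickey for guido from 192.0.2.8 port 50100 ssh2
"""

# util-linux su: "su: (to TARGET) ACTOR on TTY" / "su: FAILED SU (to TARGET) ACTOR on TTY"
SU_RE = re.compile(
    r"su: (?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)"
)
# OpenSSH: "sshd[PID]: Accepted METHOD for USER from SRC port ..."
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)


def audit(log_text, role_accounts=ROLE_ACCOUNTS):
    """Return (attributed, findings).

    attributed: successful role-account switches, each traceable to the
                personal user who performed it (actor, role, tty).
    findings:   events that break accountability: direct logins to a role
                account (no personal user behind them) and failed su attempts.
    """
    attributed, findings = [], []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            if m["target"] in role_accounts:
                if m["failed"]:
                    findings.append(("failed_su", m["actor"], m["target"]))
                else:
                    attributed.append((m["actor"], m["target"], m["tty"]))
            continue
        m = SSHD_RE.search(line)
        if m and m["user"] in role_accounts:
            findings.append(("direct_login", m["user"], m["src"]))
    return attributed, findings
```

Direct logins to the role account are the records worth alerting on; blocking them (for example by denying the role account an interactive login shell or listing it in sshd's DenyUsers) removes the gap Thomas points out while keeping the su trail Guido relies on.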