Creating the toor account
Hi all,
I would like to create a toor account in Solaris,
so that I do not need to use root for installing
programs or other tasks, once the root account
is by default very limited in $PATH $MANPATH,
has no nice aliases etc.
Can anyone tell me the steps for doing that?
Thanks
[326 byte] By [tunelera] at [2007-11-26 20:15:07]

# 1
standard useradd(1m) process. "toor" is so 80s, we use "sudo" nowadays. :-)
# 2
or rbac....
the point being you should have one (and only one) user with a uid of 0. to the os, that user is root. for maintenance and accountability, it's better to use rbac (as of solaris 8) or sudo. that way, a non-privileged user can still run specified command(s) as root without having all power granted to that user.
may not sound like a big deal, but trust me...it's better to screw things up as a nonroot user than as root / toor.
hope this helps,
brian
# 3
Sorry,
I don't agree with you. Sudo or rbac provide some privileged functions
to normal users. It is completely another story.
I want a user for daily administrative tasks on solaris.
Just because doing it from root is horrible, once you always
log in to sh shell, and has a very restricted path.
I created toor with uid 0, the same as root, and it works great.
I have my preferred shell and customized PATH, MANPATH etc,
what you cannot do with root.
It is also not allowed to login directly to toor from network, so that
it does not offer considerable additional security risks.
That is it ...
# 4
IMO, there's no point in keeping root in "crippled" default state.
Ever since Solaris 2.3, I've changed root's shell to /bin/ksh without any problems. Along with that, I apply a "useful" /.profile to every server, it looks like:
PATH=/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib
PS1="`uname -n`# "
export PATH LD_LIBRARY_PATH PS1
EDITOR=vi ; export EDITOR
VISUAL=vi ; export VISUAL
PAGER=less ; export PAGER
alias ll='ls -l'
alias la='ls -la'
stty erase '^H'
set -o emacs
If you boot singleuser, you get an error about the last line ("set -o emacs"), but it's a minor complaint. You could wrap it to test for the shell, or just accept the error (when booting singleuser). :-)
I assume that /usr exists any time / exists, booting Solaris 2.x with / and not /usr is rare and painful (better off netbooting or reaching for that infamous "disc 1", IMO). Most of my server installs lump / and /usr onto the same partition anyway.
Aside from that little bit of insanity in my world....
As the primary sysadmin for (almost) every box I touch, I do nearly everything with "sudo" anyway. It is good accounting practice, among many other good reasons.
# 5
A note about sudo..
The only folks I know who have had real issues with sudo were those using bash, with its dot files (.bashrc/.bash_profile) in regards to how it interprets interactive/non-interactive mode.
If you're pulling your hair out over sudo not picking up specific environment settings, that's probably why.
# 6
I completely agree with Windsor. What's the point of a crippled root account? It protects nothing, and it's more of a hassle to work with it.
I too change root's shell to ksh; have a very long path; a bunch of prompts, aliases, and env settings; these have nothing to do with the normal operation of the server, merely an environment when logged in as root.
# 7
> Ever since Solaris 2.3, I've changed root's shell to /bin/ksh without any problems
Or bash. A matter of taste. You might want to retain a sensibly short PATH, since putting a trojan in root's PATH is one of the old tricks in the book.
For historical reasons, Solaris has used /sbin/sh as the root shell because it's a static binary. Since there is no reason to mount /usr as a separate filesystem anymore, and a good sysadmin should be able to boot into recovery mode off cdrom or net, there is really no advantage to using /sbin/sh as the root shell.
If you get tired of constant fiddling with the sudoers file (or Solaris 10 roles if you're into that kind of thing), even setting up sudo to allow certain users to "sudo bash" is better than having a shared root account, since there is some accounting of who did what. But once some dumbass makes a mistake as shared root and you have to stay up all night cleaning up the mess they made, the advantages of doling out privileges in as small portions as possible with sudo will become obvious.
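Added example, not part of any post in this thread: a POSIX sh audit for the two risks raised above, more than one account with uid 0 (reply # 2) and a root PATH that someone else can write into (reply # 7). The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two checks on a host's superuser setup.

# Names of all accounts whose UID field is 0, read from a passwd-format
# file ("-" reads standard input).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# PATH entries where someone other than root could plant a program:
# the current directory (an empty entry), relative paths such as ".",
# and directories writable by group or other.
risky_path_entries() {
    case ":$1:" in
        *::*) echo "(empty entry): means the current directory" ;;
    esac
    old_ifs=$IFS; IFS=:
    set -f                      # no glob expansion while splitting on ':'
    for dir in $1; do
        case "$dir" in
            "") continue ;;     # already reported above
            /*) ;;              # absolute path, check permissions below
            *)  echo "$dir: not an absolute path"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # -L follows symlinks such as Solaris /bin -> /usr/bin
        perms=$(ls -ldL "$dir" | awk '{ print $1 }')
        case "$perms" in
            ?????w*|????????w*) echo "$dir: group/world writable ($perms)" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# Constructed sample: a passwd file with a second uid 0 account named toor.
echo "UID 0 accounts in sample:"
uid0_accounts - <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
toor:x:0:0:Second superuser:/:/bin/ksh
daemon:x:1:1::/:
EOF

echo "Risky entries in the current PATH:"
risky_path_entries "$PATH"
```

Run it as the account being audited so that "$PATH" is the one that account really uses; pass /etc/passwd to uid0_accounts to check the live system.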
# 8
Ok, you convinced me to use sudo.
But changing the root shell brought me already big problems.
I do not know about ksh, but I once changed it to tcsh and
the CDE environment did not start. Some shell script did not execute.
I will try ksh. Thanks all...
....... it was a nice discussion.