Full Discussion: Create another root account
Operating Systems AIX Create another root account Post 302924503 by bakunin on Monday 10th of November 2014 07:49:29 AM
Old 11-10-2014
Quote:
Originally Posted by bobochacha29
I have got a problem.
I have added all default roles to my user ( root2 )
You already got advice about how to deal with your imminent problem. I would like to add some general remarks about RBAC: my professional experience is to better stay away from RBAC (as well as ACLs, for that matter, and for similar reasons) and restrict yourself to the classical user rights management UNIX offers.

The UNIX privilege model is very simple and - at first sight - not very flexible. On the other hand, as long as you stay within its boundaries it can be managed with an absolute minimum of effort. Any query or change, regardless of addressing a single user or many, a single file or many, can be done in a minimum of steps and in most cases only one command is needed.

RBAC (and ACLs as well) offer the ability to use a much more fine-grained model. Allow userA to execute cmdB but not cmdC and userB the other way round, etc. This is an alluring prospect, but if you really start to put all these offered capabilities into practice, quite soon you have a system which is way too complex to be handled effectively. Instead of a simple "ls -l" you need to cross-correlate long lists of "userA is able to execute cmdB only when ... and then only at ... but not in the presence of ... except if ...". Once you got through all the ifs, whens, and excepts you probably have forgotten what you originally wanted to do in the first place.

In short: UNIX privilege management is very simplistic, but it is so for a reason: stick with it and you always have a manageable system. Use all the fancy additional possibilities (RBAC, ACLs, even both) and very likely you will be able to solve a singular problem more easily but in the long run end up with a system which is hard (if not impossible) to manage and a privilege structure which is neither easily nor quickly adapted to changing demands.

I hope this helps.

bakunin
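
The userA/cmdB/cmdC scenario from the post above, expressed with nothing but owner, group and mode bits, together with the single-pass "who may execute what" query the classical model allows. This is an added example, not part of bakunin's post; the uids, gids, the groups grpb and grpc, and the file paths are constructed for illustration.

```python
# Constructed sample data: users, groups and files are illustrative only.
USERS = {
    "userA": {"uid": 201, "gids": {300}},   # member of grpb (gid 300)
    "userB": {"uid": 202, "gids": {301}},   # member of grpc (gid 301)
}
FILES = {
    "/usr/local/bin/cmdB": {"uid": 0, "gid": 300, "mode": 0o750},  # root:grpb
    "/usr/local/bin/cmdC": {"uid": 0, "gid": 301, "mode": 0o750},  # root:grpc
}


def allowed(mode, f_uid, f_gid, uid, gids, want):
    """Classical UNIX check: exactly one class (owner, group, other) applies.

    `want` is a subset of "rwx". The first matching class decides and there
    is no fall-through: an owner denied by the owner bits is not rescued by
    the group or other bits.
    """
    if uid == 0:
        # root bypasses read/write checks; execute needs at least one x bit
        return "x" not in want or bool(mode & 0o111)
    if uid == f_uid:
        bits = (mode >> 6) & 7
    elif f_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(want))
    return (bits & need) == need


def exec_matrix(users, files):
    """Who may execute what: one pass over users x files, no side tables."""
    return {
        (name, path): allowed(f["mode"], f["uid"], f["gid"],
                              u["uid"], u["gids"], "x")
        for name, u in users.items()
        for path, f in files.items()
    }


if __name__ == "__main__":
    for (name, path), ok in sorted(exec_matrix(USERS, FILES).items()):
        print(f"{name:6} {path:22} {'x' if ok else '-'}")
```

The whole decision procedure is the three-way class selection in `allowed`; every answer can be read off the same three fields that `ls -l` prints.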
 
