[indiana-discuss] pfexec?
David Abrahams
dave at boostpro.com
Thu May 28 08:19:16 PDT 2009
on Thu May 28 2009, Martin Bochnig <martin-AT-martux.org> wrote:
> On Thu, May 28, 2009 at 7:58 AM, Fajar A. Nugraha <fajar at fajar.net> wrote:
>> On Thu, May 28, 2009 at 12:36 PM, Martin Bochnig <martin at martux.org> wrote:
>>> On Thu, May 28, 2009 at 2:30 AM, David Abrahams <dave at boostpro.com> wrote:
>>>>
>>>> Coming from other unices I find this strange pfexec thing being used in
>>>> some places where sudo or su might have been used otherwise, and I'm
>>>> trying to figure out its proper application. Can anyone offer a helpful
>>>> pointer?
>>>
>>>
>>> In addition to being much more fine-grain-controllable, RBAC offers
>>> you the convenience that you do not need to re-type the password
>>> every time you run pfexec.
>>
>> Note that sudo and su still work as well.
>> If you prefer to login directly as root (which is disabled by
>> default), you can use pfexec to set root password and edit
>> /etc/user_attr and remove "type=role;" from root.
>>
>> --
>> Fajar
>
>
> Yes, good that you mention it. Of course sudo still works and is already
> available as IPS package. Search it with "pfexec pkg search -r sudo".

I have already been using it, thanks. It's not that I prefer sudo; I'm
just trying to understand the proper place of pfexec in the system.
It's a little odd to issue admin commands without ever issuing a
password, but I guess sudo doesn't really offer more security since an
intruder has probably already got your password if he's logged in as
you?

> And there is a 3rd option as well: In a failsafe scenario you can boot
> whatever other medium (fail-safe mode, another bootable zpool, another
> bootenv, a USB stick, LiveCD, NET, whatever ... ) and have root access
> from there.
> Or, 4th way, just: In single user mode root is not yet a role and a
> direct login to the text console is always possible from there.

Sure, I'm not at a loss for avenues to root privs. I'm just trying to
figure out if there are any guidelines about what to use and when.

Thanks,

--
Dave Abrahams
BoostPro Computing
http://www.boostpro.com
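
Added example, not part of the original thread: a POSIX shell check for the `/etc/user_attr` edit mentioned in the quoted replies, reporting whether root is still a role and which users name it in their role list. The sample entries are constructed and the function names are hypothetical; the `roles=` key and the default of `normal` when `type` is absent are assumptions taken from the user_attr file format, not from the thread.

```shell
#!/bin/sh
# Constructed sample entries in user_attr layout: user:qualifier:res1:res2:attr
SAMPLE_DEFAULT=$(mktemp); SAMPLE_EDITED=$(mktemp)
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_EDITED"' EXIT
cat > "$SAMPLE_DEFAULT" <<'EOF'
# root is a role; jack may assume it
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
jack::::profiles=Primary Administrator;roles=root
dave::::profiles=Basic Solaris User
EOF
# Same file after removing "type=role;" from root, as described in the thread
sed 's/^\(root::::\)type=role;/\1/' "$SAMPLE_DEFAULT" > "$SAMPLE_EDITED"

# attr_value ATTRS KEY: print KEY's value from a ';'-separated key=value list
attr_value() {
    _s=";$1;"
    case $_s in *";$2="*) ;; *) return 1 ;; esac
    _s=${_s#*";$2="}
    printf '%s\n' "${_s%%;*}"
}

# account_type FILE USER: print role, normal (assumed default) or absent
account_type() {
    _found=absent
    while IFS=: read -r _user _qual _r1 _r2 _attr; do
        case $_user in ''|'#'*) continue ;; esac
        [ "$_user" = "$2" ] || continue
        _found=$(attr_value "$_attr" type) || _found=normal
    done < "$1"
    printf '%s\n' "$_found"
}

# users_assuming FILE ROLE: print users whose roles= list names ROLE
users_assuming() {
    while IFS=: read -r _user _qual _r1 _r2 _attr; do
        case $_user in ''|'#'*) continue ;; esac
        _roles=$(attr_value "$_attr" roles) || continue
        case ",$_roles," in *",$2,"*) printf '%s\n' "$_user" ;; esac
    done < "$1"
}

# Report both states: a "normal" root means direct root login is possible
for f in "$SAMPLE_DEFAULT" "$SAMPLE_EDITED"; do
    echo "root type: $(account_type "$f" root);" \
         "may assume root: $(users_assuming "$f" root | tr '\n' ' ')"
done
```
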