[install-discuss] Install time user creation & root
Darren J Moffat
Darren.Moffat at Sun.COM
Wed Apr 11 09:54:04 PDT 2007
Someone said to me in private email:
> For a laptop or other single user device this is all completely
> moot. If only one person knows the root password ever, roles
> don't matter. If the machine has multiple users, roles make
> sense.
I replied directly but I think it is useful for everyone to see the
reply (though it isn't necessary for people to know who made that
statement to me). This is a slightly revised version of what I replied
with.
There is a reason we don't allow root to login over the network
(telnet, rlogin and ssh) by default on Solaris and haven't done so for a
very long time. So root is already partly a role, it is just that that
part is enforced by an older bit of code in Solaris.
Also consider that MacOS X effectively makes the root account a
role by marking it as disabled and NOT assigning it a password.
Roles are NOT just about ensuring only those with the password can
authenticate to it but also about ensuring that they can't directly
login. We shouldn't be encouraging people to directly login as root on
the console - especially graphically. Developer or not.
Also it is a wrong assumption to assume that a laptop or workstation in
a non network nameservice environment only has one user and that they
are all equal. Consider the fast-user switching functionality in
Windows, MacOS X, Linux that we will be getting really soon too with the
virtual-consoles project. In that case it is common to have accounts on
the laptop for Dad (the admin), Mum (also an admin), and the kids (not
the admins) - or depending on the household reverse the roles :-)
MacOS X and Windows Vista (even XP to an extent) both now strongly lead
you this way during initial installation.
In MacOS X (and I believe in Vista - certainly in XP) you need to be
explicitly tagged as being an account allowed to use admin
functionality. In Solaris one of the ways we do that is make root a role.
Also consider that in many companies laptops are
centrally configured and deployed with local accounts for the users they are
given to. Those users aren't allowed to have admin access to those
laptops. This is good practice even for Solaris. While it doesn't fit
the developer model it doesn't mean it isn't valid and since it is the
more secure way it should be the default.
Finally making root a role on a single user account laptop if that
single user account has the root role only changes one thing. The
ability to login directly as root - something that we shouldn't (and
don't) encourage users to do anyway.
--
Darren J Moffat