We will be creating a new server build model using Solaris 11 and I wanted to know a little more about sudo.
I have had a very limited introduction to how it works in Ubuntu Linux, but we only use that for workstations. I wonder what its potential is in Solaris.
- I understand that certain users can be given root access without providing them the root password. I like this.
- I also have seen it implied that some kind of matchers can be applied to only allow certain access. This of course has limited use, but it can:
  - add a layer of work before a user is able to sabotage the system, perhaps delaying the sabotage until his/her access is revoked (this should never be a problem, but it is good to have measures in place in case there is misplaced trust a couple of years from now)
  - prevent mistakes, for example accidentally shutting down the wrong machine.
  - simplify some processes; for example, a user may be charged with keeping the DNS server up to date, in which case they could be given access to specific zone files, as well as permission to run svcadm refresh dns-server.
My questions are:
- What capabilities apply to Solaris, as opposed to either Linux or just myth?
- Do you have recommended reading material on sudo (as it relates to Solaris)?
- Would you recommend that I use it, or just stay with su -?
sudo works pretty much identically on Solaris as it does on Linux, FreeBSD, AIX, etc. -- the major caveat being that you will need to install it and configure it on Solaris (you can download it here). That website also has extensive documentation on sudo, and if you are unfamiliar with it I would suggest that you invest some time in reading about what sudo is and what it can do for you, then think about how best to integrate it into your environment.
Note that I do not believe there are Solaris 11 packages for sudo at this point - you will likely need to compile it yourself (and/or build your own package). This is not horribly complicated: read the documentation and proceed carefully. If you feel like you are out of your depth there are mailing lists (again, see the site I linked above) that can help you out.
As others have pointed out, sudo has apparently been absorbed by Solaris 11 - no compiling, just configuration. Again, the docs at the site linked above will tell you pretty much everything you need to know.
From a security standpoint I would DEFINITELY recommend using sudo - Not giving out the real root password is a huge benefit, and the finer-grained access control is worth the administration required.
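The DNS-maintainer case from the question, written out as a sudoers fragment. This is an added example, not from the answer above or from the sudo project: the user name dnsadmin, the zone-file path and the service name dns/server are assumptions.

```text
# Added example (not from the original post). Assumed: user 'dnsadmin',
# zone file /var/named/example.com.zone, SMF service dns/server.
# Install with visudo (it syntax-checks before writing) and run 'visudo -c'
# after any change: a sudoers file with a syntax error locks everyone out.

# Exact argument lists. sudo compares the arguments literally, so the user
# has to type 'svcadm refresh dns/server' exactly as written here; a wildcard
# such as 'svcadm *' would also permit 'svcadm disable milestone/multi-user'.
Cmnd_Alias DNS_SVC = /usr/sbin/svcadm refresh dns/server, \
                     /usr/sbin/svcadm restart dns/server

# sudoedit copies the file aside, runs the editor as the invoking user, then
# copies it back as root. Granting '/usr/bin/vi /var/named/...' instead would
# hand out a root shell via the editor's ':!sh' escape.
dnsadmin  ALL = (root) DNS_SVC, sudoedit /var/named/example.com.zone

# Local log in addition to syslog, so the trail survives a syslog outage.
Defaults logfile=/var/log/sudo.log
```

After installing it, check the effective grant with `sudo -l -U dnsadmin` and confirm that `sudo svcadm disable dns/server` is refused; the refresh/restart verbs are the whole of what the role needs.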
Sudo works exactly the same with Solaris as it does with Ubuntu etc., so any previous experience you have with it is useful. Solaris does, though, come with Role Based Access Control (RBAC), which gives you quite fine-grained control over what people are allowed to run with elevated privileges.
Using sudo or RBAC is preferable to su - as they can be used to log what actions have been taken.
It is the same code and the compiling options are similar to those used on Linux, so the setup and purpose are identical. One difference is that root is (by default) a role on Solaris 11 Express, not a user account. That means using either sudo or RBAC (pfexec) is now mandatory on Solaris.
You'll probably find that document interesting. It explains why sudo was introduced in Solaris: http://mail.opensolaris.org/pipermail/opensolaris-arc/2008-June/009146.html
sudo or pfexec are better than su - as the less anyone is root the better. Sudo has its own logging feature. pfexec has some extra capabilities and integrates with Solaris auditing, so it might be the preferred solution in some cases. Two notes:
Solaris 11 Express is bundling sudo, so you don't need to compile it or even install it on that OS.
On default installations, sudo is a required component, given the fact that root is by default unsuitable for direct logins and the installer no longer uses RBAC to grant extra privileges to the initial user account.
You can use both sudo or RBAC on Solaris. Prior to v11, you'd have to install sudo on your own.
Which you use on your system would be your preference, along with your needs. I recommend looking at using RBAC. It's got finer-grained control, which would allow you to let a user do only certain things using pfexec or pfedit. You're also going to want to look at using RBAC to create roles to limit privileges for "group" or "app" accounts, i.e. web, database, ...
Solaris 11 now also allows you to use "roleauth=user" so that you would use the user's password to assume the role vs. needing to maintain passwords for the roles. It also lets you assign a Console User profile to allow users to get in on the console now that root is a role by default.
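The same DNS-maintainer case done with RBAC instead of sudo, as an added example (not from the answer above): the user dnsadmin, the role dnsops and the zone-file path are assumptions, and the SMF authorization name is read from the service rather than assumed. These are Solaris 11 commands typed at a root or pfexec shell.

```text
# Added example (not from the original post). Assumed: user dnsadmin, role
# dnsops, zone file /var/named/example.com.zone. Run as root or via pfexec.

# 1. SMF gates refresh/restart/enable/disable on an authorization, not on
#    uid 0. Read which one this service checks instead of guessing it
#    (svcprop exits non-zero if the property is not set on the service):
AUTH=$(svcprop -p general/action_authorization svc:/network/dns/server)

# 2. Grant that authorization plus the pfedit authorization for the one zone
#    file. Neither makes the user root: svcadm runs as dnsadmin and SMF checks
#    the authorization; pfedit edits the file without an editor ever running
#    with privilege. 'svcadm disable milestone/multi-user' stays denied
#    because that service checks a different authorization.
#    Caveat: usermod -A replaces the user's whole authorization list, so
#    look at 'auths dnsadmin' first and include anything already there.
usermod -A "$AUTH",solaris.admin.edit/var/named/example.com.zone dnsadmin
auths dnsadmin

# 3. A role for the wider operator duties, created with roleauth=user so the
#    role has no password of its own: 'su dnsops' asks for dnsadmin's
#    password, and the audit trail records both the user and the role.
#    "Service Operator" is one of the stock Solaris rights profiles.
#    Caveat: usermod -R replaces the role list the same way -A does.
roleadd -K roleauth=user -P "Service Operator" dnsops
usermod -R dnsops dnsadmin
roles dnsadmin

# 4. Verification from the user's side (no sudo, no root shell):
#    $ svcadm refresh dns/server
#    $ pfedit /var/named/example.com.zone
#    $ svcadm disable dns/server        (allowed only if AUTH covers it)
#    $ su dnsops                        (prompts for dnsadmin's own password)
```

The difference from the sudoers approach is where the policy is enforced: sudo matches the typed command line, whereas here svcadm and pfedit each ask the kernel/SMF whether the caller holds a named authorization, so there is no argument string to get wrong and nothing runs as uid 0 on the user's behalf.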