[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: special principals handling
On Feb 1, 2008, at 11:00 , Guillaume Rousse wrote:
> But using a single privilegied entity for a group of people
> requires to
> share secrets (aka root password), which is also a bad idea, and
How is every admin having his/her own $user/admin principal not
How is every admin having his/her own $user/admin principal a shared
Additionally, ideally you want a different principal for each *kind*
of administrative action. I have different principals for:
- kerberos admin
- afs admin
- cyrus admin
The big advantage here, aside from limiting the amount of damage a
mistake can cause: should it be necessary to revoke a privilege, it
can be done with minimal disruption to the user and to other admins.
Now, an argument can be made that this leads to multiple e.g. root
passwords (thus, a larger attack surface). Whether this is a
significant issue depends on your threat model.
(Also: giving all privileges to the default principal is like sudo?
Huh? It's like logging in as root / Administrator.)
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] firstname.lastname@example.org
system administrator [openafs,heimdal,too many hats] email@example.com
electrical and computer engineering, carnegie mellon university KF8NH