[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

On Feb 1, 2008, at 11:00 , Guillaume Rousse wrote:

> But using a single privilegied entity for a group of people  
> requires to
> share secrets (aka root password), which is also a bad idea, and  
> doesn't

How is every admin having his/her own $user/admin principal not  
How is every admin having his/her own $user/admin principal a shared  

Additionally, ideally you want a different principal for each *kind*  
of administrative action.  I have different principals for:
- root
- kerberos admin
- afs admin
- cyrus admin

The big advantage here, aside from limiting the amount of damage a  
mistake can cause:  should it be necessary to revoke a privilege, it  
can be done with minimal disruption to the user and to other admins.

Now, an argument can be made that this leads to multiple e.g. root  
passwords (thus, a larger attack surface).  Whether this is a  
significant issue depends on your threat model.

(Also:  giving all privileges to the default principal is like sudo?   
Huh?  It's like logging in as root / Administrator.)

brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH